drm/xe/ufence: Prefetch ufence addr to catch bogus address

nirmoy · lucasdemarchi · commit 9c1813b32534 · 2024-10-24T12:42:52.000-05:00
access_ok() only checks for addr overflow so also try to read the addr to catch invalid addr sent from userspace. Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1630 Cc: Francois Dugast <francois.dugast@intel.com> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> Cc: Matthew Auld <matthew.auld@intel.com> Cc: Matthew Brost <matthew.brost@intel.com> Reviewed-by: Matthew Brost <matthew.brost@intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241016082304.66009-2-nirmoy.das@intel.com Signed-off-by: Nirmoy Das <nirmoy.das@intel.com> (cherry picked from commit 9408c45) Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
diff --git a/drivers/gpu/drm/xe/xe_sync.c b/drivers/gpu/drm/xe/xe_sync.c
@@ -54,8 +54,9 @@ static struct xe_user_fence *user_fence_create(struct xe_device *xe, u64 addr,
 {
 	struct xe_user_fence *ufence;
 	u64 __user *ptr = u64_to_user_ptr(addr);
+	u64 __maybe_unused prefetch_val;
 
-	if (!access_ok(ptr, sizeof(*ptr)))
+	if (get_user(prefetch_val, ptr))
 		return ERR_PTR(-EFAULT);
 
 	ufence = kzalloc(sizeof(*ufence), GFP_KERNEL);

Original file line number	Diff line number	Diff line change
`@@ -54,8 +54,9 @@ static struct xe_user_fence user_fence_create(struct xe_device xe, u64 addr,`
`54`	`54`	`{`
`55`	`55`	`struct xe_user_fence *ufence;`
`56`	`56`	`u64 __user *ptr = u64_to_user_ptr(addr);`
	`57`	`+ u64 __maybe_unused prefetch_val;`
`57`	`58`
`58`		`- if (!access_ok(ptr, sizeof(*ptr)))`
	`59`	`+ if (get_user(prefetch_val, ptr))`
`59`	`60`	`return ERR_PTR(-EFAULT);`
`60`	`61`
`61`	`62`	`ufence = kzalloc(sizeof(*ufence), GFP_KERNEL);`