From: Vinicius Costa Gomes <vinicius.gomes@intel.com> mainline inclusion from mainline-v6.10-rc1 commit 8dfa57aabff625bf445548257f7711ef294cd30e category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/4650 CVE: CVE-2024-21823 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Check if the process submitting the descriptor belongs to the same address space as the one that opened the file, reject otherwise. Fixes: 6827738dc684 ("dmaengine: idxd: add a write() method for applications to submit work") Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com> Signed-off-by: Dave Jiang <dave.jiang@intel.com> Link: https://lore.kernel.org/r/20250421170337.3008875-1-dave.jiang@intel.com Signed-off-by: Vinod Koul <vkoul@kernel.org> Conflicts: drivers/dma/idxd/cdev.c [Commit 1c71222e5f23 (mm: replace vma->vm_flags direct modifications with modifier calls) not merged, so the absence of the vm_flags_set modifier function has caused a context conflict.] Signed-off-by: Wang Zhaolong <wangzhaolong@huaweicloud.com> --- drivers/dma/idxd/cdev.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c index 6701b2265b7f..5c39a29dbde6 100644 --- a/drivers/dma/idxd/cdev.c +++ b/drivers/dma/idxd/cdev.c @@ -237,10 +237,13 @@ static int idxd_cdev_mmap(struct file *filp, struct vm_area_struct *vma) * has CAP_SYS_RAWIO capabilities. */ if (!idxd->user_submission_safe && !capable(CAP_SYS_RAWIO)) return -EPERM; + if (current->mm != ctx->mm) + return -EPERM; + rc = check_vma(wq, vma, __func__); if (rc < 0) return rc; vma->vm_flags |= VM_DONTCOPY; 
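Review bot: Nothing in this patch shows where `ctx->mm` is assigned or whether a reference is held on it, and the new `current->mm != ctx->mm` test in idxd_cdev_mmap (repeated in the idxd_cdev_write and idxd_cdev_poll hunks) is only as good as that assignment. It is worth confirming that every open path sets the field and keeps the mm pinned for the life of the file; if it is left NULL on some path the check would refuse every caller, and an unpinned pointer compared by address could match a recycled mm_struct. A short comment above the first check would also help the next reader, for example `/* The fd may be inherited or passed on; only the address space that opened it may map or submit. */`. idxd_cdev_mmap's body starts and ends outside the hunk.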
@@ -303,10 +306,13 @@ static ssize_t idxd_cdev_write(struct file *filp, const char __user *buf, size_t struct dsa_hw_desc __user *udesc = (struct dsa_hw_desc __user *)buf; struct idxd_user_context *ctx = filp->private_data; ssize_t written = 0; int i; + if (current->mm != ctx->mm) + return -EPERM; + for (i = 0; i < len/sizeof(struct dsa_hw_desc); i++) { int rc = idxd_submit_user_descriptor(ctx, udesc + i); if (rc) return written ? written : rc; @@ -323,10 +329,13 @@ static __poll_t idxd_cdev_poll(struct file *filp, struct idxd_user_context *ctx = filp->private_data; struct idxd_wq *wq = ctx->wq; struct idxd_device *idxd = wq->idxd; __poll_t out = 0; + if (current->mm != ctx->mm) + return -EPERM; + poll_wait(filp, &wq->err_queue, wait); spin_lock(&idxd->dev_lock); if (idxd->sw_err.valid) out = EPOLLIN | EPOLLRDNORM; spin_unlock(&idxd->dev_lock); -- 2.34.3
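Review bot: In the idxd_cdev_poll hunk the added guard returns `-EPERM`, but the function's return type is `__poll_t`, an event bitmask rather than an errno. Converted to that type, the negative value sets almost every event bit, so a caller from a different address space would be told the file is ready instead of being refused, and sparse would be expected to flag the type mismatch. Returning a mask, `return EPOLLNVAL;`, at the same place before `poll_wait()` reports the invalid request in the form poll callers understand. The `-EPERM` in the write hunk is fine because idxd_cdev_write returns `ssize_t`; idxd_cdev_poll's signature and tail are outside the hunk.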