git.ipfire.org Git - thirdparty/kernel/linux.git/commit
accel/qaic: Add overflow check to remap_pfn_range during mmap
author Zack McKevitt <zachary.mckevitt@oss.qualcomm.com>
Thu, 30 Apr 2026 19:39:01 +0000 (12:39 -0700)
committer Jeff Hugo <jeff.hugo@oss.qualcomm.com>
Tue, 12 May 2026 16:58:18 +0000 (10:58 -0600)
commit aa16b2bc0f02709919e2435f531406531e5bcc69
tree fb46615e7e592cdcce6726f46c5e6a78c0c0c01c
parent 53597deca0e38c30e6cd4ba2114fa42d2bcd85bb
accel/qaic: Add overflow check to remap_pfn_range during mmap

The call to remap_pfn_range in qaic_gem_object_mmap is susceptible to
(re)mapping beyond the VMA if the BO is too large. This can cause use
after free issues when munmap() unmaps only the VMA region and not the
additional mappings. To prevent this, check the remaining size of the
VMA before remapping and truncate the remapped length if sg->length is
too large.

Reported-by: Lukas Maar <lukas.maar@tugraz.at>
Fixes: ff13be830333 ("accel/qaic: Add datapath")
Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Signed-off-by: Zack McKevitt <zachary.mckevitt@oss.qualcomm.com>
Reviewed-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
[jhugo: fix braces from checkpatch --strict]
Signed-off-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
Link: https://patch.msgid.link/20260430193858.1178641-1-zachary.mckevitt@oss.qualcomm.com
drivers/accel/qaic/qaic_data.c
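
The length clamp the commit message describes, modelled in user space as an added example (this is not the driver's code or the patch itself). `struct seg`, `struct vma`, `fake_remap` and both walk functions are hypothetical stand-ins for the scatterlist entries, the VMA and `remap_pfn_range`, and the addresses are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel types; not the driver's structures. */
struct seg { size_t length; };      /* one scatterlist entry (sg->length) */
struct vma { size_t start, end; };  /* user range [start, end) */

/* Stand-in for remap_pfn_range(): records the highest address touched. */
static size_t highest_mapped;
static void fake_remap(size_t addr, size_t len)
{
	if (addr + len > highest_mapped)
		highest_mapped = addr + len;
}

/* Unchecked walk: maps every segment in full, whatever the VMA size. */
size_t map_unchecked(const struct vma *v, const struct seg *s, size_t n)
{
	size_t offset = 0;
	highest_mapped = v->start;
	for (size_t i = 0; i < n; i++) {
		fake_remap(v->start + offset, s[i].length);
		offset += s[i].length;
	}
	return highest_mapped;
}

/* Checked walk: clamp each segment to what is left of the VMA, then stop. */
size_t map_clamped(const struct vma *v, const struct seg *s, size_t n)
{
	size_t offset = 0, vma_len = v->end - v->start;
	highest_mapped = v->start;
	for (size_t i = 0; i < n && offset < vma_len; i++) {
		size_t remaining = vma_len - offset;
		size_t len = s[i].length < remaining ? s[i].length : remaining;
		fake_remap(v->start + offset, len);
		offset += len;
	}
	return highest_mapped;
}

int main(void)
{
	/* Constructed case: 2-page VMA backed by a 3-page buffer object. */
	struct vma v = { 0x10000, 0x12000 };
	struct seg s[] = { { 0x1000 }, { 0x2000 } };
	printf("unchecked end: %#zx\n", map_unchecked(&v, s, 2));
	printf("clamped end:   %#zx\n", map_clamped(&v, s, 2));
	return 0;
}
```

The unchecked walk ends one page past `v.end`, which is the region a later `munmap()` of the VMA would leave mapped; the clamped walk ends exactly at `v.end`.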