External email: Use caution opening links or attachments
On Mon, Sep 23, 2024 at 01:54:58PM +0000, Yonatan Maman wrote:
A copy push command might fail, causing `migrate_to_ram` to return a
dirty HIGH_USER page to the user.
This exposes a security vulnerability in the nouveau driver. To prevent
memory leaks in `migrate_to_ram` upon a copy error, allocate a zero
page for the destination page.
So, you refer to the case where this function fails in nouveau_dmem_copy_one()?
If so, can you please explain why adding __GFP_ZERO to alloc_page_vma() helps
with that?
Signed-off-by: Yonatan Maman <Ymaman@xxxxxxxxxx>
Signed-off-by: Gal Shalom <GalShalom@xxxxxxxxxx>
Since this is a bug, please also add a 'Fixes' tag, CC stable and add a
'Co-developed-by' tag if appropriate.
---
drivers/gpu/drm/nouveau/nouveau_dmem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/nouveau/nouveau_dmem.c b/drivers/gpu/drm/nouveau/nouveau_dmem.c
index 6fb65b01d778..097bd3af0719 100644
--- a/drivers/gpu/drm/nouveau/nouveau_dmem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_dmem.c
@@ -193,7 +193,7 @@ static vm_fault_t nouveau_dmem_migrate_to_ram(struct vm_fault *vmf)
if (!spage || !(src & MIGRATE_PFN_MIGRATE))
goto done;
- dpage = alloc_page_vma(GFP_HIGHUSER, vmf->vma, vmf->address);
+ dpage = alloc_page_vma(GFP_HIGHUSER | __GFP_ZERO, vmf->vma, vmf->address);
if (!dpage)
goto done;
--
2.34.1