CVE-2024-53071

In the Linux kernel, the following vulnerability has been resolved:

drm/panthor: Be stricter about IO mapping flags

The current panthordevicemmap_io() implementation has two issues:

1. For mapping DRMPANTHORUSERFLUSHIDMMIOOFFSET, panthordevicemmapio() bails if VMWRITE is set, but does not clear VMMAYWRITE. That means userspace can use mprotect() to make the mapping writable later on. This is a classic Linux driver gotcha. I don't think this actually has any impact in practice: When the GPU is powered, writes to the FLUSHID seem to be ignored; and when the GPU is not powered, the dummylatestflush page provided by the driver is deliberately designed to not do any flushes, so the only thing writing to the dummylatestflush could achieve would be to make more flushes happen.

2. panthordevicemmapio() does not block MAPPRIVATE mappings (which are mappings without the VMSHARED flag). MAPPRIVATE in combination with VMMAYWRITE indicates that the VMA has copy-on-write semantics, which for VMPFNMAP are semi-supported but fairly cursed. In particular, in such a mapping, the driver can only install PTEs during mmap() by calling remappfnrange() (because remappfnrange() wants to store the physical address of the mapped physical memory into the vmpgoff of the VMA); installing PTEs later on with a fault handler (as panthor does) is not supported in private mappings, and so if you try to fault in such a mapping, vmfinsertpfnprot() splats when it hits a BUG() check.

Fix it by clearing the VMMAYWRITE flag (userspace writing to the FLUSHID doesn't make sense) and requiring VMSHARED (copy-on-write semantics for the FLUSHID don't make sense).

Reproducers for both scenarios are in the notes of my patch on the mailing list; I tested that these bugs exist on a Rock 5B machine.

Note that I only compile-tested the patch, I haven't tested it; I don't have a working kernel build setup for the test machine yet. Please test it before applying it.