Commit b8509ce1 authored by Rob Clark's avatar Rob Clark Committed by Greg Kroah-Hartman

drm/msm: protect against faults from copy_from_user() in submit ioctl

commit d78d383a upstream.

An evil userspace could try to cause deadlock by passing an unfaulted-in
GEM bo as submit->bos (or submit->cmds) table.  Which will trigger
msm_gem_fault() while we already hold struct_mutex.  See:

https://github.com/freedreno/msmtest/blob/master/evilsubmittest.cSigned-off-by: default avatarRob Clark <robdclark@gmail.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 399c967d
......@@ -148,6 +148,12 @@ struct msm_drm_private {
} vram;
struct msm_vblank_ctrl vblank_ctrl;
/* task holding struct_mutex.. currently only used in submit path
* to detect and reject faults from copy_from_user() for submit
* ioctl.
*/
struct task_struct *struct_mutex_task;
};
struct msm_format {
......
......@@ -196,11 +196,20 @@ int msm_gem_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
{
struct drm_gem_object *obj = vma->vm_private_data;
struct drm_device *dev = obj->dev;
struct msm_drm_private *priv = dev->dev_private;
struct page **pages;
unsigned long pfn;
pgoff_t pgoff;
int ret;
/* This should only happen if userspace tries to pass a mmap'd
* but unfaulted gem bo vaddr into submit ioctl, triggering
* a page fault while struct_mutex is already held. This is
* not a valid use-case so just bail.
*/
if (priv->struct_mutex_task == current)
return VM_FAULT_SIGBUS;
/* Make sure we don't parallel update on a fault, nor move or remove
* something from beneath our feet
*/
......
......@@ -394,6 +394,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
return -ENOMEM;
mutex_lock(&dev->struct_mutex);
priv->struct_mutex_task = current;
ret = submit_lookup_objects(submit, args, file);
if (ret)
......@@ -479,6 +480,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
submit_cleanup(submit);
if (ret)
msm_gem_submit_free(submit);
priv->struct_mutex_task = NULL;
mutex_unlock(&dev->struct_mutex);
return ret;
}
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment