[PATCH 2/2] drm/msm: protect against faults from copy_from_user() in submit ioctl
Rob Clark
robdclark at gmail.com
Sun Aug 28 16:43:46 UTC 2016
On Tue, Aug 23, 2016 at 2:03 AM, Daniel Vetter <daniel at ffwll.ch> wrote:
> On Mon, Aug 22, 2016 at 03:38:05PM -0400, Rob Clark wrote:
>> An evil userspace could try to cause deadlock by passing an unfaulted-in
>> GEM bo as submit->bos (or submit->cmds) table. Which will trigger
>> msm_gem_fault() while we already hold struct_mutex. See:
>>
>> https://github.com/freedreno/msmtest/blob/master/evilsubmittest.c
>>
>> Cc: stable at vger.kernel.org
>> Signed-off-by: Rob Clark <robdclark at gmail.com>
>> ---
>> drivers/gpu/drm/msm/msm_drv.h | 6 ++++++
>> drivers/gpu/drm/msm/msm_gem.c | 9 +++++++++
>> drivers/gpu/drm/msm/msm_gem_submit.c | 3 +++
>> 3 files changed, 18 insertions(+)
>>
>> diff --git a/drivers/gpu/drm/msm/msm_drv.h b/drivers/gpu/drm/msm/msm_drv.h
>> index a35c1b6..957801e 100644
>> --- a/drivers/gpu/drm/msm/msm_drv.h
>> +++ b/drivers/gpu/drm/msm/msm_drv.h
>> @@ -157,6 +157,12 @@ struct msm_drm_private {
>> struct shrinker shrinker;
>>
>> struct msm_vblank_ctrl vblank_ctrl;
>> +
>> + /* task holding struct_mutex.. currently only used in submit path
>> + * to detect and reject faults from copy_from_user() for submit
>> + * ioctl.
>> + */
>> + struct task_struct *struct_mutex_task;
>> };
>>
>> struct msm_format {
>> diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
>> index 8dfdeec..f6b8945 100644
>> --- a/drivers/gpu/drm/msm/msm_gem.c
>> +++ b/drivers/gpu/drm/msm/msm_gem.c
>> @@ -196,11 +196,20 @@ int msm_gem_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
>> {
>> struct drm_gem_object *obj = vma->vm_private_data;
>> struct drm_device *dev = obj->dev;
>> + struct msm_drm_private *priv = dev->dev_private;
>> struct page **pages;
>> unsigned long pfn;
>> pgoff_t pgoff;
>> int ret;
>>
>> + /* This should only happen if userspace tries to pass a mmap'd
>> + * but unfaulted gem bo vaddr into submit ioctl, triggering
>> + * a page fault while struct_mutex is already held. This is
>> + * not a valid use-case so just bail.
>> + */
>> + if (priv->struct_mutex_task == current)
>
> READ_ONCE here I think. Otherwise should at least work, though I still
> think it's sloppy ;-)
hmm, is READ_ONCE() actually needed? In the "== current" case I don't
see how there could be a race, and the "!= current" case I don't
really care..
and yeah, maybe not sloppy but I wouldn't call it pretty. I couldn't
come up with any low overhead way to check if submit->cmds /
submit->objs wasn't a GEM object (otherwise I would have bailed out
earlier than copy_from_user() with an -EINVAL, and wouldn't have
needed this)
BR,
-R
> -Daniel
>
>> + return VM_FAULT_SIGBUS;
>> +
>> /* Make sure we don't parallel update on a fault, nor move or remove
>> * something from beneath our feet
>> */
>> diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
>> index 03d4ce2..0be57a9 100644
>> --- a/drivers/gpu/drm/msm/msm_gem_submit.c
>> +++ b/drivers/gpu/drm/msm/msm_gem_submit.c
>> @@ -426,6 +426,8 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
>> if (ret)
>> return ret;
>>
>> + priv->struct_mutex_task = current;
>> +
>> if (args->flags & MSM_SUBMIT_FENCE_FD_OUT) {
>> out_fence_fd = get_unused_fd_flags(O_CLOEXEC);
>> if (out_fence_fd < 0) {
>> @@ -549,6 +551,7 @@ out:
>> out_unlock:
>> if (ret && (out_fence_fd >= 0))
>> put_unused_fd(out_fence_fd);
>> + priv->struct_mutex_task = NULL;
>> mutex_unlock(&dev->struct_mutex);
>> return ret;
>> }
>> --
>> 2.7.4
>>
>
> --
> Daniel Vetter
> Software Engineer, Intel Corporation
> http://blog.ffwll.ch
More information about the dri-devel
mailing list