authorRob Clark <robdclark@gmail.com>2016-08-22 21:28:38 +0200
committerRob Clark <robdclark@gmail.com>2016-08-28 18:49:39 +0200
commitd78d383ab354b0b9e1d23404ae0d9fbdeb9aa035 (patch)
treeaee4580ca0766d3be40c2b574dd7816aabc3d080 /drivers/gpu/drm/msm/msm_gem_submit.c
parentdrm/msm: fix use of copy_from_user() while holding spinlock (diff)
drm/msm: protect against faults from copy_from_user() in submit ioctl
An evil userspace could try to cause deadlock by passing an unfaulted-in GEM bo as submit->bos (or submit->cmds) table, which will trigger msm_gem_fault() while we already hold struct_mutex.

See: https://github.com/freedreno/msmtest/blob/master/evilsubmittest.c

Cc: stable@vger.kernel.org
Signed-off-by: Rob Clark <robdclark@gmail.com>
Diffstat (limited to 'drivers/gpu/drm/msm/msm_gem_submit.c')
-rw-r--r--drivers/gpu/drm/msm/msm_gem_submit.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
index 408da409a216..880d6a9af7c8 100644
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -394,6 +394,8 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
if (ret)
return ret;
+ priv->struct_mutex_task = current;
+
submit = submit_create(dev, gpu, args->nr_bos, args->nr_cmds);
if (!submit) {
ret = -ENOMEM;
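Review bot: The added `priv->struct_mutex_task = current;` carries no comment, so nothing at this site says why the ioctl records which task holds struct_mutex. Only the commit message explains that the marker lets the fault path recognise a fault raised by copy_from_user() on a GEM bo while this task already owns the lock. I would put `/* remember the struct_mutex owner so msm_gem_fault() can detect a fault taken from copy_from_user() below and not deadlock */` directly above the assignment. msm_ioctl_gem_submit() begins before and continues after this hunk, so it cannot be confirmed from here that every user-memory access in the function falls between this line and the `out_unlock` label; that is worth checking, because an access outside that window would not be covered by the guard.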
@@ -485,6 +487,7 @@ out:
if (ret)
msm_gem_submit_free(submit);
out_unlock:
+ priv->struct_mutex_task = NULL;
mutex_unlock(&dev->struct_mutex);
return ret;
}
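Review bot: The clear at `out_unlock` and the matching set in the first hunk are plain stores to a field that, going by the commit message, msm_gem_fault() must read without holding struct_mutex, since the whole point is to avoid taking the lock again. Marking the accesses makes that lockless use explicit and keeps the compiler from tearing or caching them: `WRITE_ONCE(priv->struct_mutex_task, NULL);` here, `WRITE_ONCE(priv->struct_mutex_task, current);` at the set, and `READ_ONCE()` in the reader. The reader is not part of this diff, so this is inferred and should be confirmed against msm_gem_fault(). The function body above the `out:` label lies outside the hunk.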