authorRob Clark2016-08-22 21:28:38 +0200
committerRob Clark2016-08-28 18:49:39 +0200
commitd78d383ab354b0b9e1d23404ae0d9fbdeb9aa035 (patch)
treeaee4580ca0766d3be40c2b574dd7816aabc3d080 /drivers/gpu/drm/msm/msm_drv.h
parentdrm/msm: fix use of copy_from_user() while holding spinlock (diff)
drm/msm: protect against faults from copy_from_user() in submit ioctl
An evil userspace could try to cause deadlock by passing an unfaulted-in GEM bo as submit->bos (or submit->cmds) table. Which will trigger msm_gem_fault() while we already hold struct_mutex. See: https://github.com/freedreno/msmtest/blob/master/evilsubmittest.c Cc: stable@vger.kernel.org Signed-off-by: Rob Clark <robdclark@gmail.com>
Diffstat (limited to 'drivers/gpu/drm/msm/msm_drv.h')
-rw-r--r--drivers/gpu/drm/msm/msm_drv.h6
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/gpu/drm/msm/msm_drv.h b/drivers/gpu/drm/msm/msm_drv.h
index b4bc7f1ef717..d0da52f2a806 100644
--- a/drivers/gpu/drm/msm/msm_drv.h
+++ b/drivers/gpu/drm/msm/msm_drv.h
@@ -157,6 +157,12 @@ struct msm_drm_private {
struct shrinker shrinker;
struct msm_vblank_ctrl vblank_ctrl;
+
+ /* task holding struct_mutex.. currently only used in submit path
+ * to detect and reject faults from copy_from_user() for submit
+ * ioctl.
+ */
+ struct task_struct *struct_mutex_task;
};
struct msm_format {
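Review bot: The comment on `struct_mutex_task` does not state the field's lifetime or how it may be used, which matters because it is a bare `struct task_struct *` and no reference on the task is visible in this hunk. As written it looks safe only as an identity check against `current`, and it presumably has to be reset to NULL before struct_mutex is released on every exit path of the submit ioctl, error paths included; a stale value could make a later, legitimate fault from the same task be rejected. The code that sets, clears and tests the field is not on this page (the view is limited to msm_drv.h), so that should be confirmed there, along with whether the fault handler reads the field without the lock and would want `READ_ONCE()`. I would extend the comment with something like `NULL unless the submit ioctl currently holds struct_mutex; compare against current only, never dereference (no task reference is taken)`, and note that other struct_mutex holders do not set it, so it is not a general lock-owner record.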