From patchwork Tue Feb 12 12:13:52 2013
X-Patchwork-Submitter: Inki Dae
X-Patchwork-Id: 2127981
From: Inki Dae
To: airlied@linux.ie, dri-devel@lists.freedesktop.org
Subject: [PATCH] drm/exynos: fix wrong pointer access at vm close.
Date: Tue, 12 Feb 2013 21:13:52 +0900
Message-id: <1360671232-16182-1-git-send-email-inki.dae@samsung.com>
X-Mailer: git-send-email 1.7.4.1
Cc: kyungmin.park@samsung.com, sw0312.kim@samsung.com
X-BeenThere:
dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org Errors-To: dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org From: YoungJun Cho This patch fixes wrong pointer access issue to filp->f_op and filp->private_data. The exynos_drm_gem_mmap_ioctl() changes filp->f_op and filp->private_data temporarily and restore them to use original ones in exynos_drm_gem_mmap_buffer() but there was no lock between the changing and the restoring so wrong pointer access to filp->f_op and filp->private_data was induced by vm close callback. So this patch uses mutex lock properly to resolve this issue. Signed-off-by: YoungJun Cho Signed-off-by: Inki Dae Signed-off-by: Kyungmin Park --- drivers/gpu/drm/exynos/exynos_drm_gem.c | 33 ++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/drivers/gpu/drm/exynos/exynos_drm_gem.c b/drivers/gpu/drm/exynos/exynos_drm_gem.c index 4731807..67e17ce 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_gem.c +++ b/drivers/gpu/drm/exynos/exynos_drm_gem.c @@ -329,17 +329,11 @@ static struct drm_file *exynos_drm_find_drm_file(struct drm_device *drm_dev, { struct drm_file *file_priv; - mutex_lock(&drm_dev->struct_mutex); - /* find current process's drm_file from filelist. */ - list_for_each_entry(file_priv, &drm_dev->filelist, lhead) { - if (file_priv->filp == filp) { - mutex_unlock(&drm_dev->struct_mutex); + list_for_each_entry(file_priv, &drm_dev->filelist, lhead) + if (file_priv->filp == filp) return file_priv; - } - } - mutex_unlock(&drm_dev->struct_mutex); WARN_ON(1); return ERR_PTR(-EFAULT); 
@@ -400,9 +394,7 @@ static int exynos_drm_gem_mmap_buffer(struct file *filp, */ drm_gem_object_reference(obj); - mutex_lock(&drm_dev->struct_mutex); drm_vm_open_locked(drm_dev, vma); - mutex_unlock(&drm_dev->struct_mutex); return 0; } @@ -432,6 +424,16 @@ int exynos_drm_gem_mmap_ioctl(struct drm_device *dev, void *data, } /* + * We have to use gem object and its fops for specific mmaper, + * but vm_mmap() can deliver only filp. So we have to change + * filp->f_op and filp->private_data temporarily, then restore + * again. So it is important to keep lock until restoration the + * settings to prevent others from misuse of filp->f_op or + * filp->private_data. + */ + mutex_lock(&dev->struct_mutex); + + /* * Set specific mmper's fops. And it will be restored by * exynos_drm_gem_mmap_buffer to dev->driver->fops. * This is used to call specific mapper temporarily. @@ -448,13 +450,20 @@ int exynos_drm_gem_mmap_ioctl(struct drm_device *dev, void *data, addr = vm_mmap(file_priv->filp, 0, args->size, PROT_READ | PROT_WRITE, MAP_SHARED, 0); - drm_gem_object_unreference_unlocked(obj); + drm_gem_object_unreference(obj); if (IS_ERR((void *)addr)) { - file_priv->filp->private_data = file_priv; + /* check filp->f_op, filp->private_data are restored */ + if (file_priv->filp->f_op == &exynos_drm_gem_fops) { + file_priv->filp->f_op = fops_get(dev->driver->fops); + file_priv->filp->private_data = file_priv; + } + mutex_unlock(&dev->struct_mutex); return PTR_ERR((void *)addr); } + mutex_unlock(&dev->struct_mutex); + args->mapped = addr; DRM_DEBUG_KMS("mapped = 0x%lx\n", (unsigned long)args->mapped);
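Review bot: in the exynos_drm_find_drm_file() hunk, removing the mutex_lock/mutex_unlock around the filelist walk makes the function correct only when every caller already holds dev->struct_mutex, yet nothing in the hunk records that requirement. Add a comment above the function ("caller must hold dev->struct_mutex") or a `lockdep_assert_held(&drm_dev->struct_mutex);` before the `list_for_each_entry` so that an unlocked caller is reported by lockdep instead of racing the list.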
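Review bot: in the exynos_drm_gem_mmap_buffer() hunk, dropping the lock around drm_vm_open_locked() means this function is now safe only when reached from the ioctl path that holds dev->struct_mutex (the ioctl comment says it is entered through the temporarily installed exynos_drm_gem_fops). A one-line comment stating that it must be called with struct_mutex held, plus a lockdep_assert_held(), would document the precondition that drm_vm_open_locked() depends on.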
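Review bot: in the hunk that adds `mutex_lock(&dev->struct_mutex);` before the fops swap, the lock is now held across vm_mmap(), which takes the current task's mmap_sem, so this introduces a struct_mutex -> mmap_sem ordering; if any exynos fault or vm_close path takes struct_mutex while mmap_sem is already held, that is an inversion, so please run the mmap ioctl under CONFIG_PROVE_LOCKING before merging. Minor wording: the new comment's last sentence should read "keep the lock until the settings are restored, to prevent others from misusing filp->f_op or filp->private_data".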
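Review bot: in the final hunk, the restore-check plus mutex_unlock on the error path and the bare mutex_unlock on the success path duplicate the unlock; a single `out_unlock:` label (or a small helper) that checks `f_op == &exynos_drm_gem_fops`, restores fops and private_data if needed, and then unlocks would cover both paths and make the comment "check filp->f_op, filp->private_data are restored" self-explanatory (say that exynos_drm_gem_mmap_buffer() may already have restored them). The switch from drm_gem_object_unreference_unlocked() to drm_gem_object_unreference() is right, since struct_mutex is now held at that point.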