From patchwork Mon Aug 22 19:38:05 2016
X-Patchwork-Submitter: Rob Clark
X-Patchwork-Id: 9294319
From: Rob Clark
To: dri-devel@lists.freedesktop.org
Cc: stable@vger.kernel.org, Al Viro, Vaishali Thakkar, freedreno@lists.freedesktop.org
Subject: [PATCH 2/2] drm/msm: protect against faults from copy_from_user() in submit ioctl
Date: Mon, 22 Aug 2016 15:38:05 -0400
Message-Id: <1471894685-20199-2-git-send-email-robdclark@gmail.com>
In-Reply-To: <1471894685-20199-1-git-send-email-robdclark@gmail.com>

An evil userspace could try to cause deadlock by passing an unfaulted-in
GEM bo as submit->bos (or submit->cmds) table. Which will trigger
msm_gem_fault() while we already hold struct_mutex. See:

https://github.com/freedreno/msmtest/blob/master/evilsubmittest.c

Cc: stable@vger.kernel.org
Signed-off-by: Rob Clark
---
 drivers/gpu/drm/msm/msm_drv.h | 6 ++++++
 drivers/gpu/drm/msm/msm_gem.c | 9 +++++++++
 drivers/gpu/drm/msm/msm_gem_submit.c | 3 +++
 3 files changed, 18 insertions(+)

diff --git a/drivers/gpu/drm/msm/msm_drv.h b/drivers/gpu/drm/msm/msm_drv.h index a35c1b6..957801e 100644 --- a/drivers/gpu/drm/msm/msm_drv.h +++ b/drivers/gpu/drm/msm/msm_drv.h @@ -157,6 +157,12 @@ struct msm_drm_private { struct shrinker shrinker; struct msm_vblank_ctrl vblank_ctrl; + + /* task holding struct_mutex.. currently only used in submit path + * to detect and reject faults from copy_from_user() for submit + * ioctl. + */ + struct task_struct *struct_mutex_task; }; struct msm_format { diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c index 8dfdeec..f6b8945 100644 --- a/drivers/gpu/drm/msm/msm_gem.c 
+++ b/drivers/gpu/drm/msm/msm_gem.c @@ -196,11 +196,20 @@ int msm_gem_fault(struct vm_area_struct *vma, struct vm_fault *vmf) { struct drm_gem_object *obj = vma->vm_private_data; struct drm_device *dev = obj->dev; + struct msm_drm_private *priv = dev->dev_private; struct page **pages; unsigned long pfn; pgoff_t pgoff; int ret; + /* This should only happen if userspace tries to pass a mmap'd + * but unfaulted gem bo vaddr into submit ioctl, triggering + * a page fault while struct_mutex is already held. This is + * not a valid use-case so just bail. + */ + if (priv->struct_mutex_task == current) + return VM_FAULT_SIGBUS; + /* Make sure we don't parallel update on a fault, nor move or remove * something from beneath our feet */ diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c index 03d4ce2..0be57a9 100644 --- a/drivers/gpu/drm/msm/msm_gem_submit.c +++ b/drivers/gpu/drm/msm/msm_gem_submit.c @@ -426,6 +426,8 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data, if (ret) return ret; + priv->struct_mutex_task = current; + if (args->flags & MSM_SUBMIT_FENCE_FD_OUT) { out_fence_fd = get_unused_fd_flags(O_CLOEXEC); if (out_fence_fd < 0) { @@ -549,6 +551,7 @@ out: out_unlock: if (ret && (out_fence_fd >= 0)) put_unused_fd(out_fence_fd); + priv->struct_mutex_task = NULL; mutex_unlock(&dev->struct_mutex); return ret; }
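
Review bot: in the msm_drv.h hunk (@@ -157), the name `struct_mutex_task` and the opening words of its comment ("task holding struct_mutex") promise more than the patch delivers. The only writer in this series is msm_ioctl_gem_submit(), so the field is NULL whenever any other path holds struct_mutex. Either rename it to something submit-specific or reword the comment to say it is valid only while the submit ioctl holds the lock, so nobody later relies on it as a general owner check.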
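
Review bot: in the msm_gem.c hunk (@@ -196), `if (priv->struct_mutex_task == current)` reads the field before any lock is taken, while the submit path writes it under struct_mutex. The comparison is still sound because only the current task can have stored its own pointer there, so a concurrent write by another task can never make it compare equal, but that reasoning is not in the comment. Please add it, and consider READ_ONCE() on the load so the intent of the unlocked access is explicit.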
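
Review bot: in the first msm_gem_submit.c hunk (@@ -426), `priv->struct_mutex_task = current;` is followed immediately by the `if (out_fence_fd < 0) {` error branch, whose body is not visible in the context. Please confirm that branch, and every other exit after the assignment, leaves through `out_unlock`. A path that skips the clear leaves a stale task pointer in `priv`, and msm_gem_fault() would then return VM_FAULT_SIGBUS for ordinary faults from whichever task matches that pointer.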
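
Review bot: in the second msm_gem_submit.c hunk (@@ -549), the clear at `out_unlock:` is open-coded far from the matching set, so the invariant "field is non-NULL only while submit holds struct_mutex" depends on two distant lines staying paired. Consider a small pair of helpers that take or release `dev->struct_mutex` and set or clear `struct_mutex_task` together, which would stop a future exit path from unlocking without clearing. Keeping the clear before `mutex_unlock()`, as done here, is the right order and worth a brief comment.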