| Message ID | 20210615023645.6535-2-desmondcheongzx@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | drm: Address potential UAF bugs with drm_master ptrs | expand |
On Tue, Jun 15, 2021 at 10:36:44AM +0800, Desmond Cheong Zhi Xi wrote: > While checking the master status of the DRM file in > drm_is_current_master(), the device's master mutex should be > held. Without the mutex, the pointer fpriv->master may be freed > concurrently by another process calling drm_setmaster_ioctl(). This > could lead to use-after-free errors when the pointer is subsequently > dereferenced in drm_lease_owner(). > > The callers of drm_is_current_master() from drm_auth.c hold the > device's master mutex, but external callers do not. Hence, we implement > drm_is_current_master_locked() to be used within drm_auth.c, and > modify drm_is_current_master() to grab the device's master mutex > before checking the master status. > > Reported-by: Daniel Vetter <daniel.vetter@ffwll.ch> > Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com> > Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com> > --- > drivers/gpu/drm/drm_auth.c | 23 +++++++++++++++++++---- > 1 file changed, 19 insertions(+), 4 deletions(-) > > diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c > index 232abbba3686..c6bf52c310a9 100644 > --- a/drivers/gpu/drm/drm_auth.c > +++ b/drivers/gpu/drm/drm_auth.c > @@ -61,6 +61,8 @@ > * trusted clients. > */ > > +static bool drm_is_current_master_locked(struct drm_file *fpriv); A bit a bikeshed, but we try to avoid forward declarations when they're not needed. If you don't want to tear apart drm_is_current_master and the _locked version then just move them together. Can you pls do that and respin? Otherwise looks all great. -Daniel > + > int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv) > { > struct drm_auth *auth = data; > @@ -223,7 +225,7 @@ int drm_setmaster_ioctl(struct drm_device *dev, void *data, > if (ret) > goto out_unlock; > > - if (drm_is_current_master(file_priv)) > + if (drm_is_current_master_locked(file_priv)) > goto out_unlock; > > if (dev->master) { > @@ -272,7 +274,7 @@ int drm_dropmaster_ioctl(struct drm_device *dev, void *data, > if (ret) > goto out_unlock; > > - if (!drm_is_current_master(file_priv)) { > + if (!drm_is_current_master_locked(file_priv)) { > ret = -EINVAL; > goto out_unlock; > } > @@ -321,7 +323,7 @@ void drm_master_release(struct drm_file *file_priv) > if (file_priv->magic) > idr_remove(&file_priv->master->magic_map, file_priv->magic); > > - if (!drm_is_current_master(file_priv)) > + if (!drm_is_current_master_locked(file_priv)) > goto out; > > drm_legacy_lock_master_cleanup(dev, master); > @@ -342,6 +344,13 @@ void drm_master_release(struct drm_file *file_priv) > mutex_unlock(&dev->master_mutex); > } > > +static bool drm_is_current_master_locked(struct drm_file *fpriv) > +{ > + lockdep_assert_held_once(&fpriv->master->dev->master_mutex); > + > + return fpriv->is_master && drm_lease_owner(fpriv->master) == fpriv->minor->dev->master; > +} > + > /** > * drm_is_current_master - checks whether @priv is the current master > * @fpriv: DRM file private > @@ -354,7 +363,13 @@ void drm_master_release(struct drm_file *file_priv) > */ > bool drm_is_current_master(struct drm_file *fpriv) > { > - return fpriv->is_master && drm_lease_owner(fpriv->master) == fpriv->minor->dev->master; > + bool ret; > + > + mutex_lock(&fpriv->master->dev->master_mutex); > + ret = drm_is_current_master_locked(fpriv); > + mutex_unlock(&fpriv->master->dev->master_mutex); > + > + return ret; > } > EXPORT_SYMBOL(drm_is_current_master); > > -- > 2.25.1 >
On 18/6/21 1:03 am, Daniel Vetter wrote: > On Tue, Jun 15, 2021 at 10:36:44AM +0800, Desmond Cheong Zhi Xi wrote: >> While checking the master status of the DRM file in >> drm_is_current_master(), the device's master mutex should be >> held. Without the mutex, the pointer fpriv->master may be freed >> concurrently by another process calling drm_setmaster_ioctl(). This >> could lead to use-after-free errors when the pointer is subsequently >> dereferenced in drm_lease_owner(). >> >> The callers of drm_is_current_master() from drm_auth.c hold the >> device's master mutex, but external callers do not. Hence, we implement >> drm_is_current_master_locked() to be used within drm_auth.c, and >> modify drm_is_current_master() to grab the device's master mutex >> before checking the master status. >> >> Reported-by: Daniel Vetter <daniel.vetter@ffwll.ch> >> Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com> >> Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com> >> --- >> drivers/gpu/drm/drm_auth.c | 23 +++++++++++++++++++---- >> 1 file changed, 19 insertions(+), 4 deletions(-) >> >> diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c >> index 232abbba3686..c6bf52c310a9 100644 >> --- a/drivers/gpu/drm/drm_auth.c >> +++ b/drivers/gpu/drm/drm_auth.c >> @@ -61,6 +61,8 @@ >> * trusted clients. >> */ >> >> +static bool drm_is_current_master_locked(struct drm_file *fpriv); > > A bit a bikeshed, but we try to avoid forward declarations when they're > not needed. If you don't want to tear apart drm_is_current_master and the > _locked version then just move them together. > > Can you pls do that and respin? > > Otherwise looks all great. > -Daniel > > Yeah, I was trying to keep the logic in _locked close to drm_is_current_master. But got it, will do.
diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c index 232abbba3686..c6bf52c310a9 100644 --- a/drivers/gpu/drm/drm_auth.c +++ b/drivers/gpu/drm/drm_auth.c @@ -61,6 +61,8 @@ * trusted clients. */ +static bool drm_is_current_master_locked(struct drm_file *fpriv); + int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv) { struct drm_auth *auth = data; @@ -223,7 +225,7 @@ int drm_setmaster_ioctl(struct drm_device *dev, void *data, if (ret) goto out_unlock; - if (drm_is_current_master(file_priv)) + if (drm_is_current_master_locked(file_priv)) goto out_unlock; if (dev->master) { @@ -272,7 +274,7 @@ int drm_dropmaster_ioctl(struct drm_device *dev, void *data, if (ret) goto out_unlock; - if (!drm_is_current_master(file_priv)) { + if (!drm_is_current_master_locked(file_priv)) { ret = -EINVAL; goto out_unlock; } @@ -321,7 +323,7 @@ void drm_master_release(struct drm_file *file_priv) if (file_priv->magic) idr_remove(&file_priv->master->magic_map, file_priv->magic); - if (!drm_is_current_master(file_priv)) + if (!drm_is_current_master_locked(file_priv)) goto out; drm_legacy_lock_master_cleanup(dev, master); @@ -342,6 +344,13 @@ void drm_master_release(struct drm_file *file_priv) mutex_unlock(&dev->master_mutex); } +static bool drm_is_current_master_locked(struct drm_file *fpriv) +{ + lockdep_assert_held_once(&fpriv->master->dev->master_mutex); + + return fpriv->is_master && drm_lease_owner(fpriv->master) == fpriv->minor->dev->master; +} + /** * drm_is_current_master - checks whether @priv is the current master * @fpriv: DRM file private @@ -354,7 +363,13 @@ void drm_master_release(struct drm_file *file_priv) */ bool drm_is_current_master(struct drm_file *fpriv) { - return fpriv->is_master && drm_lease_owner(fpriv->master) == fpriv->minor->dev->master; + bool ret; + + mutex_lock(&fpriv->master->dev->master_mutex); + ret = drm_is_current_master_locked(fpriv); + mutex_unlock(&fpriv->master->dev->master_mutex); + + return ret; } EXPORT_SYMBOL(drm_is_current_master);