
Contents of /backports/8/kernel/current/SOURCES/drm-i915-fix-potential-context-uafs.patch



Revision 1932881 - (show annotations) (download)
Sat Jan 14 11:15:03 2023 UTC (14 months, 2 weeks ago) by tmb
File size: 3581 byte(s)
- update to 6.1.6
  * drop merged patches
- add current -stable queue
- Revert "mm/compaction: fix set skip in fast_find_migrateblock"
- wifi: brcmfmac: fix regression for Broadcom PCIe wifi devices


1 From afce71ff6daa9c0f852df0727fe32c6fb107f0fa Mon Sep 17 00:00:00 2001
2 From: Rob Clark <robdclark@chromium.org>
3 Date: Tue, 3 Jan 2023 15:49:46 -0800
4 Subject: drm/i915: Fix potential context UAFs
5
6 From: Rob Clark <robdclark@chromium.org>
7
8 commit afce71ff6daa9c0f852df0727fe32c6fb107f0fa upstream.
9
10 gem_context_register() makes the context visible to userspace, at which
11 point a separate thread can trigger the I915_GEM_CONTEXT_DESTROY ioctl.
12 So we need to ensure that nothing uses the ctx ptr after this. And we
13 need to ensure that adding the ctx to the xarray is the *last* thing
14 that gem_context_register() does with the ctx pointer.
15
16 Signed-off-by: Rob Clark <robdclark@chromium.org>
17 Fixes: eb4dedae920a ("drm/i915/gem: Delay tracking the GEM context until it is registered")
18 Fixes: a4c1cdd34e2c ("drm/i915/gem: Delay context creation (v3)")
19 Fixes: 49bd54b390c2 ("drm/i915: Track all user contexts per client")
20 Cc: <stable@vger.kernel.org> # v5.10+
21 Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
22 Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
23 [tursulin: Stable and fixes tags add/tidy.]
24 Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
25 Link: https://patchwork.freedesktop.org/patch/msgid/20230103234948.1218393-1-robdclark@gmail.com
26 (cherry picked from commit bed4b455cf5374e68879be56971c1da563bcd90c)
27 Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
28 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
29 ---
30 drivers/gpu/drm/i915/gem/i915_gem_context.c | 24 ++++++++++++++++++------
31 1 file changed, 18 insertions(+), 6 deletions(-)
32
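--- a/drivers/gpu/drm/i915/gem/i915_gem_context.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_context.c
@@ -1688,6 +1688,10 @@ void i915_gem_init__contexts(struct drm_
 init_contexts(&i915->gem.contexts);
 }
 
+/*
+ * Note that this implicitly consumes the ctx reference, by placing
+ * the ctx in the context_xa.
+ */
 static void gem_context_register(struct i915_gem_context *ctx,
 struct drm_i915_file_private *fpriv,
 u32 id)
@@ -1703,10 +1707,6 @@ static void gem_context_register(struct
 snprintf(ctx->name, sizeof(ctx->name), "%s[%d]",
 current->comm, pid_nr(ctx->pid));
 
- /* And finally expose ourselves to userspace via the idr */
- old = xa_store(&fpriv->context_xa, id, ctx, GFP_KERNEL);
- WARN_ON(old);
-
 spin_lock(&ctx->client->ctx_lock);
 list_add_tail_rcu(&ctx->client_link, &ctx->client->ctx_list);
 spin_unlock(&ctx->client->ctx_lock);
@@ -1714,6 +1714,10 @@ static void gem_context_register(struct
 spin_lock(&i915->gem.contexts.lock);
 list_add_tail(&ctx->link, &i915->gem.contexts.list);
 spin_unlock(&i915->gem.contexts.lock);
+
+ /* And finally expose ourselves to userspace via the idr */
+ old = xa_store(&fpriv->context_xa, id, ctx, GFP_KERNEL);
+ WARN_ON(old);
 }
 
 int i915_gem_context_open(struct drm_i915_private *i915,
@@ -2199,14 +2203,22 @@ finalize_create_context_locked(struct dr
 if (IS_ERR(ctx))
 return ctx;
 
+ /*
+ * One for the xarray and one for the caller. We need to grab
+ * the reference *prior* to making the ctx visble to userspace
+ * in gem_context_register(), as at any point after that
+ * userspace can try to race us with another thread destroying
+ * the context under our feet.
+ */
+ i915_gem_context_get(ctx);
+
 gem_context_register(ctx, file_priv, id);
 
 old = xa_erase(&file_priv->proto_context_xa, id);
 GEM_BUG_ON(old != pc);
 proto_context_close(file_priv->dev_priv, pc);
 
- /* One for the xarray and one for the caller */
- return i915_gem_context_get(ctx);
+ return ctx;
 }
 
 struct i915_gem_context *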
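Review bot: The new header comment on gem_context_register() records that the call consumes the ctx reference, but the stricter rule the fix depends on — that the xa_store() now at the end of the second hunk must be the last access to ctx, since a concurrent I915_GEM_CONTEXT_DESTROY can free it the moment it is visible in context_xa — is expressed only by statement order. A comment at the store site, e.g. `/* Last use of ctx: once visible in context_xa a concurrent DESTROY may free it */` in place of the moved `/* And finally expose ourselves to userspace via the idr */` line (which still says "idr" for what is now an xarray), would make that invariant explicit and harder to regress. The same contract presumably applies to the other caller, i915_gem_context_open(), whose body lies outside these hunks and should be checked to not touch ctx after the call returns. In the last hunk, the new comment misspells "visible" as "visble".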
