mirror-linux/drivers/gpu/drm
Jann Horn 4f2a129b33 drm/drm_file: Fix pid refcounting race
<maarten.lankhorst@linux.intel.com>, Maxime Ripard
<mripard@kernel.org>, Thomas Zimmermann <tzimmermann@suse.de>

filp->pid is supposed to be a refcounted pointer; however, before this
patch, drm_file_update_pid() only increments the refcount of a struct
pid after storing a pointer to it in filp->pid and dropping the
dev->filelist_mutex, making the following race possible:

process A               process B
=========               =========
                        begin drm_file_update_pid
                        mutex_lock(&dev->filelist_mutex)
                        rcu_replace_pointer(filp->pid, <pid B>, 1)
                        mutex_unlock(&dev->filelist_mutex)
begin drm_file_update_pid
mutex_lock(&dev->filelist_mutex)
rcu_replace_pointer(filp->pid, <pid A>, 1)
mutex_unlock(&dev->filelist_mutex)
get_pid(<pid A>)
synchronize_rcu()
put_pid(<pid B>)   *** pid B reaches refcount 0 and is freed here ***
                        get_pid(<pid B>)   *** UAF ***
                        synchronize_rcu()
                        put_pid(<pid A>)

As far as I know, this race can only occur with CONFIG_PREEMPT_RCU=y
because it requires RCU to detect a quiescent state in code that is not
explicitly calling into the scheduler.

This race leads to use-after-free of a "struct pid".
It is probably somewhat hard to hit because process A has to pass
through a synchronize_rcu() operation while process B is between
mutex_unlock() and get_pid().

Fix it by ensuring that by the time a pointer to the current task's pid
is stored in the file, an extra reference to the pid has been taken.

This fix also removes the condition for synchronize_rcu(); I think
that optimization is unnecessary complexity, since in that case we
would usually have bailed out on the lockless check above.

Fixes: 1c7a387ffe ("drm: Update file owner during use")
Cc: <stable@vger.kernel.org>
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2024-06-28 08:56:26 +10:00
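The interleaving in the commit message above, replayed deterministically in a constructed user-space model (added here as an illustration; this is not kernel code and not part of the commit). The model stands in for the kernel's objects: `struct pid` is a counter plus a `freed` flag whose last put marks the object freed instead of releasing memory, so a get or put on a dead pid is counted rather than crashing; `filp->pid` is a plain pointer, the mutex and `synchronize_rcu()` are no-ops because the replay runs single-threaded in the exact order of the race table, and every pid is assumed to start with one reference. Real refcounts on a task's pid are held by more owners and the real race additionally needs the preemption window the message describes; the point the model isolates is only the ordering: the unfixed code does `put_pid(old)` on a pid that another caller published before taking its own reference. The names `replay`, `step_replace`, `step_late_get`, `step_sync_and_put` and `struct outcome` are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the race: a "struct pid" is a counter plus a freed
 * flag. The last put marks the object freed instead of releasing memory so a
 * later get/put on it can be counted. Each pid starts with one reference,
 * standing in for whatever holds it in the kernel (an assumption of this model).
 */
struct pid {
    const char *name;
    int refcount;
    bool freed;
};

struct drm_file {
    struct pid *pid;    /* stands in for the RCU-protected filp->pid */
};

static int uaf_count;   /* accesses to a pid after its refcount hit zero */

static struct pid *get_pid(struct pid *p)
{
    if (p->freed)
        uaf_count++;    /* would be a use-after-free in the kernel */
    else
        p->refcount++;
    return p;
}

static void put_pid(struct pid *p)
{
    if (p->freed) {
        uaf_count++;
        return;
    }
    if (--p->refcount == 0)
        p->freed = true;
}

/* One drm_file_update_pid() call, split into the steps the race table uses. */
struct update {
    struct drm_file *filp;
    struct pid *pid;    /* task_tgid(current) of the calling process */
    struct pid *old;    /* pointer replaced under filelist_mutex */
};

/* mutex_lock(); rcu_replace_pointer(filp->pid, pid, 1); mutex_unlock() */
static void step_replace(struct update *u, bool fixed)
{
    if (fixed)
        get_pid(u->pid);    /* fixed order: reference taken before publishing */
    u->old = u->filp->pid;
    u->filp->pid = u->pid;
}

/* The get_pid() the unfixed code did only after dropping the mutex. */
static void step_late_get(struct update *u, bool fixed)
{
    if (!fixed)
        get_pid(u->pid);    /* buggy order: publish first, take the reference later */
}

/* synchronize_rcu(); put_pid(old) -- the grace period is a no-op in this replay */
static void step_sync_and_put(struct update *u)
{
    put_pid(u->old);
}

struct outcome {
    int uaf;        /* touches of a freed pid during the replay */
    int ref_a;      /* final refcount of pid A, the pointer left in filp->pid */
    bool b_freed;   /* pid B freed although process B still uses it */
};

/* Replays the exact interleaving from the commit message's race table. */
static struct outcome replay(bool fixed)
{
    struct pid old = { "old", 1, false };
    struct pid a = { "A", 1, false };
    struct pid b = { "B", 1, false };
    struct drm_file filp = { &old };
    struct update ua = { &filp, &a, NULL };
    struct update ub = { &filp, &b, NULL };
    struct outcome o;

    uaf_count = 0;
    step_replace(&ub, fixed);       /* B: lock, old -> B, unlock */
    step_replace(&ua, fixed);       /* A: lock, B -> A, unlock */
    step_late_get(&ua, fixed);      /* A: get_pid(A) */
    step_sync_and_put(&ua);         /* A: synchronize_rcu(); put_pid(B) */
    step_late_get(&ub, fixed);      /* B: get_pid(B)  <- UAF in the buggy order */
    step_sync_and_put(&ub);         /* B: synchronize_rcu(); put_pid(old) */

    o.uaf = uaf_count;
    o.ref_a = a.refcount;
    o.b_freed = b.freed;
    return o;
}

int main(void)
{
    struct outcome bug = replay(false), fix = replay(true);

    printf("buggy order: freed-pid accesses=%d, pid B freed=%d\n", bug.uaf, bug.b_freed);
    printf("fixed order: freed-pid accesses=%d, refs on A=%d\n", fix.uaf, fix.ref_a);
    return 0;
}
```

In the buggy order A's `put_pid(B)` drops a reference A never took, so B's count reaches zero and B's own `get_pid(B)` lands on a freed object; in the fixed order B's reference is already in place when the pointer is published, A's put only releases that reference, and the file ends up holding exactly one reference on A.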
amd drm/amdgpu: Don't show false warning for reg list 2024-06-25 14:22:56 -04:00
arm Merge drm/drm-fixes into drm-misc-fixes 2024-06-14 09:55:46 +02:00
armada drm/print: drop include debugfs.h and include where needed 2024-04-25 17:05:48 +03:00
aspeed
ast Linux 6.9-rc5 2024-04-22 14:35:52 +10:00
atmel-hlcdc
bridge drm/bridge/panel: Fix runtime warning on panel bridge release 2024-06-10 13:22:05 +02:00
ci USB / Thunderbolt changes for 6.10-rc1 2024-05-22 11:40:09 -07:00
display drm/mst: Fix NULL pointer dereference at drm_dp_add_payload_part2 2024-05-21 16:36:59 -04:00
etnaviv Revert "drm/etnaviv: Expose a few more chipspecs to userspace" 2024-04-25 16:56:20 +02:00
exynos drm/exynos/vidi: fix memory leak in .get_modes() 2024-06-10 15:05:43 +09:00
fsl-dcu
gma500 The usual shower of singleton fixes and minor series all over MM, 2024-05-19 09:21:03 -07:00
gud drm/gud: switch to struct drm_edid 2024-04-22 21:44:31 +03:00
hisilicon
hyperv
i2c
i915 drm/i915/gt: Fix potential UAF by revoke of fence registers 2024-06-24 13:05:15 +03:00
imagination Short summary of fixes pull: 2024-05-23 17:07:13 +02:00
imx Revert "drm: Make drivers depends on DRM_DW_HDMI" 2024-05-02 17:59:59 +02:00
ingenic Revert "drm: Make drivers depends on DRM_DW_HDMI" 2024-05-02 17:59:59 +02:00
kmb
lib
lima drm/lima: Fix dma_resv deadlock at drm object pin time 2024-05-29 09:30:39 +02:00
logicvc
loongson drm/loongson: fix build after debugfs include change 2024-04-26 14:30:36 +10:00
mcde
mediatek drm/mediatek: Call drm_atomic_helper_shutdown() at shutdown time 2024-06-12 09:54:23 +02:00
meson Short summary of fixes pull: 2024-05-23 17:07:13 +02:00
mgag200 drm/mgag200: Add drm_panic support 2024-04-15 16:13:50 +02:00
msm drm/msm: remove python 3.9 dependency for compiling msm 2024-05-30 18:49:23 +02:00
mxsfb drm/lcdif: Do not disable clocks on already suspended hardware 2024-03-20 04:32:55 +01:00
nouveau drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes 2024-06-25 15:30:50 -04:00
omapdrm The usual shower of singleton fixes and minor series all over MM, 2024-05-19 09:21:03 -07:00
panel drm/panel: simple: Add missing display timing flags for KOE TX26D202VM0BWA 2024-06-24 11:06:08 +02:00
panfrost drm/panfrost: Fix dma_resv deadlock at drm object pin time 2024-05-29 09:30:38 +02:00
panthor drm/panthor: Call panthor_sched_post_reset() even if the reset failed 2024-05-13 09:52:22 +02:00
pl111
qxl drm for 6.10-rc1 2024-05-15 09:43:42 -07:00
radeon drm/radeon: fix UBSAN warning in kv_dpm.c 2024-06-19 18:25:37 -04:00
renesas drm: renesas: shmobile: Call drm_atomic_helper_shutdown() at shutdown time 2024-06-12 09:54:07 +02:00
rockchip Revert "drm: Make drivers depends on DRM_DW_HDMI" 2024-05-02 17:59:59 +02:00
scheduler tracing/treewide: Remove second parameter of __assign_str() 2024-05-22 20:14:47 -04:00
solomon
sprd
sti drm/print: drop include debugfs.h and include where needed 2024-04-25 17:05:48 +03:00
stm
sun4i Revert "drm: Make drivers depends on DRM_DW_HDMI" 2024-05-02 17:59:59 +02:00
tegra Revert "drm: Switch DRM_DISPLAY_HELPER to depends on" 2024-05-02 17:58:23 +02:00
tests Short summary of fixes pull: 2024-05-27 13:47:14 +10:00
tidss
tilcdc drm: tilcdc: don't use devm_pinctrl_get_select_default() in probe 2024-04-10 14:27:00 +03:00
tiny drm/simpledrm: Add drm_panic support 2024-04-15 16:13:39 +02:00
ttm Short summary of fixes pull: 2024-05-23 17:07:13 +02:00
tve200
udl
v3d The usual shower of singleton fixes and minor series all over MM, 2024-05-19 09:21:03 -07:00
vboxvideo
vc4 Revert "drm: Switch DRM_DISPLAY_HELPER to depends on" 2024-05-02 17:58:23 +02:00
vgem
virtio tracing: Remove second argument of __assign_str() 2024-05-23 12:28:01 -07:00
vkms drm/vkms: Use drm_crtc_vblank_crtc() 2024-04-18 13:29:15 +03:00
vmwgfx drm/vmwgfx: Fix missing HYPERVISOR_GUEST dependency 2024-06-17 11:56:54 +02:00
xe drm/xe/vf: Don't touch GuC irq registers if using memory irqs 2024-06-20 09:22:37 +02:00
xen fix missing vmalloc.h includes 2024-04-25 20:55:49 -07:00
xlnx drm: xlnx: zynqmp_dpsub: Fix compilation error 2024-05-08 12:57:04 +02:00
Kconfig drm: have config DRM_WERROR depend on !WERROR 2024-06-07 16:28:34 +03:00
Makefile drm/panic: Add a drm panic handler 2024-04-15 16:12:49 +02:00
drm_aperture.c
drm_atomic.c
drm_atomic_helper.c drm/panic: Add drm panic locking 2024-04-15 16:11:26 +02:00
drm_atomic_state_helper.c
drm_atomic_uapi.c drm: prefer DRM_MODE_FMT/ARG over drm_mode_debug_printmodeline() 2024-04-15 16:22:50 +03:00
drm_auth.c
drm_blend.c
drm_bridge.c
drm_bridge_connector.c
drm_buddy.c Short summary of fixes pull: 2024-05-27 13:47:14 +10:00
drm_cache.c
drm_client.c Core DRM: 2024-05-02 14:30:31 +10:00
drm_client_modeset.c Linux 6.9-rc5 2024-04-22 14:35:52 +10:00
drm_color_mgmt.c
drm_connector.c drm/connector: Add \n to message about demoting connector force-probes 2024-05-07 09:17:07 -07:00
drm_crtc.c drm: prefer DRM_MODE_FMT/ARG over drm_mode_debug_printmodeline() 2024-04-15 16:22:50 +03:00
drm_crtc_helper.c drm: prefer DRM_MODE_FMT/ARG over drm_mode_debug_printmodeline() 2024-04-15 16:22:50 +03:00
drm_crtc_helper_internal.h
drm_crtc_internal.h drm/edid: rename drm_find_edid_extension() to drm_edid_find_extension() 2024-04-17 16:11:28 +03:00
drm_damage_helper.c
drm_debugfs.c
drm_debugfs_crc.c
drm_displayid.c drm/edid: rename drm_find_edid_extension() to drm_edid_find_extension() 2024-04-17 16:11:28 +03:00
drm_displayid_internal.h drm/edid: Parse topology block for all DispID structure v1.x 2024-04-22 11:38:11 +03:00
drm_drv.c drm/panic: Add a drm panic handler 2024-04-15 16:12:49 +02:00
drm_dumb_buffers.c
drm_edid.c drm/edid: Parse topology block for all DispID structure v1.x 2024-04-22 11:38:11 +03:00
drm_edid_load.c
drm_eld.c drm/edid: move all internal declarations to drm_crtc_internal.h 2024-04-17 16:11:17 +03:00
drm_encoder.c
drm_encoder_slave.c
drm_exec.c
drm_fb_dma_helper.c drm/fb_dma: Add checks in drm_fb_dma_get_scanout_buffer() 2024-05-02 23:39:21 +02:00
drm_fb_helper.c drm/fbdev-dma: Only set smem_start is enable per module option 2024-06-19 17:05:02 +02:00
drm_fbdev_dma.c drm/fbdev-dma: Only set smem_start is enable per module option 2024-06-19 17:05:02 +02:00
drm_fbdev_generic.c drm/fbdev-generic: Do not set physical framebuffer address 2024-05-02 23:38:49 +02:00
drm_file.c drm/drm_file: Fix pid refcounting race 2024-06-28 08:56:26 +10:00
drm_flip_work.c
drm_format_helper.c
drm_fourcc.c
drm_framebuffer.c
drm_gem.c
drm_gem_atomic_helper.c drm/atomic-helper: fix parameter order in drm_format_conv_state_copy() call 2024-04-19 17:36:49 +02:00
drm_gem_dma_helper.c
drm_gem_framebuffer_helper.c
drm_gem_shmem_helper.c drm/gem-shmem: Add import attachment warning to locked pin function 2024-05-29 09:30:44 +02:00
drm_gem_ttm_helper.c
drm_gem_vram_helper.c Merge drm/drm-next into drm-misc-next 2024-04-02 09:51:30 +02:00
drm_gpuvm.c
drm_internal.h drm/edid: move all internal declarations to drm_crtc_internal.h 2024-04-17 16:11:17 +03:00
drm_ioc32.c
drm_ioctl.c
drm_kms_helper_common.c
drm_lease.c
drm_managed.c
drm_mipi_dbi.c
drm_mipi_dsi.c drm/mipi-dsi: add mipi_dsi_compression_mode_ext() 2024-04-19 04:27:29 +03:00
drm_mm.c
drm_mode_config.c drm: Introduce plane SIZE_HINTS property 2024-04-11 18:28:58 +03:00
drm_mode_object.c
drm_modes.c drm: prefer DRM_MODE_FMT/ARG over drm_mode_debug_printmodeline() 2024-04-15 16:22:50 +03:00
drm_modeset_helper.c
drm_modeset_lock.c
drm_of.c
drm_panel.c
drm_panel_orientation_quirks.c drm: panel-orientation-quirks: Add quirk for Aya Neo KUN 2024-06-10 12:19:25 +02:00
drm_panic.c drm/panic: Add debugfs entry to test without triggering panic. 2024-04-15 16:13:15 +02:00
drm_pci.c
drm_plane.c drm: Fix plane SIZE_HINTS property docs 2024-04-22 11:42:32 +03:00
drm_plane_helper.c
drm_prime.c drm/prime: Unbreak virtgpu dma-buf export 2024-03-28 19:52:22 +01:00
drm_print.c drm/print: drop include debugfs.h and include where needed 2024-04-25 17:05:48 +03:00
drm_privacy_screen.c
drm_privacy_screen_x86.c
drm_probe_helper.c drm: prefer DRM_MODE_FMT/ARG over drm_mode_debug_printmodeline() 2024-04-15 16:22:50 +03:00
drm_property.c
drm_rect.c
drm_self_refresh_helper.c
drm_simple_kms_helper.c
drm_suballoc.c
drm_syncobj.c
drm_sysfs.c drm/sysfs: switch to drm device based logging 2024-04-15 16:22:05 +03:00
drm_trace.h
drm_trace_points.c
drm_vblank.c drm/vblank: Introduce drm_crtc_vblank_crtc() 2024-04-18 13:27:56 +03:00
drm_vblank_work.c drm/vblank: Introduce drm_crtc_vblank_crtc() 2024-04-18 13:27:56 +03:00
drm_vma_manager.c
drm_writeback.c