From: Daniel Vetter <daniel@ffwll.ch>
To: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Cc: tzimmermann@suse.de, airlied@linux.ie,
	intel-gfx@lists.freedesktop.org,
	maarten.lankhorst@linux.intel.com, linux-kernel@vger.kernel.org,
	mripard@kernel.org, linux-graphics-maintainer@vmware.com,
	dri-devel@lists.freedesktop.org, daniel@ffwll.ch,
	linux-kernel-mentees@lists.linuxfoundation.org, zackr@vmware.com
Subject: Re: [PATCH 3/3] drm/vmwgfx: fix potential UAF in vmwgfx_surface.c
Date: Thu, 22 Jul 2021 12:39:49 +0200
Message-ID: <YPlK9b+7CN533jpl@phenom.ffwll.local>
In-Reply-To: <20210722092929.244629-4-desmondcheongzx@gmail.com>

On Thu, Jul 22, 2021 at 05:29:29PM +0800, Desmond Cheong Zhi Xi wrote:
> drm_file.master should be protected by either drm_device.master_mutex
> or drm_file.master_lookup_lock when being dereferenced. However,
> drm_master_get is called on unprotected file_priv->master pointers in
> vmw_surface_define_ioctl and vmw_gb_surface_define_internal.
> 
> This is fixed by replacing drm_master_get with drm_file_get_master.
> 
> Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>

Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>

I'll let Zack take a look at this and expect him to push this patch to
drm-misc.git.
-Daniel

> ---
>  drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> index 0eba47762bed..5d53a5f9d123 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> @@ -865,7 +865,7 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
>  	user_srf->prime.base.shareable = false;
>  	user_srf->prime.base.tfile = NULL;
>  	if (drm_is_primary_client(file_priv))
> -		user_srf->master = drm_master_get(file_priv->master);
> +		user_srf->master = drm_file_get_master(file_priv);
>  
>  	/**
>  	 * From this point, the generic resource management functions
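Review bot: The result of drm_file_get_master(file_priv) in vmw_surface_define_ioctl is stored in user_srf->master with no NULL check. The drm_is_primary_client(file_priv) test on the line above runs before the helper does, and the commit message says file_priv->master is only stable under master_mutex or master_lookup_lock, so the test alone does not tell a reader what the helper returns at the moment of the call. If the helper can return NULL, either handle it here or add a comment stating that a NULL user_srf->master is acceptable to its later users.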
> @@ -1534,7 +1534,7 @@ vmw_gb_surface_define_internal(struct drm_device *dev,
>  
>  	user_srf = container_of(srf, struct vmw_user_surface, srf);
>  	if (drm_is_primary_client(file_priv))
> -		user_srf->master = drm_master_get(file_priv->master);
> +		user_srf->master = drm_file_get_master(file_priv);
>  
>  	res = &user_srf->srf.res;
>  
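Review bot: In vmw_gb_surface_define_internal the same assignment is repeated, and neither the hunk nor the commit message says whether drm_file_get_master() hands back a counted reference the way drm_master_get() did. Please state that in the commit message so a reader can confirm that the existing release of user_srf->master stays balanced. A small shared helper for the `if (drm_is_primary_client(file_priv))` assignment would also keep the two call sites from diverging.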
> -- 
> 2.25.1
> 

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
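
The locking rule stated in the commit message, as an added user-space model that is not part of the patch or the kernel source: a pointer that a writer may replace has to be loaded and reference-counted under the lookup lock. All struct and function names here are stand-ins chosen for the illustration, and the spinlock is modelled with a C11 atomic_flag.

```c
/* Added user-space model; names are stand-ins, not kernel code. */
#include <stdatomic.h>
#include <stdlib.h>
struct master { atomic_int refcount; };
struct file { atomic_flag lookup_lock; struct master *master; };

static void model_lock(atomic_flag *l)   { while (atomic_flag_test_and_set(l)) ; }
static void model_unlock(atomic_flag *l) { atomic_flag_clear(l); }
static struct master *master_new(void) {
	struct master *m = malloc(sizeof(*m));
	if (!m) abort();
	atomic_init(&m->refcount, 1);      /* reference owned by the file slot */
	return m;
}
static struct master *master_get(struct master *m) { atomic_fetch_add(&m->refcount, 1); return m; }
static void master_put(struct master *m) { if (m && atomic_fetch_sub(&m->refcount, 1) == 1) free(m); }

/* Removed shape: pointer loaded with no lock, so a writer can free it before the increment. */
struct master *get_unlocked(struct file *f) { return master_get(f->master); }

/* Replacement shape: the load and the increment both happen under the lookup lock. */
struct master *file_get_master(struct file *f) {
	struct master *m = NULL;
	model_lock(&f->lookup_lock);
	if (f->master) m = master_get(f->master);
	model_unlock(&f->lookup_lock);
	return m;                          /* NULL when the file has no master */
}

/* Writer: swap the pointer under the same lock, then drop the slot's old reference. */
void file_set_master(struct file *f, struct master *new_master) {
	model_lock(&f->lookup_lock);
	struct master *old = f->master;
	f->master = new_master;
	model_unlock(&f->lookup_lock);
	master_put(old);
}

/* Returns the refcount of the reader's master after the writer replaced it. */
int refs_after_swap(void) {
	struct file f = { ATOMIC_FLAG_INIT, master_new() };
	struct master *held = file_get_master(&f);   /* refcount 2 */
	file_set_master(&f, master_new());           /* old master drops to 1, still alive */
	int refs = atomic_load(&held->refcount);
	master_put(held);                            /* last reference, freed here */
	file_set_master(&f, NULL);                   /* frees the second master */
	return refs + (file_get_master(&f) ? 100 : 0);
}
```

The reader's object survives the swap only because its reference was taken while the writer was excluded; `get_unlocked` gives no such guarantee when the two run concurrently.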