drm/msm: protect against faults from copy_from_user() in submit ioctl

An evil userspace could try to cause deadlock by passing an unfaulted-in GEM bo as submit->bos (or submit->cmds) table. Which will trigger msm_gem_fault() while we already hold struct_mutex. See: https://github.com/freedreno/msmtest/blob/master/evilsubmittest.c Cc: stable@vger.kernel.org Signed-off-by: Rob Clark <robdclark@gmail.com>
author: Rob Clark <robdclark@gmail.com> 2016-08-22 15:28:38 -0400
committer: Rob Clark <robdclark@gmail.com> 2016-08-28 12:49:39 -0400
commit: d78d383ab354b0b9e1d23404ae0d9fbdeb9aa035 (patch)
tree: aee4580ca0766d3be40c2b574dd7816aabc3d080 /drivers/gpu/drm/msm/msm_gem.c
parent: 89f82cbb0d5c0ab768c8d02914188aa2211cd2e3 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
index 6cd4af443139..85f3047e05ae 100644
--- a/drivers/gpu/drm/msm/msm_gem.c
+++ b/drivers/gpu/drm/msm/msm_gem.c
@@ -196,11 +196,20 @@ int msm_gem_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
 {
 	struct drm_gem_object *obj = vma->vm_private_data;
 	struct drm_device *dev = obj->dev;
+	struct msm_drm_private *priv = dev->dev_private;
 	struct page **pages;
 	unsigned long pfn;
 	pgoff_t pgoff;
 	int ret;
 
+	/* This should only happen if userspace tries to pass a mmap'd
+	 * but unfaulted gem bo vaddr into submit ioctl, triggering
+	 * a page fault while struct_mutex is already held.  This is
+	 * not a valid use-case so just bail.
+	 */
+	if (priv->struct_mutex_task == current)
+		return VM_FAULT_SIGBUS;
+
 	/* Make sure we don't parallel update on a fault, nor move or remove
 	 * something from beneath our feet
 	 */
author	Rob Clark <robdclark@gmail.com>	2016-08-22 15:28:38 -0400
committer	Rob Clark <robdclark@gmail.com>	2016-08-28 12:49:39 -0400
commit	d78d383ab354b0b9e1d23404ae0d9fbdeb9aa035 (patch)
tree	aee4580ca0766d3be40c2b574dd7816aabc3d080 /drivers/gpu/drm/msm/msm_gem.c
parent	89f82cbb0d5c0ab768c8d02914188aa2211cd2e3 (diff)