kernel_optimize_test/include/drm/drm_auth.h
Desmond Cheong Zhi Xi 34609faad0 drm: protect drm_master pointers in drm_lease.c
[ Upstream commit 56f0729a510f92151682ff6c89f69724d5595d6e ]

drm_file->master pointers should be protected by
drm_device.master_mutex or drm_file.master_lookup_lock when being
dereferenced.

However, in drm_lease.c, there are multiple instances where
drm_file->master is accessed and dereferenced while neither lock is
held. This makes drm_lease.c vulnerable to use-after-free bugs.

We address this issue in 2 ways:

1. Add a new drm_file_get_master() function that calls drm_master_get
on drm_file->master while holding on to
drm_file.master_lookup_lock. Since drm_master_get increments the
reference count of master, this prevents master from being freed until
we unreference it with drm_master_put.

2. In each case where drm_file->master is directly accessed and
eventually dereferenced in drm_lease.c, we wrap the access in a call
to the new drm_file_get_master function, then unreference the master
pointer once we are done using it.

Reported-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20210712043508.11584-6-desmondcheongzx@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-09-18 13:40:19 +02:00

117 lines
3.6 KiB
C

#ifndef _DRM_AUTH_H_
#define _DRM_AUTH_H_
/*
* Internal Header for the Direct Rendering Manager
*
* Copyright 2016 Intel Corporation
*
* Author: Daniel Vetter <daniel.vetter@ffwll.ch>
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice (including the next
* paragraph) shall be included in all copies or substantial portions of the
* Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
* VA LINUX SYSTEMS AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
* OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
* OTHER DEALINGS IN THE SOFTWARE.
*/
#include <linux/idr.h>
#include <linux/kref.h>
#include <linux/wait.h>
struct drm_file;
struct drm_hw_lock;
/*
* Legacy DRI1 locking data structure. Only here instead of in drm_legacy.h for
* include ordering reasons.
*
* DO NOT USE.
*/
struct drm_lock_data {
struct drm_hw_lock *hw_lock;
struct drm_file *file_priv;
wait_queue_head_t lock_queue;
unsigned long lock_time;
spinlock_t spinlock;
uint32_t kernel_waiters;
uint32_t user_waiters;
int idle_has_lock;
};
/**
* struct drm_master - drm master structure
*
* @refcount: Refcount for this master object.
* @dev: Link back to the DRM device
* @driver_priv: Pointer to driver-private information.
* @lessor: Lease holder
* @lessee_id: id for lessees. Owners always have id 0
* @lessee_list: other lessees of the same master
* @lessees: drm_masters leasing from this one
* @leases: Objects leased to this drm_master.
* @lessee_idr: All lessees under this owner (only used where lessor == NULL)
*
* Note that master structures are only relevant for the legacy/primary device
* nodes, hence there can only be one per device, not one per drm_minor.
*/
struct drm_master {
struct kref refcount;
struct drm_device *dev;
/**
* @unique: Unique identifier: e.g. busid. Protected by
* &drm_device.master_mutex.
*/
char *unique;
/**
* @unique_len: Length of unique field. Protected by
* &drm_device.master_mutex.
*/
int unique_len;
/**
* @magic_map: Map of used authentication tokens. Protected by
* &drm_device.master_mutex.
*/
struct idr magic_map;
void *driver_priv;
/* Tree of display resource leases, each of which is a drm_master struct
* All of these get activated simultaneously, so drm_device master points
* at the top of the tree (for which lessor is NULL). Protected by
* &drm_device.mode_config.idr_mutex.
*/
struct drm_master *lessor;
int lessee_id;
struct list_head lessee_list;
struct list_head lessees;
struct idr leases;
struct idr lessee_idr;
/* private: */
#if IS_ENABLED(CONFIG_DRM_LEGACY)
struct drm_lock_data lock;
#endif
};
struct drm_master *drm_master_get(struct drm_master *master);
struct drm_master *drm_file_get_master(struct drm_file *file_priv);
void drm_master_put(struct drm_master **master);
bool drm_is_current_master(struct drm_file *fpriv);
struct drm_master *drm_master_create(struct drm_device *dev);
#endif