From patchwork Mon Mar 27 11:00:26 2017
X-Patchwork-Submitter: Thomas Hellstrom
X-Patchwork-Id: 9646435
From: Thomas Hellstrom
Subject: [PATCH] drm/vmwgfx: Type-check lookups of fence objects
Date: Mon, 27 Mar 2017 13:00:26 +0200
Message-ID: <1490612426-2615-1-git-send-email-thellstrom@vmware.com>
Cc: Thomas Hellstrom, stable@vger.kernel.org

A malicious caller could otherwise hand over handles to other objects causing all sorts of interesting problems.

Testing done: Ran a Fedora 25 desktop using both Xorg and gnome-shell/Wayland.

Cc:
Signed-off-by: Thomas Hellstrom
Reviewed-by: Sinclair Yeh
---
drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 77 +++++++++++++++++++++++------------
1 file changed, 50 insertions(+), 27 deletions(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c index 6541dd8..4076063 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c @@ -538,7 +538,7 @@ int vmw_fence_create(struct vmw_fence_manager *fman, struct vmw_fence_obj **p_fence) { struct vmw_fence_obj *fence; - int ret; + int ret; fence = kzalloc(sizeof(*fence), GFP_KERNEL); if (unlikely(fence == NULL))
@@ -701,6 +701,41 @@ void vmw_fence_fifo_up(struct vmw_fence_manager *fman) } +/** + * vmw_fence_obj_lookup - Look up a user-space fence object + * + * @tfile: A struct ttm_object_file identifying the caller. + * @handle: A handle identifying the fence object. + * @return: A struct vmw_user_fence base ttm object on success or + * an error pointer on failure. + * + * The fence object is looked up and type-checked. The caller needs + * to have opened the fence object first, but since that happens on + * creation and fence objects aren't shareable, that's not an + * issue currently. + */ +static struct ttm_base_object * +vmw_fence_obj_lookup(struct ttm_object_file *tfile, u32 handle) +{ + struct ttm_base_object *base = ttm_base_object_lookup(tfile, handle); + + if (!base) { + pr_err("Invalid fence object handle 0x%08lx.\n", + (unsigned long)handle); + return ERR_PTR(-EINVAL); + } + + if (base->refcount_release != vmw_user_fence_base_release) { + pr_err("Invalid fence object handle 0x%08lx.\n", + (unsigned long)handle); + ttm_base_object_unref(&base); + return ERR_PTR(-EINVAL); + } + + return base; +} + + int vmw_fence_obj_wait_ioctl(struct drm_device *dev, void *data, struct drm_file *file_priv) { @@ -726,13 +761,9 @@ int vmw_fence_obj_wait_ioctl(struct drm_device *dev, void *data, arg->kernel_cookie = jiffies + wait_timeout; } - base = ttm_base_object_lookup(tfile, arg->handle); - if (unlikely(base == NULL)) { - printk(KERN_ERR "Wait invalid fence object handle " - "0x%08lx.\n", - (unsigned long)arg->handle); - return -EINVAL; - } + base = vmw_fence_obj_lookup(tfile, arg->handle); + if (IS_ERR(base)) + return PTR_ERR(base); fence = &(container_of(base, struct vmw_user_fence, base)->fence); 
@@ -771,13 +802,9 @@ int vmw_fence_obj_signaled_ioctl(struct drm_device *dev, void *data, struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile; struct vmw_private *dev_priv = vmw_priv(dev); - base = ttm_base_object_lookup(tfile, arg->handle); - if (unlikely(base == NULL)) { - printk(KERN_ERR "Fence signaled invalid fence object handle " - "0x%08lx.\n", - (unsigned long)arg->handle); - return -EINVAL; - } + base = vmw_fence_obj_lookup(tfile, arg->handle); + if (IS_ERR(base)) + return PTR_ERR(base); fence = &(container_of(base, struct vmw_user_fence, base)->fence); fman = fman_from_fence(fence); @@ -1024,6 +1051,7 @@ int vmw_fence_event_ioctl(struct drm_device *dev, void *data, (struct drm_vmw_fence_event_arg *) data; struct vmw_fence_obj *fence = NULL; struct vmw_fpriv *vmw_fp = vmw_fpriv(file_priv); + struct ttm_object_file *tfile = vmw_fp->tfile; struct drm_vmw_fence_rep __user *user_fence_rep = (struct drm_vmw_fence_rep __user *)(unsigned long) arg->fence_rep; @@ -1037,15 +1065,11 @@ int vmw_fence_event_ioctl(struct drm_device *dev, void *data, */ if (arg->handle) { struct ttm_base_object *base = - ttm_base_object_lookup_for_ref(dev_priv->tdev, - arg->handle); - - if (unlikely(base == NULL)) { - DRM_ERROR("Fence event invalid fence object handle " - "0x%08lx.\n", - (unsigned long)arg->handle); - return -EINVAL; - } + vmw_fence_obj_lookup(tfile, arg->handle); + + if (IS_ERR(base)) + return PTR_ERR(base); + fence = &(container_of(base, struct vmw_user_fence, base)->fence); (void) vmw_fence_obj_reference(fence); @@ -1053,7 +1077,7 @@ int vmw_fence_event_ioctl(struct drm_device *dev, void *data, if (user_fence_rep != NULL) { bool existed; - ret = ttm_ref_object_add(vmw_fp->tfile, base, + ret = ttm_ref_object_add(tfile, base, TTM_REF_USAGE, &existed); if (unlikely(ret != 0)) { DRM_ERROR("Failed to reference a fence " 
@@ -1097,8 +1121,7 @@ int vmw_fence_event_ioctl(struct drm_device *dev, void *data, return 0; out_no_create: if (user_fence_rep != NULL) - ttm_ref_object_base_unref(vmw_fpriv(file_priv)->tfile, - handle, TTM_REF_USAGE); + ttm_ref_object_base_unref(tfile, handle, TTM_REF_USAGE); out_no_ref_obj: vmw_fence_obj_unreference(&fence); return ret;
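
Review bot: The `int ret;` change in the `@@ -538,7 +538,7 @@` hunk of vmw_fence_create() is whitespace-only and unrelated to the type check. The patch is Cc'd to stable@vger.kernel.org, so drop it or send it as a separate cleanup so that the backport carries only the fix.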
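
Review bot: In vmw_fence_obj_lookup() (hunk `@@ -701,6 +701,41 @@`) both failure branches print the identical `pr_err("Invalid fence object handle 0x%08lx.\n", ...)`, so the log cannot distinguish a handle that does not resolve from one that resolves to an object of another type, and the per-ioctl wording of the removed messages ("Wait invalid ...", "Fence signaled invalid ...") is lost. Give the type-mismatch branch its own message, and because the handle is supplied by the ioctl caller, consider a rate-limited print so repeated bad handles cannot flood the kernel log. A one-line comment on the `base->refcount_release != vmw_user_fence_base_release` comparison, saying that the release callback is being used as the type tag, would also help readers who reach the `container_of()` calls in the callers.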
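
Review bot: The `arg->handle` branch of vmw_fence_event_ioctl() (hunk `@@ -1037,15 +1065,11 @@`) changes more than the type check: it replaces `ttm_base_object_lookup_for_ref(dev_priv->tdev, arg->handle)` with a lookup through the caller's `tfile`. The kernel-doc on vmw_fence_obj_lookup() explains why requiring the caller to have opened the object is acceptable, but the commit message only mentions handles to other objects; state the narrower lookup there too so that it is visible to whoever reviews or backports the change.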