Open Source and information security mailing list archives
Message-Id: <20201103203405.042055538@linuxfoundation.org>
Date:   Tue,  3 Nov 2020 21:35:18 +0100
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     linux-kernel@...r.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        stable@...r.kernel.org,
        Boris Brezillon <boris.brezillon@...labora.com>,
        Christian König <christian.koenig@....com>,
        Sumit Semwal <sumit.semwal@...aro.org>,
        Lucas Stach <l.stach@...gutronix.de>,
        Russell King <linux+etnaviv@...linux.org.uk>,
        Christian Gmeiner <christian.gmeiner@...il.com>,
        Inki Dae <inki.dae@...sung.com>,
        Joonyoung Shim <jy0922.shim@...sung.com>,
        Seung-Woo Kim <sw0312.kim@...sung.com>,
        Kyungmin Park <kyungmin.park@...sung.com>,
        Thomas Zimmermann <tzimmermann@...e.de>,
        Gerd Hoffmann <kraxel@...hat.com>,
        Rob Herring <robh@...nel.org>, dri-devel@...ts.freedesktop.org,
        linux-media@...r.kernel.org, linaro-mm-sig@...ts.linaro.org,
        piotr.oniszczuk@...il.com, Daniel Vetter <daniel.vetter@...el.com>
Subject: [PATCH 5.9 267/391] drm/shme-helpers: Fix dma_buf_mmap forwarding bug

From: Daniel Vetter <daniel.vetter@...ll.ch>

commit f49a51bfdc8ea717c97ccd4cc98b7e6daaa5553a upstream.

When we forward an mmap to the dma_buf exporter, they get to own
everything. Unfortunately drm_gem_mmap_obj() overwrote
vma->vm_private_data after the driver callback, wrecking the
exporter completely. This was noticed because vb2_common_vm_close blew
up on mali gpu with panfrost after commit 26d3ac3cb04d
("drm/shmem-helpers: Redirect mmap for imported dma-buf").

Unfortunately drm_gem_mmap_obj also acquires a surplus reference that
we need to drop in shmem helpers, which is a bit of a mislayer
situation. Maybe the entire dma_buf_mmap forwarding should be pulled
into core gem code.

Note that the only two other drivers which forward mmap in their own
code (etnaviv and exynos) get this somewhat right by overwriting the
gem mmap code. But they seem to still have the leak. This might be a
good excuse to move these drivers over to shmem helpers completely.

Reviewed-by: Boris Brezillon <boris.brezillon@...labora.com>
Acked-by: Christian König <christian.koenig@....com>
Cc: Christian König <christian.koenig@....com>
Cc: Sumit Semwal <sumit.semwal@...aro.org>
Cc: Lucas Stach <l.stach@...gutronix.de>
Cc: Russell King <linux+etnaviv@...linux.org.uk>
Cc: Christian Gmeiner <christian.gmeiner@...il.com>
Cc: Inki Dae <inki.dae@...sung.com>
Cc: Joonyoung Shim <jy0922.shim@...sung.com>
Cc: Seung-Woo Kim <sw0312.kim@...sung.com>
Cc: Kyungmin Park <kyungmin.park@...sung.com>
Fixes: 26d3ac3cb04d ("drm/shmem-helpers: Redirect mmap for imported dma-buf")
Cc: Boris Brezillon <boris.brezillon@...labora.com>
Cc: Thomas Zimmermann <tzimmermann@...e.de>
Cc: Gerd Hoffmann <kraxel@...hat.com>
Cc: Rob Herring <robh@...nel.org>
Cc: dri-devel@...ts.freedesktop.org
Cc: linux-media@...r.kernel.org
Cc: linaro-mm-sig@...ts.linaro.org
Cc: <stable@...r.kernel.org> # v5.9+
Reported-and-tested-by: piotr.oniszczuk@...il.com
Cc: piotr.oniszczuk@...il.com
Signed-off-by: Daniel Vetter <daniel.vetter@...el.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20201027214922.3566743-1-daniel.vetter@ffwll.ch
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>

---
 drivers/gpu/drm/drm_gem.c              |    4 ++--
 drivers/gpu/drm/drm_gem_shmem_helper.c |    7 ++++++-
 2 files changed, 8 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/drm_gem.c
+++ b/drivers/gpu/drm/drm_gem.c
@@ -1085,6 +1085,8 @@ int drm_gem_mmap_obj(struct drm_gem_obje
 	 */
 	drm_gem_object_get(obj);
 
+	vma->vm_private_data = obj;
+
 	if (obj->funcs && obj->funcs->mmap) {
 		ret = obj->funcs->mmap(obj, vma);
 		if (ret) {
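Review bot: The new vma->vm_private_data = obj assignment ahead of the obj->funcs->mmap() call has no comment explaining why it must come before the callback, so a later cleanup could move it back below and reintroduce the overwrite. A one-line comment stating that the callback may replace vm_private_data (for example when it forwards to a dma_buf exporter) would pin the ordering. It is also worth checking the error branch that begins at if (ret): with this ordering, a failed callback leaves vm_private_data pointing at obj, and the visible lines do not show it being cleared there.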
@@ -1107,8 +1109,6 @@ int drm_gem_mmap_obj(struct drm_gem_obje
 		vma->vm_page_prot = pgprot_decrypted(vma->vm_page_prot);
 	}
 
-	vma->vm_private_data = obj;
-
 	return 0;
 }
 EXPORT_SYMBOL(drm_gem_mmap_obj);
--- a/drivers/gpu/drm/drm_gem_shmem_helper.c
+++ b/drivers/gpu/drm/drm_gem_shmem_helper.c
@@ -594,8 +594,13 @@ int drm_gem_shmem_mmap(struct drm_gem_ob
 	/* Remove the fake offset */
 	vma->vm_pgoff -= drm_vma_node_start(&obj->vma_node);
 
-	if (obj->import_attach)
+	if (obj->import_attach) {
+		/* Drop the reference drm_gem_mmap_obj() acquired.*/
+		drm_gem_object_put(obj);
+		vma->vm_private_data = NULL;
+
 		return dma_buf_mmap(obj->dma_buf, vma, 0);
+	}
 
 	shmem = to_drm_gem_shmem_obj(obj);
 
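Review bot: In the import_attach branch, obj is dereferenced in dma_buf_mmap(obj->dma_buf, vma, 0) after drm_gem_object_put(obj) has already run, which is only safe if the caller is guaranteed to hold another reference across this call. Either say so in the comment, or read obj->dma_buf into a local before the put so the ordering cannot turn into a use-after-free if the caller's reference handling changes. Minor style point on the same lines: the comment is missing a space before the closing */ ("acquired.*/").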

