]> git.baikalelectronics.ru Git - kernel.git/commit
projects / kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 6ace51e) | patch
drm/msm: protect against faults from copy_from_user() in submit ioctl
authorRob Clark <robdclark@gmail.com>
Mon, 22 Aug 2016 19:28:38 +0000 (15:28 -0400)
committerRob Clark <robdclark@gmail.com>
Sun, 28 Aug 2016 16:49:39 +0000 (12:49 -0400)
commit40a2d2de5557245340fa3d5f4abe99ffc6be09e2
treeaee4580ca0766d3be40c2b574dd7816aabc3d080tree | snapshot
parent6ace51efa9258535904a89cca1ea9eefcffa8215commit | diff
drm/msm: protect against faults from copy_from_user() in submit ioctl

An evil userspace could try to cause deadlock by passing an unfaulted-in
GEM bo as submit->bos (or submit->cmds) table.  Which will trigger
msm_gem_fault() while we already hold struct_mutex.  See:

https://github.com/freedreno/msmtest/blob/master/evilsubmittest.c

Cc: stable@vger.kernel.org
Signed-off-by: Rob Clark <robdclark@gmail.com>
drivers/gpu/drm/msm/msm_drv.h diff | blob | history
drivers/gpu/drm/msm/msm_gem.c diff | blob | history
drivers/gpu/drm/msm/msm_gem_submit.c diff | blob | history
Linux Kernel Source Tree.