--- /dev/null
+From d78d383ab354b0b9e1d23404ae0d9fbdeb9aa035 Mon Sep 17 00:00:00 2001
+From: Rob Clark <robdclark@gmail.com>
+Date: Mon, 22 Aug 2016 15:28:38 -0400
+Subject: drm/msm: protect against faults from copy_from_user() in submit ioctl
+
+From: Rob Clark <robdclark@gmail.com>
+
+commit d78d383ab354b0b9e1d23404ae0d9fbdeb9aa035 upstream.
+
+An evil userspace could try to cause deadlock by passing an unfaulted-in
+GEM bo as submit->bos (or submit->cmds) table. Which will trigger
+msm_gem_fault() while we already hold struct_mutex. See:
+
+https://github.com/freedreno/msmtest/blob/master/evilsubmittest.c
+
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/gpu/drm/msm/msm_drv.h | 6 ++++++
+ drivers/gpu/drm/msm/msm_gem.c | 9 +++++++++
+ drivers/gpu/drm/msm/msm_gem_submit.c | 2 ++
+ 3 files changed, 17 insertions(+)
+
+--- a/drivers/gpu/drm/msm/msm_drv.h
++++ b/drivers/gpu/drm/msm/msm_drv.h
+@@ -148,6 +148,12 @@ struct msm_drm_private {
+ } vram;
+
+ struct msm_vblank_ctrl vblank_ctrl;
++
++ /* task holding struct_mutex.. currently only used in submit path
++ * to detect and reject faults from copy_from_user() for submit
++ * ioctl.
++ */
++ struct task_struct *struct_mutex_task;
+ };
+
+ struct msm_format {
+--- a/drivers/gpu/drm/msm/msm_gem.c
++++ b/drivers/gpu/drm/msm/msm_gem.c
+@@ -196,11 +196,20 @@ int msm_gem_fault(struct vm_area_struct
+ {
+ struct drm_gem_object *obj = vma->vm_private_data;
+ struct drm_device *dev = obj->dev;
++ struct msm_drm_private *priv = dev->dev_private;
+ struct page **pages;
+ unsigned long pfn;
+ pgoff_t pgoff;
+ int ret;
+
++ /* This should only happen if userspace tries to pass a mmap'd
++ * but unfaulted gem bo vaddr into submit ioctl, triggering
++ * a page fault while struct_mutex is already held. This is
++ * not a valid use-case so just bail.
++ */
++ if (priv->struct_mutex_task == current)
++ return VM_FAULT_SIGBUS;
++
+ /* Make sure we don't parallel update on a fault, nor move or remove
+ * something from beneath our feet
+ */
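Review bot: The new check in msm_gem_fault() reads `priv->struct_mutex_task` before struct_mutex is taken, while the submit ioctl writes it under the lock, and nothing in the comment says why that unlocked read is safe. It appears to be safe because only the task that stored its own pointer can ever see a value equal to `current`, so a value left by another task simply falls through to the normal locking path. I would state that in the comment, e.g. `/* unlocked read is fine: only the owner can observe its own task pointer */`, and consider `READ_ONCE(priv->struct_mutex_task)` here, paired with `WRITE_ONCE()` at the two stores in msm_ioctl_gem_submit(). The guard also covers only the submit ioctl, so any other path that calls copy_from_user() with struct_mutex held would presumably still reach the locking code below. msm_gem_fault()'s body continues outside the hunk.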
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -394,6 +394,7 @@ int msm_ioctl_gem_submit(struct drm_devi
+ return -ENOMEM;
+
+ mutex_lock(&dev->struct_mutex);
++ priv->struct_mutex_task = current;
+
+ ret = submit_lookup_objects(submit, args, file);
+ if (ret)
+@@ -479,6 +480,7 @@ out:
+ submit_cleanup(submit);
+ if (ret)
+ msm_gem_submit_free(submit);
++ priv->struct_mutex_task = NULL;
+ mutex_unlock(&dev->struct_mutex);
+ return ret;
+ }
--- /dev/null
+From ba63f23d69a3a10e7e527a02702023da68ef8a6d Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 8 Sep 2016 14:20:38 -0700
+Subject: fscrypto: require write access to mount to set encryption policy
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit ba63f23d69a3a10e7e527a02702023da68ef8a6d upstream.
+
+Since setting an encryption policy requires writing metadata to the
+filesystem, it should be guarded by mnt_want_write/mnt_drop_write.
+Otherwise, a user could cause a write to a frozen or readonly
+filesystem. This was handled correctly by f2fs but not by ext4. Make
+fscrypt_process_policy() handle it rather than relying on the filesystem
+to get it right.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Cc: stable@vger.kernel.org # 4.1+; check fs/{ext4,f2fs}
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Acked-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ioctl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -782,7 +782,13 @@ resizefs_out:
+ goto encryption_policy_out;
+ }
+
++ err = mnt_want_write_file(filp);
++ if (err)
++ goto encryption_policy_out;
++
+ err = ext4_process_policy(&policy, inode);
++
++ mnt_drop_write_file(filp);
+ encryption_policy_out:
+ return err;
+ #else
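Review bot: mnt_want_write_file() only establishes that the mount is writable and not frozen; nothing visible in this hunk checks that the caller is entitled to change the policy on this particular inode before ext4_process_policy() runs. If that check is not already made earlier in this ioctl case or inside ext4_process_policy(), an owner-or-capable test such as `if (!inode_owner_or_capable(inode)) { err = -EACCES; goto encryption_policy_out; }` belongs ahead of the write-access grab. Separately, the description says fscrypt_process_policy() handles this, whereas this patch places the calls in the ext4 ioctl. A short comment like `/* policy is stored as inode metadata: need mount write access */` would keep the pairing with mnt_drop_write_file() from being lost in later edits. The enclosing ioctl case starts and ends outside the hunk.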
--- /dev/null
+From ba913e4f72fc9cfd03dad968dfb110eb49211d80 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Fri, 19 Aug 2016 14:30:29 +0100
+Subject: MIPS: KVM: Check for pfn noslot case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit ba913e4f72fc9cfd03dad968dfb110eb49211d80 upstream.
+
+When mapping a page into the guest we error check using is_error_pfn(),
+however this doesn't detect a value of KVM_PFN_NOSLOT, indicating an
+error HVA for the page. This can only happen on MIPS right now due to
+unusual memslot management (e.g. being moved / removed / resized), or
+with an Enhanced Virtual Memory (EVA) configuration where the default
+KVM_HVA_ERR_* and kvm_is_error_hva() definitions are unsuitable (fixed
+in a later patch). This case will be treated as a pfn of zero, mapping
+the first page of physical memory into the guest.
+
+It would appear the MIPS KVM port wasn't updated prior to being merged
+(in v3.10) to take commit 81c52c56e2b4 ("KVM: do not treat noslot pfn as
+a error pfn") into account (merged v3.8), which converted a bunch of
+is_error_pfn() calls to is_error_noslot_pfn(). Switch to using
+is_error_noslot_pfn() instead to catch this case properly.
+
+Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[james.hogan@imgtec.com: Backport to v4.7.y]
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/kvm/tlb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kvm/tlb.c
++++ b/arch/mips/kvm/tlb.c
+@@ -159,7 +159,7 @@ static int kvm_mips_map_page(struct kvm
+ srcu_idx = srcu_read_lock(&kvm->srcu);
+ pfn = kvm_mips_gfn_to_pfn(kvm, gfn);
+
+- if (kvm_mips_is_error_pfn(pfn)) {
++ if (is_error_noslot_pfn(pfn)) {
+ kvm_err("Couldn't get pfn for gfn %#" PRIx64 "!\n", gfn);
+ err = -EFAULT;
+ goto out;
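Review bot: The switch to is_error_noslot_pfn() at the test after kvm_mips_gfn_to_pfn() carries no comment on why the noslot case matters, and per the description the consequence of missing it is that the first page of physical memory gets mapped into the guest. I would add `/* also rejects KVM_PFN_NOSLOT, which would otherwise be mapped as pfn 0 */` above the check so the stricter predicate is not reverted in a later cleanup. If kvm_mips_is_error_pfn() has other callers outside this hunk, they likely share the same gap and should be audited, or the wrapper removed. kvm_mips_map_page() starts and ends outside the hunk.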
clocksource-drivers-sun4i-clear-interrupts-after-stopping-timer-in-probe-function.patch
+mips-kvm-check-for-pfn-noslot-case.patch
+fscrypto-require-write-access-to-mount-to-set-encryption-policy.patch
+drm-msm-protect-against-faults-from-copy_from_user-in-submit-ioctl.patch