]> git.ipfire.org Git - thirdparty/kernel/stable.git/commit
projects / thirdparty / kernel / stable.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 399c967) | patch
drm/msm: protect against faults from copy_from_user() in submit ioctl
authorRob Clark <robdclark@gmail.com>
Mon, 22 Aug 2016 19:28:38 +0000 (15:28 -0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 24 Sep 2016 08:09:23 +0000 (10:09 +0200)
commitb8509ce12df9d26b6ec4e6d5aa3b541803da60e2
treeb6426b3c862cd90f9eb07bc90847ab8d9ad2ef31tree
parent399c967d80f1dfc8273a3831d73a9f06daa4b1bccommit | diff
drm/msm: protect against faults from copy_from_user() in submit ioctl

commit d78d383ab354b0b9e1d23404ae0d9fbdeb9aa035 upstream.

An evil userspace could try to cause deadlock by passing an unfaulted-in
GEM bo as submit->bos (or submit->cmds) table.  Which will trigger
msm_gem_fault() while we already hold struct_mutex.  See:

https://github.com/freedreno/msmtest/blob/master/evilsubmittest.c

Signed-off-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/gpu/drm/msm/msm_drv.h diff | blob | blame | history
drivers/gpu/drm/msm/msm_gem.c diff | blob | blame | history
drivers/gpu/drm/msm/msm_gem_submit.c diff | blob | blame | history
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git