drm/msm: protect against faults from copy_from_user() in submit ioctl
author Rob Clark <robdclark@gmail.com>
Mon, 22 Aug 2016 19:28:38 +0000 (15:28 -0400)
committer Rob Clark <robdclark@gmail.com>
Sun, 28 Aug 2016 16:49:39 +0000 (12:49 -0400)
commit d78d383ab354b0b9e1d23404ae0d9fbdeb9aa035
tree aee4580ca0766d3be40c2b574dd7816aabc3d080
parent 89f82cbb0d5c0ab768c8d02914188aa2211cd2e3

An evil userspace could try to cause deadlock by passing an unfaulted-in
GEM bo as submit->bos (or submit->cmds) table.  Which will trigger
msm_gem_fault() while we already hold struct_mutex.  See:

https://github.com/freedreno/msmtest/blob/master/evilsubmittest.c

Cc: stable@vger.kernel.org
Signed-off-by: Rob Clark <robdclark@gmail.com>
drivers/gpu/drm/msm/msm_drv.h
drivers/gpu/drm/msm/msm_gem.c
drivers/gpu/drm/msm/msm_gem_submit.c
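
The lock recursion described in the commit message, as an added user-space model (not code from this commit or from the msm driver). All names are hypothetical stand-ins, and the "after" path shows one common way to avoid faulting under a lock, which is an assumption because the diff is not shown on this page.

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed model: every name here is a hypothetical stand-in. */
struct model {
    bool lock_held;    /* stands in for the non-recursive struct_mutex */
    bool page_present; /* false: user pointer is an unfaulted-in bo mapping */
};

static int lock(struct model *m) {
    if (m->lock_held)
        return -EDEADLK; /* a real mutex would block forever here */
    m->lock_held = true;
    return 0;
}
static void unlock(struct model *m) { m->lock_held = false; }

/* Copy model: a missing page runs the fault handler, which needs the lock. */
static int copy_in(struct model *m, bool may_fault, int *dst, const int *src) {
    if (!m->page_present) {
        if (!may_fault)
            return -EFAULT;  /* no-fault copy: fail instead of faulting */
        if (lock(m))         /* fault handler takes the same lock */
            return -EDEADLK;
        m->page_present = true;
        unlock(m);
    }
    *dst = *src;
    return 0;
}

/* Before: faulting copy from user memory while the lock is held. */
static int submit_unsafe(struct model *m, int *out, const int *user) {
    lock(m);
    int ret = copy_in(m, true, out, user);
    unlock(m);
    return ret;
}

/* After: no-fault copy under the lock; on -EFAULT drop the lock and retry. */
static int submit_safe(struct model *m, int *out, const int *user) {
    lock(m);
    int ret = copy_in(m, false, out, user);
    if (ret == -EFAULT) {
        unlock(m);
        ret = copy_in(m, true, out, user); /* fault handler can lock now */
        lock(m);
    }
    unlock(m);
    return ret;
}
```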