With CONFIG_CC_OPTIMIZE_FOR_SIZE, objtool reports:

  drivers/gpu/drm/i915/gem/i915_gem_execbuffer.o: warning: objtool: i915_gem_execbuffer2_ioctl()+0x5b7: call to gen8_canonical_addr() with UACCESS enabled

This means i915_gem_execbuffer2_ioctl() is calling gen8_canonical_addr()
-- and indirectly, sign_extend64() -- from the user_access_begin/end
critical region (i.e., with SMAP disabled).

While it's probably harmless in this case, in general we like to avoid
extra function calls in SMAP-disabled regions because it can open up
inadvertent security holes.

Fix it by moving the gen8_canonical_addr() conversion to a separate loop
before user_access_begin() is called.

Note that gen8_canonical_addr() is now called *before* masking off the
PIN_OFFSET_MASK bits.  That should be ok because it just does a sign
extension and ignores the masked lower bits anyway.

Reported-by: Randy Dunlap <rdun...@infradead.org>
Signed-off-by: Josh Poimboeuf <jpoim...@redhat.com>
---
 drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c 
b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
index d5a0f5ae4a8b..183cab13e028 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
@@ -2947,6 +2947,13 @@ i915_gem_execbuffer2_ioctl(struct drm_device *dev, void 
*data,
                        u64_to_user_ptr(args->buffers_ptr);
                unsigned int i;
 
+               /*
+                * Do the call to gen8_canonical_addr() outside the
+                * uaccess-enabled region to minimize uaccess exposure.
+                */
+               for (i = 0; i < args->buffer_count; i++)
+                       exec2_list[i].offset = 
gen8_canonical_addr(exec2_list[i].offset);
+
                /* Copy the new buffer offsets back to the user's exec list. */
                /*
                 * Note: count * sizeof(*user_exec_list) does not overflow,
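Review bot: the added loop over args->buffer_count rewrites exec2_list[i].offset for every entry, whereas the conversion it replaces in the later hunk ran only after the `if (!(exec2_list[i].offset & UPDATE)) continue;` test. Entries without UPDATE are therefore now modified in the kernel copy, and the UPDATE test itself reads the sign-extended value. If nothing consumes exec2_list after this point that is harmless, but the new comment should say so and should state that the UPDATE bit is unaffected by the sign extension.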
@@ -2962,9 +2969,7 @@ i915_gem_execbuffer2_ioctl(struct drm_device *dev, void 
*data,
                        if (!(exec2_list[i].offset & UPDATE))
                                continue;
 
-                       exec2_list[i].offset =
-                               gen8_canonical_addr(exec2_list[i].offset & 
PIN_OFFSET_MASK);
-                       unsafe_put_user(exec2_list[i].offset,
+                       unsafe_put_user(exec2_list[i].offset & PIN_OFFSET_MASK,
                                        &user_exec_list[i].offset,
                                        end_user);
                }
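Review bot: in the unsafe_put_user() call the mask is now applied after the sign extension, and the commit message justifies the swap only for the lower bits. `gen8_canonical_addr(x & PIN_OFFSET_MASK)` and `gen8_canonical_addr(x) & PIN_OFFSET_MASK` agree only if PIN_OFFSET_MASK also keeps every upper bit that the extension sets; a short comment or a BUILD_BUG_ON to that effect would make the equivalence checkable. Also, exec2_list[i].offset is no longer stored back masked, so the kernel copy keeps its low bits after this loop.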
-- 
2.21.1
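
The ordering argument in the commit message, checked in user space as an added example (not code from the patch or the i915 driver). The sign bit position 47 and both masks are assumptions chosen for the demo, and all `demo_*` names are hypothetical; it shows that mask-then-extend and extend-then-mask agree when the mask clears only low bits and diverge when the mask also clears bits above the sign bit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this demo, not taken from the patch or the driver headers. */
#define DEMO_HIGH_BIT 47                             /* index of the sign bit */
#define DEMO_LOW_MASK (~UINT64_C(0xfff))             /* clears only low flag bits */
#define DEMO_BAD_MASK UINT64_C(0x0000fffffffff000)   /* also clears bits 48..63 */

/* Sign-extend from bit `index` (0-based) to 64 bits. */
static uint64_t demo_sign_extend64(uint64_t value, int index)
{
	int shift = 63 - index;
	return (uint64_t)((int64_t)(value << shift) >> shift);
}

static uint64_t demo_canonical(uint64_t addr)
{
	return demo_sign_extend64(addr, DEMO_HIGH_BIT);
}

/* Order before the patch: mask, then extend. */
static uint64_t old_order(uint64_t off, uint64_t mask) { return demo_canonical(off & mask); }
/* Order after the patch: extend, then mask. */
static uint64_t new_order(uint64_t off, uint64_t mask) { return demo_canonical(off) & mask; }

/* Count constructed offsets for which the two orders disagree. */
static int count_mismatches(uint64_t mask)
{
	static const uint64_t samples[] = { /* constructed test offsets */
		0x0ULL, 0x1003ULL, 0x00007fffffffffffULL, 0x0000800000000005ULL,
		0x0000fffffffff00fULL, 0xffff800000001001ULL, 0x1234800000000fffULL,
	};
	int bad = 0;
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		if (old_order(samples[i], mask) != new_order(samples[i], mask))
			bad++;
	return bad;
}

int main(void)
{
	printf("low-bit mask mismatches:       %d\n", count_mismatches(DEMO_LOW_MASK));
	printf("high-clearing mask mismatches: %d\n", count_mismatches(DEMO_BAD_MASK));
	return 0;
}
```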
