Re: [Intel-gfx] [PATCH v8 0/5] drm: address potential UAF bugs with drm_master ptrs

On 21/7/21 2:24 am, Daniel Vetter wrote: On Mon, Jul 12, 2021 at 12:35:03PM +0800, Desmond Cheong Zhi Xi wrote: Hi, In the previous thread on this series we decided to remove a patch that was violating a lockdep requirement in drm_lease. In addition to this change, I took a closer look at

[Intel-gfx] [PATCH 3/3] drm/vmwgfx: fix potential UAF in vmwgfx_surface.c

ing drm_master_get with drm_file_get_master. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c index 0eba47762

[Intel-gfx] [PATCH 2/3] drm: clarify lifetime/locking for drm_master's lease fields

for the lifetime of lessors and leases to make it easier to reason about them. Signed-off-by: Desmond Cheong Zhi Xi --- include/drm/drm_auth.h | 62 ++ 1 file changed, 51 insertions(+), 11 deletions(-) diff --git a/include/drm/drm_auth.h b/include/d

[Intel-gfx] [PATCH 1/3] drm: use the lookup lock in drm_is_current_master

Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c index f00354bec3fb..9c24b8cc8e36 100644 --- a/drivers/gpu/drm/drm_auth.c +++ b/drivers/gpu/drm

Re: [Intel-gfx] [PATCH v8 0/5] drm: address potential UAF bugs with drm_master ptrs

On 21/7/21 9:23 pm, Daniel Vetter wrote: On Wed, Jul 21, 2021 at 2:44 PM Desmond Cheong Zhi Xi wrote: On 21/7/21 6:29 pm, Daniel Vetter wrote: On Wed, Jul 21, 2021 at 6:12 AM Desmond Cheong Zhi Xi wrote: On 21/7/21 2:24 am, Daniel Vetter wrote: On Mon, Jul 12, 2021 at 12:35:03PM +0800

Re: [Intel-gfx] [PATCH 2/3] drm: clarify lifetime/locking for drm_master's lease fields

On 22/7/21 6:35 pm, Daniel Vetter wrote: On Thu, Jul 22, 2021 at 05:29:28PM +0800, Desmond Cheong Zhi Xi wrote: In particular, we make it clear that &drm_device.mode_config.idr_mutex protects the lease idr and list structures for drm_master. The lessor field itself doesn't need to be

[Intel-gfx] [PATCH 0/3] drm, drm/vmwgfx: fixes and updates related to drm_master

clarify lifetime/locking rules. 3. Prevent potential use-after-free bugs by replacing calls to drm_master_get with drm_file_get_master in vmwgfx_surface.c. Best wishes, Desmond Desmond Cheong Zhi Xi (3): drm: use the lookup lock in drm_is_current_master drm: clarify lifetime/locking for

Re: [Intel-gfx] [PATCH 3/3] drm/vmwgfx: fix potential UAF in vmwgfx_surface.c

On 23/7/21 3:17 am, Zack Rusin wrote: On 7/22/21 5:29 AM, Desmond Cheong Zhi Xi wrote: drm_file.master should be protected by either drm_device.master_mutex or drm_file.master_lookup_lock when being dereferenced. However, drm_master_get is called on unprotected file_priv->master pointers

[Intel-gfx] [PATCH v2 1/3] drm: use the lookup lock in drm_is_current_master

Signed-off-by: Desmond Cheong Zhi Xi Reviewed-by: Daniel Vetter --- drivers/gpu/drm/drm_auth.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c index f00354bec3fb..9c24b8cc8e36 100644 --- a/drivers/gpu/drm

[Intel-gfx] [PATCH v2 3/3] drm/vmwgfx: fix potential UAF in vmwgfx_surface.c

ing drm_master_get with drm_file_get_master. Signed-off-by: Desmond Cheong Zhi Xi Reviewed-by: Daniel Vetter Reviewed-by: Zack Rusin --- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/

[Intel-gfx] [PATCH v2 2/3] drm: clarify usage of drm leases

g, and explains how leases work and why they're used. 4. Clean up function documentation in drm_lease.c to use kernel-doc formatting. Signed-off-by: Desmond Cheong Zhi Xi --- Hi, After I updated the formatting for comments in drm_lease.c, I noticed that none of these were driver interfaces

Re: [Intel-gfx] [PATCH v2 2/3] drm: clarify usage of drm leases

On 27/7/21 9:04 pm, Daniel Vetter wrote: On Sat, Jul 24, 2021 at 07:18:23PM +0800, Desmond Cheong Zhi Xi wrote: We make the following changes to the documentation of drm leases to make it easier to reason about their usage. In particular, we clarify the lifetime and locking rules of lease

Re: [Intel-gfx] [PATCH 1/3] drm: use the lookup lock in drm_is_current_master

On 29/7/21 3:00 pm, Daniel Vetter wrote: On Tue, Jul 27, 2021 at 04:37:22PM +0200, Peter Zijlstra wrote: On Thu, Jul 22, 2021 at 12:38:10PM +0200, Daniel Vetter wrote: On Thu, Jul 22, 2021 at 05:29:27PM +0800, Desmond Cheong Zhi Xi wrote: Inside drm_is_current_master, using the outer

[Intel-gfx] [RESEND PATCH v2 0/2] locking/lockdep, drm: apply new lockdep assert in drm_auth.c

in the use of lockdep_assert(). As suggested by Boqun Feng. Link: https://lore.kernel.org/lkml/20210722092929.244629-2-desmondcheon...@gmail.com/ [1] Best wishes, Desmond Desmond Cheong Zhi Xi (1): drm: add lockdep assert to drm_is_current_master_locked Peter Zijlstra (1): locking/lockdep: Provide l

[Intel-gfx] [RESEND PATCH v2 1/2] locking/lockdep: Provide lockdep_assert{, _once}() helpers

Zijlstra (Intel) Signed-off-by: Desmond Cheong Zhi Xi Acked-by: Boqun Feng Acked-by: Waiman Long Acked-by: Peter Zijlstra (Intel) --- include/linux/lockdep.h | 41 + 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/include/linux/lockdep.h b

[Intel-gfx] [RESEND PATCH v2 2/2] drm: add lockdep assert to drm_is_current_master_locked

ion is now convenient. So we add in the assertion and explain this lock design in the kerneldoc. Signed-off-by: Desmond Cheong Zhi Xi Acked-by: Boqun Feng Acked-by: Waiman Long Acked-by: Peter Zijlstra (Intel) --- drivers/gpu/drm/drm_auth.c | 6 +++--- include/drm/drm_file.h | 4 +++

[Intel-gfx] [PATCH 1/2] drm: avoid races with modesetting rights

return to userspace. Reported-by: Daniel Vetter Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c | 17 ++--- drivers/gpu/drm/drm_client_modeset.c | 10 ++ drivers/gpu/drm/drm_drv.c| 2 ++ drivers/gpu/drm/drm_fb_helper.c

[Intel-gfx] [PATCH 2/2] drm: unexport drm_ioctl_permit

Since the last user of drm_ioctl_permit was removed, and it's now only used in drm_ioctl.c, unexport the symbol. Reported-by: Daniel Vetter Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_ioctl.c | 15 +-- include/drm/drm_ioctl.h | 1 - 2 files chang

[Intel-gfx] [PATCH 0/2] drm: update the ioctl handler

() Thoughts and comments would be very appreciated. Link: https://lore.kernel.org/lkml/YN9kAFcfGoB13x7f@phenom.ffwll.local/ [1] Best wishes, Desmond Desmond Cheong Zhi Xi (2): drm: avoid races with modesetting rights drm: unexport drm_ioctl_permit drivers/gpu/drm/drm_auth.c | 17

[Intel-gfx] [PATCH v2] drm: avoid races with modesetting rights

by: Daniel Vetter Signed-off-by: Desmond Cheong Zhi Xi --- Hi, I opted to leave the drm_master_unlock_and_flush helper out of this patch, but happy to add it in if it'd be useful. Imo, when comparing it with a mutex_unlock followed by drm_master_flush, it didn't add clarity. And since we d

Re: [Intel-gfx] [PATCH v2] drm: avoid races with modesetting rights

git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch] url: https://github.com/0day-ci/linux/commits/Desmond-Cheong-Zhi-Xi/drm-avoid-races-with-modesetting-rights/20210815-2

Re: [Intel-gfx] [PATCH v2] drm: avoid races with modesetting rights

, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch] url: https://github.com/0day-ci/linux/commits/Desmond-Cheong-Zhi-Xi/drm-avoid-races-with-modesetting-rights/20210815-2

Re: [Intel-gfx] [PATCH 1/2] drm: avoid races with modesetting rights

On 13/8/21 11:49 pm, Daniel Vetter wrote: On Fri, Aug 13, 2021 at 04:54:49PM +0800, Desmond Cheong Zhi Xi wrote: In drm_client_modeset.c and drm_fb_helper.c, drm_master_internal_{acquire,release} are used to avoid races with DRM userspace. These functions hold onto drm_device.master_mutex while

Re: [Intel-gfx] [PATCH v2] drm: avoid races with modesetting rights

On 16/8/21 5:04 pm, Daniel Vetter wrote: On Mon, Aug 16, 2021 at 10:53 AM Desmond Cheong Zhi Xi wrote: On 16/8/21 2:47 am, kernel test robot wrote: Hi Desmond, Thank you for the patch! Yet something to improve: [auto build test ERROR on next-20210813] [also build test ERROR on v5.14-rc5

Re: [Intel-gfx] [PATCH v2] drm: avoid races with modesetting rights

On 16/8/21 9:59 pm, Daniel Vetter wrote: On Mon, Aug 16, 2021 at 12:31 PM Desmond Cheong Zhi Xi wrote: On 16/8/21 5:04 pm, Daniel Vetter wrote: On Mon, Aug 16, 2021 at 10:53 AM Desmond Cheong Zhi Xi wrote: On 16/8/21 2:47 am, kernel test robot wrote: Hi Desmond, Thank you for the patch

[Intel-gfx] [PATCH v3 3/9] drm: check for null master in drm_is_current_master_locked

is non-NULl to guard against this scenario. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c index 8c0e0dba1611..f9267b21556e 100644 --- a/drivers/gpu/

[Intel-gfx] [PATCH v3 1/9] drm: move master_lookup_lock into drm_device

drm_device allows us to use it for structures that are accessed by multiple drm_files, such as drm_master.magic_map. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c | 18 +- drivers/gpu/drm/drm_drv.c | 1 + drivers/gpu/drm/drm_file.c | 1 - include/drm

[Intel-gfx] [PATCH v3 0/9] drm, kernel: update locking for DRM

nt drm_master_flush with task_work so that flushes can be queued to run before returning to userspace without creating a new DRM_MASTER_FLUSH ioctl flag. Best wishes, Desmond Desmond Cheong Zhi Xi (9): drm: move master_lookup_lock into drm_device drm: hold master_lookup_lock when releasing a drm_file&#

[Intel-gfx] [PATCH v3 5/9] drm: protect magic_map, unique{_len} with master_lookup_lock

serialize access to drm_master.magic_map and drm_master.unique{_len} using drm_device.master_lookup_lock which is an inner lock. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c | 12 +++- drivers/gpu/drm/drm_ioctl.c | 10 ++ include/drm/drm_auth.h | 6

[Intel-gfx] [PATCH v3 7/9] drm: update global mutex lock in the ioctl handler

At the same time, we update the check for the global mutex to use the drm_dev_needs_global_mutex helper function. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_ioctl.c | 18 +- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/drivers/gpu/drm/drm_ioctl.

[Intel-gfx] [PATCH v3 8/9] kernel: export task_work_add

: ERROR: modpost: "task_work_add" [drivers/gpu/drm/drm.ko] undefined! Reported-by: kernel test robot Signed-off-by: Desmond Cheong Zhi Xi --- kernel/task_work.c | 1 + 1 file changed, 1 insertion(+) diff --git a/kernel/task_work.c b/kernel/task_work.c index 1698fbe6f0e1..9404af2b 10

[Intel-gfx] [PATCH v3 4/9] drm: fix potential null ptr dereferences in drm_{auth, ioctl}

cking if the master pointers are NULL before use. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c | 16 ++-- drivers/gpu/drm/drm_ioctl.c | 5 + 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_

[Intel-gfx] [PATCH v3 9/9] drm: avoid races with modesetting rights

sem: users that perform modesetting should hold a read lock on the new drm_device.master_rwsem, and users that change these permissions should either hold a write lock, or should flush readers before returning to userspace. Reported-by: Daniel Vetter Signed-off-by: Desmond Cheong Zhi Xi --- drive

[Intel-gfx] [PATCH v3 2/9] drm: hold master_lookup_lock when releasing a drm_file's master

When drm_file.master changes value, the corresponding drm_device.master_lookup_lock should be held. In drm_master_release, a call to drm_master_put sets the file_priv->master to NULL, so we protect this section with drm_device.master_lookup_lock. Signed-off-by: Desmond Cheong Zhi

[Intel-gfx] [PATCH v3 6/9] drm: convert drm_device.master_mutex into a rwsem

. Hence, convert master_mutex into a rwsem to enable concurrent readers. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c| 27 ++- drivers/gpu/drm/drm_debugfs.c | 4 ++-- drivers/gpu/drm/drm_drv.c | 3 +-- drivers/gpu/drm/drm_ioctl.c | 4

Re: [Intel-gfx] [PATCH v3 2/9] drm: hold master_lookup_lock when releasing a drm_file's master

On 18/8/21 6:05 pm, Daniel Vetter wrote: On Wed, Aug 18, 2021 at 03:38:17PM +0800, Desmond Cheong Zhi Xi wrote: When drm_file.master changes value, the corresponding drm_device.master_lookup_lock should be held. In drm_master_release, a call to drm_master_put sets the file_priv->master to N

Re: [Intel-gfx] [PATCH v3 4/9] drm: fix potential null ptr dereferences in drm_{auth, ioctl}

On 18/8/21 6:11 pm, Daniel Vetter wrote: On Wed, Aug 18, 2021 at 03:38:19PM +0800, Desmond Cheong Zhi Xi wrote: There are three areas where we dereference struct drm_master without checking if the pointer is non-NULL. 1. drm_getmagic is called from the ioctl_handler. Since DRM_IOCTL_GET_MAGIC

Re: [Intel-gfx] [PATCH v3 4/9] drm: fix potential null ptr dereferences in drm_{auth, ioctl}

On 19/8/21 12:33 am, Daniel Vetter wrote: On Wed, Aug 18, 2021 at 5:37 PM Desmond Cheong Zhi Xi wrote: On 18/8/21 6:11 pm, Daniel Vetter wrote: On Wed, Aug 18, 2021 at 03:38:19PM +0800, Desmond Cheong Zhi Xi wrote: There are three areas where we dereference struct drm_master without

Re: [Intel-gfx] [PATCH v3 8/9] kernel: export task_work_add

On 19/8/21 5:26 pm, Christoph Hellwig wrote: On Wed, Aug 18, 2021 at 03:38:23PM +0800, Desmond Cheong Zhi Xi wrote: +EXPORT_SYMBOL(task_work_add); EXPORT_SYMBOL_GPL for this kinds of functionality, please. Thanks, I wasn't aware of the GPL-only export. I'll update this in a fut

Re: [Intel-gfx] [PATCH v3 7/9] drm: update global mutex lock in the ioctl handler

On 18/8/21 7:02 pm, Daniel Vetter wrote: On Wed, Aug 18, 2021 at 03:38:22PM +0800, Desmond Cheong Zhi Xi wrote: In a future patch, a read lock on drm_device.master_rwsem is held in the ioctl handler before the check for ioctl permissions. However, this produces the following lockdep splat

[Intel-gfx] [PATCH v4 0/5] drm: update locking for modesetting

reating a new DRM_MASTER_FLUSH ioctl flag. Best wishes, Desmond Desmond Cheong Zhi Xi (5): drm: fix null ptr dereference in drm_master_release drm: convert drm_device.master_mutex into a rwsem drm: lock drm_global_mutex earlier in the ioctl handler drm: avoid races with modesetting rig

[Intel-gfx] [PATCH v4 1/5] drm: fix null ptr dereference in drm_master_release

s set up in drm_open_helper through the call to drm_master_open, so we mirror it with a call to drm_master_release in drm_close_helper, and remove drm_master_release from drm_file_free to avoid the null ptr dereference. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_file.c | 6 +

[Intel-gfx] [PATCH v4 2/5] drm: convert drm_device.master_mutex into a rwsem

, convert master_mutex into a rwsem to enable concurrent readers. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c| 35 ++- drivers/gpu/drm/drm_debugfs.c | 4 ++-- drivers/gpu/drm/drm_drv.c | 3 +-- drivers/gpu/drm/drm_ioctl.c | 10

[Intel-gfx] [PATCH v4 3/5] drm: lock drm_global_mutex earlier in the ioctl handler

ctl permissions. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_ioctl.c | 18 +- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c index d25713b09b80..158629d88319 100644 --- a/drivers/gpu/

[Intel-gfx] [PATCH v4 4/5] drm: avoid races with modesetting rights

ned-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c | 4 drivers/gpu/drm/drm_ioctl.c | 20 +++- drivers/gpu/drm/drm_lease.c | 35 --- include/drm/drm_device.h| 5 + 4 files changed, 48 insertions(+), 16 deletions(-) di

[Intel-gfx] [PATCH v4 5/5] drm: remove drm_file.master_lookup_lock

ter_rwsem while holding onto mode_config.idr_mutex), then remove master_lookup_lock. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c| 19 ++-- drivers/gpu/drm/drm_file.c| 1 - drivers/gpu/drm/drm_internal.h| 1 + drivers/gpu/drm/drm_ioctl.c

[Intel-gfx] [PATCH v5 0/6] drm: update locking for modesetting

ers. - Implement drm_master_flush with task_work so that flushes can be queued to run before returning to userspace without creating a new DRM_MASTER_FLUSH ioctl flag. Best wishes, Desmond Desmond Cheong Zhi Xi (6): drm: fix null ptr dereference in drm_master_release drm: convert drm_device.mas

[Intel-gfx] [PATCH v5 1/6] drm: fix null ptr dereference in drm_master_release

s set up in drm_open_helper through the call to drm_master_open, so we mirror it with a call to drm_master_release in drm_close_helper, and remove drm_master_release from drm_file_free to avoid the null ptr dereference. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_file.c | 6 +

[Intel-gfx] [PATCH v5 2/6] drm: convert drm_device.master_mutex into a rwsem

, convert master_mutex into a rwsem to enable concurrent readers. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c| 35 ++- drivers/gpu/drm/drm_debugfs.c | 4 ++-- drivers/gpu/drm/drm_drv.c | 3 +-- drivers/gpu/drm/drm_ioctl.c | 10

[Intel-gfx] [PATCH v5 3/6] drm: lock drm_global_mutex earlier in the ioctl handler

ctl permissions. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_ioctl.c | 18 +- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c index d25713b09b80..158629d88319 100644 --- a/drivers/gpu/

[Intel-gfx] [PATCH v5 4/6] drm: avoid races with modesetting rights

ned-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c | 4 drivers/gpu/drm/drm_ioctl.c | 20 +++- drivers/gpu/drm/drm_lease.c | 35 --- include/drm/drm_device.h| 5 + 4 files changed, 48 insertions(+), 16 deletions(-) di

[Intel-gfx] [PATCH v5 5/6] drm: avoid circular locks with modeset_mutex and master_rwsem

Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_atomic_uapi.c | 4 +++- drivers/gpu/drm/drm_auth.c| 3 +++ drivers/gpu/drm/drm_encoder.c | 7 ++- drivers/gpu/drm/drm_framebuffer.c | 2 +- drivers/gpu/drm/drm_lease.c | 34 --- drivers

[Intel-gfx] [PATCH v5 6/6] drm: remove drm_file.master_lookup_lock

revious patch fixed other remaining inversions involving master_rwsem and modeset_mutex. Hence, we can take this opportunity to clean up the locking design by replacing master_lookup_lock with drm_device.master_rwsem. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gp

[Intel-gfx] [PATCH v6 0/7] drm: update locking for modesetting

o userspace without creating a new DRM_MASTER_FLUSH ioctl flag. Best wishes, Desmond Desmond Cheong Zhi Xi (7): drm: fix null ptr dereference in drm_master_release drm: convert drm_device.master_mutex into a rwsem drm: lock drm_global_mutex earlier in the ioctl handler drm: avoid races with

[Intel-gfx] [PATCH v6 1/7] drm: fix null ptr dereference in drm_master_release

s set up in drm_open_helper through the call to drm_master_open, so we mirror it with a call to drm_master_release in drm_close_helper, and remove drm_master_release from drm_file_free to avoid the null ptr dereference. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_file.c | 6 +

[Intel-gfx] [PATCH v6 2/7] drm: convert drm_device.master_mutex into a rwsem

, convert master_mutex into a rwsem to enable concurrent readers. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c| 35 ++- drivers/gpu/drm/drm_debugfs.c | 4 ++-- drivers/gpu/drm/drm_drv.c | 3 +-- drivers/gpu/drm/drm_ioctl.c | 10

[Intel-gfx] [PATCH v6 3/7] drm: lock drm_global_mutex earlier in the ioctl handler

ctl permissions. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_ioctl.c | 18 +- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c index d25713b09b80..158629d88319 100644 --- a/drivers/gpu/

[Intel-gfx] [PATCH v6 4/7] drm: avoid races with modesetting rights

ned-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c | 4 drivers/gpu/drm/drm_ioctl.c | 20 +++- drivers/gpu/drm/drm_lease.c | 35 --- include/drm/drm_device.h| 5 + 4 files changed, 48 insertions(+), 16 deletions(-) di

[Intel-gfx] [PATCH v6 5/7] drm: avoid circular locks in drm_mode_object_find

unlocked versions that call __drm_mode_object_find and drm_mode_object_find respectively. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_atomic_uapi.c| 7 +++--- drivers/gpu/drm/drm_color_mgmt.c | 2 +- drivers/gpu/drm/drm_crtc.c | 5 +++--

[Intel-gfx] [PATCH v6 6/7] drm: avoid circular locks with modeset_mutex and master_rwsem

chy. To fix this, we create a new drm_lease_held_master helper function that enables us to avoid calling drm_file_get_master after locking modeset_mutex. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c| 3 +++ drivers/gpu/drm/drm_encoder.c | 7 ++- drivers/gpu/

[Intel-gfx] [PATCH v6 7/7] drm: remove drm_file.master_lookup_lock

take this opportunity to clean up the locking design by replacing master_lookup_lock with drm_device.master_rwsem. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c | 19 +++ drivers/gpu/drm/drm_file.c | 1 - drivers/gpu/drm/drm_internal.h | 1 + dr

[Intel-gfx] [PATCH v7 0/7] drm: update locking for modesetting

ace without creating a new DRM_MASTER_FLUSH ioctl flag. Best wishes, Desmond Desmond Cheong Zhi Xi (7): drm: fix null ptr dereference in drm_master_release drm: convert drm_device.master_mutex into a rwsem drm: lock drm_global_mutex earlier in the ioctl handler drm: avoid races with modes

[Intel-gfx] [PATCH v7 1/7] drm: fix null ptr dereference in drm_master_release

s set up in drm_open_helper through the call to drm_master_open, so we mirror it with a call to drm_master_release in drm_close_helper, and remove drm_master_release from drm_file_free to avoid the null ptr dereference. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_file.c | 6 +

[Intel-gfx] [PATCH v7 2/7] drm: convert drm_device.master_mutex into a rwsem

, convert master_mutex into a rwsem to enable concurrent readers. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c| 35 ++- drivers/gpu/drm/drm_debugfs.c | 4 ++-- drivers/gpu/drm/drm_drv.c | 3 +-- drivers/gpu/drm/drm_ioctl.c | 10

[Intel-gfx] [PATCH v7 3/7] drm: lock drm_global_mutex earlier in the ioctl handler

ctl permissions. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_ioctl.c | 18 +- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c index d25713b09b80..158629d88319 100644 --- a/drivers/gpu/

[Intel-gfx] [PATCH v7 4/7] drm: avoid races with modesetting rights

ned-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c | 4 drivers/gpu/drm/drm_ioctl.c | 20 +++- drivers/gpu/drm/drm_lease.c | 35 --- include/drm/drm_device.h| 5 + 4 files changed, 48 insertions(+), 16 deletions(-) di

[Intel-gfx] [PATCH v7 5/7] drm: avoid circular locks in drm_mode_object_find

unlocked versions that call __drm_mode_object_find and drm_mode_object_find respectively. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_atomic_uapi.c| 7 ++--- drivers/gpu/drm/drm_color_mgmt.c | 2 +- drivers/gpu/drm/drm_crtc.c | 5 ++-- dri

[Intel-gfx] [PATCH v7 6/7] drm: avoid circular locks with modeset_mutex and master_rwsem

chy. To fix this, we create a new drm_lease_held_master helper function that enables us to avoid calling drm_file_get_master after locking modeset_mutex. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c| 3 +++ drivers/gpu/drm/drm_encoder.c | 7 ++- drivers/gpu/

[Intel-gfx] [PATCH v7 7/7] drm: remove drm_file.master_lookup_lock

take this opportunity to clean up the locking design by replacing master_lookup_lock with drm_device.master_rwsem. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c | 19 +++ drivers/gpu/drm/drm_file.c | 1 - drivers/gpu/drm/drm_internal.h | 1 + dr

[Intel-gfx] [PATCH v8 0/7] drm: update locking for modesetting

rk so that flushes can be queued to run before returning to userspace without creating a new DRM_MASTER_FLUSH ioctl flag. Best wishes, Desmond Desmond Cheong Zhi Xi (7): drm: fix null ptr dereference in drm_master_release drm: convert drm_device.master_mutex into a rwsem drm: lock drm_global_m

[Intel-gfx] [PATCH v8 1/7] drm: fix null ptr dereference in drm_master_release

s set up in drm_open_helper through the call to drm_master_open, so we mirror it with a call to drm_master_release in drm_close_helper, and remove drm_master_release from drm_file_free to avoid the null ptr dereference. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_file.c | 6 +

[Intel-gfx] [PATCH v8 2/7] drm: convert drm_device.master_mutex into a rwsem

, convert master_mutex into a rwsem to enable concurrent readers. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c| 35 ++- drivers/gpu/drm/drm_debugfs.c | 4 ++-- drivers/gpu/drm/drm_drv.c | 3 +-- drivers/gpu/drm/drm_ioctl.c | 10

[Intel-gfx] [PATCH v8 3/7] drm: lock drm_global_mutex earlier in the ioctl handler

ctl permissions. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_ioctl.c | 18 +- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c index d25713b09b80..158629d88319 100644 --- a/drivers/gpu/

[Intel-gfx] [PATCH v8 4/7] drm: avoid races with modesetting rights

ned-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c | 4 drivers/gpu/drm/drm_ioctl.c | 20 +++- drivers/gpu/drm/drm_lease.c | 35 --- include/drm/drm_device.h| 5 + 4 files changed, 48 insertions(+), 16 deletions(-) di

[Intel-gfx] [PATCH v8 5/7] drm: avoid circular locks in drm_mode_object_find

unlocked versions that call __drm_mode_object_find and drm_mode_object_find respectively. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_atomic_uapi.c| 7 ++--- drivers/gpu/drm/drm_color_mgmt.c | 2 +- drivers/gpu/drm/drm_crtc.c | 5 ++-- dri

[Intel-gfx] [PATCH v8 6/7] drm: avoid circular locks in drm_lease_held

inversion of the master_rwsem --> modeset_mutex lock hierarchy. To fix this, we create a new drm_lease_held_master helper function that enables us to avoid calling drm_file_get_master after locking master_rwsem or modeset_mutex. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_aut

[Intel-gfx] [PATCH v8 7/7] drm: remove drm_file.master_lookup_lock

take this opportunity to clean up the locking design by replacing master_lookup_lock with drm_device.master_rwsem. Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c | 19 +++ drivers/gpu/drm/drm_file.c | 1 - drivers/gpu/drm/drm_internal.h | 1 + dr

Re: [Intel-gfx] [PATCH v8 1/7] drm: fix null ptr dereference in drm_master_release

On 26/8/21 5:53 pm, Daniel Vetter wrote: On Thu, Aug 26, 2021 at 10:01:16AM +0800, Desmond Cheong Zhi Xi wrote: drm_master_release can be called on a drm_file without a master, which results in a null ptr dereference of file_priv->master->magic_map. The three cases are: 1. Error p

Re: [Intel-gfx] [PATCH v8 3/7] drm: lock drm_global_mutex earlier in the ioctl handler

On 26/8/21 5:58 pm, Daniel Vetter wrote: On Thu, Aug 26, 2021 at 10:01:18AM +0800, Desmond Cheong Zhi Xi wrote: In a future patch, a read lock on drm_device.master_rwsem is held in the ioctl handler before the check for ioctl permissions. However, this inverts the lock hierarchy of

Re: [Intel-gfx] [PATCH v8 4/7] drm: avoid races with modesetting rights

On 26/8/21 8:59 pm, Daniel Vetter wrote: On Thu, Aug 26, 2021 at 10:01:19AM +0800, Desmond Cheong Zhi Xi wrote: In drm_client_modeset.c and drm_fb_helper.c, drm_master_internal_{acquire,release} are used to avoid races with DRM userspace. These functions hold onto drm_device.master_rwsem while

Re: [Intel-gfx] [PATCH v8 7/7] drm: remove drm_file.master_lookup_lock

On 26/8/21 9:21 pm, Daniel Vetter wrote: On Thu, Aug 26, 2021 at 10:01:22AM +0800, Desmond Cheong Zhi Xi wrote: Previously, master_lookup_lock was introduced in commit 0b0860a3cf5e ("drm: serialize drm_file.master with a new spinlock") to serialize accesses to drm_file.master. This th

[Intel-gfx] [PATCH v9 0/4] drm: update locking for modesetting

nise readers and writers. - Implement drm_master_flush with task_work so that flushes can be queued to run before returning to userspace without creating a new DRM_MASTER_FLUSH ioctl flag. Best wishes, Desmond Desmond Cheong Zhi Xi (4): drm: fix null ptr dereference in drm_maste

[Intel-gfx] [PATCH v9 1/4] drm: fix null ptr dereference in drm_master_release

s set up in drm_open_helper through the call to drm_master_open, so we mirror it with a call to drm_master_release in drm_close_helper, and remove drm_master_release from drm_file_free to avoid the null ptr dereference. Fixes: 7eeaeb90a6a5 ("drm/file: Don't set master on in-kernel clien

[Intel-gfx] [PATCH v9 2/4] drm: convert drm_device.master_mutex into a rwsem

, convert master_mutex into a rwsem to enable concurrent readers. Signed-off-by: Desmond Cheong Zhi Xi Reviewed-by: Daniel Vetter --- drivers/gpu/drm/drm_auth.c| 35 ++- drivers/gpu/drm/drm_debugfs.c | 4 ++-- drivers/gpu/drm/drm_drv.c | 3 +-- drivers/gpu

[Intel-gfx] [PATCH v9 3/4] drm: lock drm_global_mutex earlier in the ioctl handler

ctl permissions. Signed-off-by: Desmond Cheong Zhi Xi Reviewed-by: Daniel Vetter --- drivers/gpu/drm/drm_ioctl.c | 21 - 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c index d25713b09b80..59c5aa850

[Intel-gfx] [PATCH v9 4/4] drm: avoid races with modesetting rights

ned-off-by: Desmond Cheong Zhi Xi Reviewed-by: Daniel Vetter --- drivers/gpu/drm/drm_auth.c | 4 drivers/gpu/drm/drm_ioctl.c | 20 +++- drivers/gpu/drm/drm_lease.c | 35 --- include/drm/drm_device.h| 6 ++ 4 files changed, 49 inserti

[Intel-gfx] [PATCH v10 0/4] drm: update locking for modesetting

ting a new DRM_MASTER_FLUSH ioctl flag. Best wishes, Desmond Desmond Cheong Zhi Xi (4): drm: fix null ptr dereference in drm_master_release drm: convert drm_device.master_mutex into a rwsem drm: lock drm_global_mutex earlier in the ioctl handler drm: avoid races with modesetting rights

[Intel-gfx] [PATCH v10 1/4] drm: fix null ptr dereference in drm_master_release

s set up in drm_open_helper through the call to drm_master_open, so we mirror it with a call to drm_master_release in drm_close_helper, and remove drm_master_release from drm_file_free to avoid the null ptr dereference. Fixes: 7eeaeb90a6a5 ("drm/file: Don't set master on in-kernel clien

[Intel-gfx] [PATCH v10 2/4] drm: convert drm_device.master_mutex into a rwsem

, convert master_mutex into a rwsem to enable concurrent readers. Signed-off-by: Desmond Cheong Zhi Xi Reviewed-by: Daniel Vetter --- drivers/gpu/drm/drm_auth.c| 35 ++- drivers/gpu/drm/drm_debugfs.c | 4 ++-- drivers/gpu/drm/drm_drv.c | 3 +-- drivers/gpu

[Intel-gfx] [PATCH v10 3/4] drm: lock drm_global_mutex earlier in the ioctl handler

ctl permissions. Signed-off-by: Desmond Cheong Zhi Xi Reviewed-by: Daniel Vetter --- drivers/gpu/drm/drm_ioctl.c | 21 - 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c index 9fc00e36c5d6..fe9c4c026

[Intel-gfx] [PATCH v10 4/4] drm: avoid races with modesetting rights

ned-off-by: Desmond Cheong Zhi Xi Reviewed-by: Daniel Vetter --- drivers/gpu/drm/drm_auth.c | 4 drivers/gpu/drm/drm_ioctl.c | 20 +++- drivers/gpu/drm/drm_lease.c | 35 --- include/drm/drm_device.h| 6 ++ 4 files changed, 49 inserti

Re: [Intel-gfx] [PATCH v10 0/4] drm: update locking for modesetting

On 31/8/21 3:24 am, Desmond Cheong Zhi Xi wrote: Sorry for the noise, rebasing on top of drm-misc-next. Please ignore the v9 series. Hi, I updated the patch set with some suggestions by Daniel Vetter, and dropped the patches after patch 4 so that we can stick the landing for avoiding races

Re: [Intel-gfx] [PATCH] Revert "drm: add a locked version of drm_is_current_master"

On 23/6/21 4:14 pm, Daniel Vetter wrote: On Wed, Jun 23, 2021 at 10:09 AM Desmond Cheong Zhi Xi wrote: On 22/6/21 3:54 pm, Daniel Vetter wrote: This reverts commit 1815d9c86e3090477fbde066ff314a7e9721ee0f. Unfortunately this inverts the locking hierarchy, so back to the drawing board. Full

Re: [Intel-gfx] [PATCH] Revert "drm: add a locked version of drm_is_current_master"

_lock_acquire+0x151e/0x2590 lock_acquire+0xd1/0x3d0 __mutex_lock+0xab/0x970 drm_is_current_master+0x1b/0x40 drm_mode_getconnector+0x37e/0x4a0 drm_ioctl_kernel+0xa8/0xf0 drm_ioctl+0x1e8/0x390 __x64_sys_ioctl+0x6a/0xa0 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae daniel@phenom:~/linux/

Re: [Intel-gfx] [PATCH v4 1/2] drm: add a locked version of drm_is_current_master

On 23/6/21 7:37 pm, Desmond Cheong Zhi Xi wrote: While checking the master status of the DRM file in drm_is_current_master(), the device's master mutex should be held. Without the mutex, the pointer fpriv->master may be freed concurrently by another process calling drm_setmaster_ioctl

[Intel-gfx] [PATCH v4 2/2] drm: protect drm_master pointers in drm_lease.c

put. 3. In each case where drm_file->master is directly accessed and eventually dereferenced in drm_lease.c, we wrap the access in a call to the new drm_file_get_master function, then unreference the master pointer once we are done using it. Reported-by: Daniel Vetter Signed-off-by: Desmond Che

[Intel-gfx] [PATCH v4 1/2] drm: add a locked version of drm_is_current_master

0xd1/0x3d0 __mutex_lock+0xab/0x970 drm_is_current_master+0x1b/0x40 drm_mode_getconnector+0x37e/0x4a0 drm_ioctl_kernel+0xa8/0xf0 drm_ioctl+0x1e8/0x390 __x64_sys_ioctl+0x6a/0xa0 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae Reported-by: Daniel Vetter Signed-off-by: Desmond Cheon

[Intel-gfx] [PATCH v4 0/2] drm: address potential UAF bugs with drm_master ptrs

t;master from being freed. As suggested by Daniel Vetter. Changes in v1 -> v2: - Patch 2: Move the lock and assignment before the DRM_DEBUG_LEASE in drm_mode_get_lease_ioctl, as suggested by Emil Velikov. Desmond Cheong Zhi Xi (2): drm: add a locked version of drm_is_current_master drm: p

[Intel-gfx] [PATCH v5 1/3] drm: avoid circular locks in drm_mode_getconnector

/0x970 drm_is_current_master+0x1b/0x40 drm_mode_getconnector+0x37e/0x4a0 drm_ioctl_kernel+0xa8/0xf0 drm_ioctl+0x1e8/0x390 __x64_sys_ioctl+0x6a/0xa0 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae Reported-by: Daniel Vetter Signed-off-by: Desmond Cheong Zhi Xi --- driver

[Intel-gfx] [PATCH v5 0/3] drm: address potential UAF bugs with drm_master ptrs

count, to prevent drm_file->master from being freed. As suggested by Daniel Vetter. Changes in v1 -> v2: - Patch 3: Move the lock and assignment before the DRM_DEBUG_LEASE in drm_mode_get_lease_ioctl, as suggested by Emil Velikov. Desmond Cheong Zhi Xi (3): drm: avoid circular locks in drm_

  1   2   >