From 0b0860a3cf5eccf183760b1177a1dcdb821b0b66 Mon Sep 17 00:00:00 2001

From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>

Date: Mon, 12 Jul 2021 12:35:07 +0800

Subject: [PATCH] drm: serialize drm_file.master with a new spinlock

Git-commit: 0b0860a3cf5eccf183760b1177a1dcdb821b0b66

Patch-mainline: v5.15-rc1

References: bsc#1197914

Currently, drm_file.master pointers should be protected by

drm_device.master_mutex when being dereferenced. This is because

drm_file.master is not invariant for the lifetime of drm_file. If

drm_file is not the creator of master, then drm_file.is_master is

false, and a call to drm_setmaster_ioctl will invoke

drm_new_set_master, which then allocates a new master for drm_file and

puts the old master.

Thus, without holding drm_device.master_mutex, the old value of

drm_file.master could be freed while it is being used by another

concurrent process.

However, it is not always possible to lock drm_device.master_mutex to

dereference drm_file.master. Through the fbdev emulation code, this

might occur in a deep nest of other locks. But drm_device.master_mutex

is also the outermost lock in the nesting hierarchy, so this leads to

potential deadlocks.

To address this, we introduce a new spin lock at the bottom of the

lock hierarchy that only serializes drm_file.master. With this change,

the value of drm_file.master changes only when both

drm_device.master_mutex and drm_file.master_lookup_lock are

held. Hence, any process holding either of those locks can ensure that

the value of drm_file.master will not change concurrently.

Since no lock depends on the new drm_file.master_lookup_lock, when

drm_file.master is dereferenced, but drm_device.master_mutex cannot be

held, we can safely protect the master pointer with

drm_file.master_lookup_lock.

Reported-by: Daniel Vetter <daniel.vetter@ffwll.ch>

Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>

Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>

Link: https://patchwork.freedesktop.org/patch/msgid/20210712043508.11584-5-desmondcheongzx@gmail.com

Acked-by: Takashi Iwai <tiwai@suse.de>

---

 drivers/gpu/drm/drm_auth.c |   17 +++++++++++------

 drivers/gpu/drm/drm_file.c |    1 +

 include/drm/drm_file.h     |   12 +++++++++---

 3 files changed, 21 insertions(+), 9 deletions(-)

--- a/drivers/gpu/drm/drm_auth.c

+++ b/drivers/gpu/drm/drm_auth.c

@@ -164,16 +164,18 @@ static void drm_set_master(struct drm_de

 static int drm_new_set_master(struct drm_device *dev, struct drm_file *fpriv)

 {

 	struct drm_master *old_master;

+	struct drm_master *new_master;

 	lockdep_assert_held_once(&dev->master_mutex);

 	WARN_ON(fpriv->is_master);

 	old_master = fpriv->master;

-	fpriv->master = drm_master_create(dev);

-	if (!fpriv->master) {

-		fpriv->master = old_master;

+	new_master = drm_master_create(dev);

+	if (!new_master)

 		return -ENOMEM;

-	}

+	spin_lock(&fpriv->master_lookup_lock);

+	fpriv->master = new_master;

+	spin_unlock(&fpriv->master_lookup_lock);

 	fpriv->is_master = 1;

 	fpriv->authenticated = 1;

@@ -331,10 +333,13 @@ int drm_master_open(struct drm_file *fil

 	/* if there is no current master make this fd it, but do not create

 	 * any master object for render clients */

 	mutex_lock(&dev->master_mutex);

-	if (!dev->master)

+	if (!dev->master) {

 		ret = drm_new_set_master(dev, file_priv);

-	else

+	} else {

+		spin_lock(&file_priv->master_lookup_lock);

 		file_priv->master = drm_master_get(dev->master);

+		spin_unlock(&file_priv->master_lookup_lock);

+	}

 	mutex_unlock(&dev->master_mutex);

 	return ret;

--- a/drivers/gpu/drm/drm_file.c

+++ b/drivers/gpu/drm/drm_file.c

@@ -177,6 +177,7 @@ struct drm_file *drm_file_alloc(struct d

 	init_waitqueue_head(&file->event_wait);

 	file->event_space = 4096; /* set aside 4k for event buffer */

+	spin_lock_init(&file->master_lookup_lock);

 	mutex_init(&file->event_read_lock);

 	if (drm_core_check_feature(dev, DRIVER_GEM))

--- a/include/drm/drm_file.h

+++ b/include/drm/drm_file.h

@@ -226,15 +226,21 @@ struct drm_file {

 	/**

 	 * @master:

 	 *

-	 * Master this node is currently associated with. Only relevant if

-	 * drm_is_primary_client() returns true. Note that this only

-	 * matches &drm_device.master if the master is the currently active one.

+	 * Master this node is currently associated with. Protected by struct

+	 * &drm_device.master_mutex, and serialized by @master_lookup_lock.

+	 *

+	 * Only relevant if drm_is_primary_client() returns true. Note that

+	 * this only matches &drm_device.master if the master is the currently

+	 * active one.

 	 *

 	 * See also @authentication and @is_master and the :ref:`section on

 	 * primary nodes and authentication <drm_primary_node>`.

 	 */

 	struct drm_master *master;

+	/** @master_lock: Serializes @master. */

+	spinlock_t master_lookup_lock;

+

 	/** @pid: Process that opened this file. */

 	struct pid *pid;