From 28be2405fb753927e18bc1a891617a430b2a0684 Mon Sep 17 00:00:00 2001
From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Date: Sat, 24 Jul 2021 19:18:22 +0800
Subject: [PATCH] drm: use the lookup lock in drm_is_current_master
Git-commit: 28be2405fb753927e18bc1a891617a430b2a0684
Patch-mainline: v5.15-rc1
References: CVE-2022-1280 bsc#1197914
Inside drm_is_current_master, using the outer drm_device.master_mutex
to protect reads of drm_file.master makes the function prone to creating
lock hierarchy inversions. Instead, we can use the
drm_file.master_lookup_lock that sits at the bottom of the lock
hierarchy.
Reported-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20210724111824.59266-2-desmondcheongzx@gmail.com
Acked-by: Takashi Iwai <tiwai@suse.de>
---
drivers/gpu/drm/drm_auth.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/gpu/drm/drm_auth.c
+++ b/drivers/gpu/drm/drm_auth.c
@@ -63,8 +63,9 @@
static bool drm_is_current_master_locked(struct drm_file *fpriv)
{
- lockdep_assert_held_once(&fpriv->master->dev->master_mutex);
-
+ /* Either drm_device.master_mutex or drm_file.master_lookup_lock
+ * should be held here.
+ */
return fpriv->is_master && drm_lease_owner(fpriv->master) == fpriv->minor->dev->master;
}
@@ -82,9 +83,9 @@ bool drm_is_current_master(struct drm_fi
{
bool ret;
- mutex_lock(&fpriv->master->dev->master_mutex);
+ spin_lock(&fpriv->master_lookup_lock);
ret = drm_is_current_master_locked(fpriv);
- mutex_unlock(&fpriv->master->dev->master_mutex);
+ spin_unlock(&fpriv->master_lookup_lock);
return ret;
}