Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.6.132 2024-01-01T12:42:25+00:00 2024-01-01T12:42:25+00:00 Lingkai Dong Lingkai.Dong@arm.com 2023-12-06T13:51:58+00:00 urn:sha1:c9b26d9e438e449a8ccf68ba3df9de741a7e689d [ Upstream commit 5a6c9a05e55cb2972396cc991af9d74c8c15029a ] The DRM subsystem keeps a record of the owner of a DRM device file descriptor using thread group ID (TGID) instead of process ID (PID), to ensures all threads within the same userspace process are considered the owner. However, the DRM master ownership check compares the current thread's PID against the record, so the thread is incorrectly considered to be not the FD owner if the PID is not equal to the TGID. This causes DRM ioctls to be denied master privileges, even if the same thread that opened the FD performs an ioctl. Fix this by checking TGID. Fixes: 4230cea89cafb ("drm: Track clients by tgid and not tid") Signed-off-by: Lingkai Dong <lingkai.dong@arm.com> Reviewed-by: Christian König <christian.koenig@amd.com> Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com> Cc: <stable@vger.kernel.org> # v6.4+ Link: https://patchwork.freedesktop.org/patch/msgid/PA6PR08MB107665920BE9A96658CDA04CE8884A@PA6PR08MB10766.eurprd08.prod.outlook.com Signed-off-by: Christian König <christian.koenig@amd.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-01-01T12:42:25+00:00 Tvrtko Ursulin tvrtko.ursulin@intel.com 2023-06-21T09:48:24+00:00 urn:sha1:031ddd28008971cce0b5626379b910d0a05fb4dd [ Upstream commit 1c7a387ffef894b1ab3942f0482dac7a6e0a909c ] With the typical model where the display server opens the file descriptor and then hands it over to the client(*), we were showing stale data in debugfs. Fix it by updating the drm_file->pid on ioctl access from a different process. The field is also made RCU protected to allow for lockless readers. Update side is protected with dev->filelist_mutex. Before: $ cat /sys/kernel/debug/dri/0/clients command pid dev master a uid magic Xorg 2344 0 y y 0 0 Xorg 2344 0 n y 0 2 Xorg 2344 0 n y 0 3 Xorg 2344 0 n y 0 4 After: $ cat /sys/kernel/debug/dri/0/clients command tgid dev master a uid magic Xorg 830 0 y y 0 0 xfce4-session 880 0 n y 0 1 xfwm4 943 0 n y 0 2 neverball 1095 0 n y 0 3 *) More detailed and historically accurate description of various handover implementation kindly provided by Emil Velikov: """ The traditional model, the server was the orchestrator managing the primary device node. From the fd, to the master status and authentication. But looking at the fd alone, this has varied across the years. IIRC in the DRI1 days, Xorg (libdrm really) would have a list of open fd(s) and reuse those whenever needed, DRI2 the client was responsible for open() themselves and with DRI3 the fd was passed to the client. Around the inception of DRI3 and systemd-logind, the latter became another possible orchestrator. Whereby Xorg and Wayland compositors could ask it for the fd. For various reasons (hysterical and genuine ones) Xorg has a fallback path going the open(), whereas Wayland compositors are moving to solely relying on logind... some never had fallback even. Over the past few years, more projects have emerged which provide functionality similar (be that on API level, Dbus, or otherwise) to systemd-logind. """ v2: * Fixed typo in commit text and added a fine historical explanation from Emil. Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com> Cc: "Christian König" <christian.koenig@amd.com> Cc: Daniel Vetter <daniel@ffwll.ch> Acked-by: Christian König <christian.koenig@amd.com> Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com> Reviewed-by: Rob Clark <robdclark@gmail.com> Tested-by: Rob Clark <robdclark@gmail.com> Link: https://patchwork.freedesktop.org/patch/msgid/20230621094824.2348732-1-tvrtko.ursulin@linux.intel.com Signed-off-by: Christian König <christian.koenig@amd.com> Stable-dep-of: 5a6c9a05e55c ("drm: Fix FD ownership check in drm_master_check_perm()") Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-07-28T14:35:55+00:00 Danilo Krummrich dakr@redhat.com 2022-07-01T18:52:57+00:00 urn:sha1:3a6acb7dd69f9d8960009ed1ceb77dc5e532391a idr_init_base(), implemented by commit 6ce711f27500 ("idr: Make 1-based IDRs more efficient"), let us set an arbitrary base other than idr_init(), which uses base 0. Since, for this IDR, no ID < 1 is ever requested/allocated, using idr_init_base(&idr, 1) avoids unnecessary tree walks. Signed-off-by: Danilo Krummrich <dakr@redhat.com> Signed-off-by: Maxime Ripard <maxime@cerno.tech> Link: https://lore.kernel.org/r/20220701185303.284082-5-dakr@redhat.com 2022-07-28T14:35:55+00:00 Danilo Krummrich dakr@redhat.com 2022-07-01T18:52:56+00:00 urn:sha1:a49afeb4165361819b92b7991b97457bac4c674c idr_init_base(), implemented by commit 6ce711f27500 ("idr: Make 1-based IDRs more efficient"), let us set an arbitrary base other than idr_init(), which uses base 0. Since, for this IDR, no ID < 1 is ever requested/allocated, using idr_init_base(&idr, 1) avoids unnecessary tree walks. Signed-off-by: Danilo Krummrich <dakr@redhat.com> Signed-off-by: Maxime Ripard <maxime@cerno.tech> Link: https://lore.kernel.org/r/20220701185303.284082-4-dakr@redhat.com 2021-11-26T15:45:22+00:00 Claudio Suarez cssk@net-c.es 2021-11-26T10:49:49+00:00 urn:sha1:6e22dc35837790a84fc040f08e5094b2d5d91477 DRM_DEBUG_* and DRM_* log calls are deprecated. Change them to drm_dbg_* / drm_{err,info,...} calls in drm core files. To avoid making a very big patch, this change is split in smaller patches. This one includes drm_a*.c Signed-off-by: Claudio Suarez <cssk@net-c.es> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/YaC7zXW119tlzfVh@gineta.localdomain 2021-08-05T10:08:15+00:00 Desmond Cheong Zhi Xi desmondcheongzx@gmail.com 2021-08-02T10:59:57+00:00 urn:sha1:649839d7cf978f08377ba6486c46683d09a3e05d In drm_is_current_master_locked, accessing drm_file.master should be protected by either drm_file.master_lookup_lock or drm_device.master_mutex. This was previously awkward to assert with lockdep. Following patch ("locking/lockdep: Provide lockdep_assert{,_once}() helpers"), this assertion is now convenient. So we add in the assertion and explain this lock design in the kerneldoc. Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com> Acked-by: Boqun Feng <boqun.feng@gmail.com> Acked-by: Waiman Long <longman@redhat.com> Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/20210802105957.77692-3-desmondcheongzx@gmail.com 2021-08-02T08:19:43+00:00 Cai Huoqing caihuoqing@baidu.com 2021-07-30T13:27:29+00:00 urn:sha1:0ae865ef92f1920bd2ca3fc7b6b5a9555b4641cc fix typo for drm v1->v2: respin with the change "iff ==> implies that" Signed-off-by: Cai Huoqing <caihuoqing@baidu.com> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/20210730132729.376-1-caihuoqing@baidu.com 2021-07-28T21:19:58+00:00 Desmond Cheong Zhi Xi desmondcheongzx@gmail.com 2021-07-24T11:18:22+00:00 urn:sha1:28be2405fb753927e18bc1a891617a430b2a0684 Inside drm_is_current_master, using the outer drm_device.master_mutex to protect reads of drm_file.master makes the function prone to creating lock hierarchy inversions. Instead, we can use the drm_file.master_lookup_lock that sits at the bottom of the lock hierarchy. Reported-by: Daniel Vetter <daniel.vetter@ffwll.ch> Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/20210724111824.59266-2-desmondcheongzx@gmail.com 2021-07-23T01:32:43+00:00 Dave Airlie airlied@redhat.com 2021-07-23T01:31:50+00:00 urn:sha1:8da49a33dda7294c1af508f8aa81cd638d0afd62 drm-misc-next for v5.15-rc1: UAPI Changes: - Remove sysfs stats for dma-buf attachments, as it causes a performance regression. Previous merge is not in a rc kernel yet, so no userspace regression possible. Cross-subsystem Changes: - Sanitize user input in kyro's viewport ioctl. - Use refcount_t in fb_info->count - Assorted fixes to dma-buf. - Extend x86 efifb handling to all archs. - Fix neofb divide by 0. - Document corpro,gm7123 bridge dt bindings. Core Changes: - Slightly rework drm master handling. - Cleanup vgaarb handling. - Assorted fixes. Driver Changes: - Add support for ws2401 panel. - Assorted fixes to stm, ast, bochs. - Demidlayer ingenic irq. Signed-off-by: Dave Airlie <airlied@redhat.com> From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/2d0d2fe8-01fc-e216-c3fd-38db9e69944e@linux.intel.com 2021-07-20T18:22:19+00:00 Desmond Cheong Zhi Xi desmondcheongzx@gmail.com 2021-07-12T04:35:08+00:00 urn:sha1:56f0729a510f92151682ff6c89f69724d5595d6e drm_file->master pointers should be protected by drm_device.master_mutex or drm_file.master_lookup_lock when being dereferenced. However, in drm_lease.c, there are multiple instances where drm_file->master is accessed and dereferenced while neither lock is held. This makes drm_lease.c vulnerable to use-after-free bugs. We address this issue in 2 ways: 1. Add a new drm_file_get_master() function that calls drm_master_get on drm_file->master while holding on to drm_file.master_lookup_lock. Since drm_master_get increments the reference count of master, this prevents master from being freed until we unreference it with drm_master_put. 2. In each case where drm_file->master is directly accessed and eventually dereferenced in drm_lease.c, we wrap the access in a call to the new drm_file_get_master function, then unreference the master pointer once we are done using it. Reported-by: Daniel Vetter <daniel.vetter@ffwll.ch> Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com> Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/20210712043508.11584-6-desmondcheongzx@gmail.com