[PATCH 3.12 058/119] drm/msm: fix use of copy_from_user() while holding spinlock
From: Jiri Slaby <hidden>
Date: 2016-09-29 10:28:47
Also in:
lkml
Subsystem:
drm driver for qualcomm display hardware, drm drivers, the rest · Maintainers:
Rob Clark, Dmitry Baryshkov, David Airlie, Simona Vetter, Linus Torvalds
From: Rob Clark <redacted> 3.12-stable review patch. If anyone has any objections, please let me know. =============== commit 89f82cbb0d5c0ab768c8d02914188aa2211cd2e3 upstream. Use instead __copy_from_user_inatomic() and fallback to slow-path where we drop and re-aquire the lock in case of fault. Reported-by: Vaishali Thakkar <redacted> Signed-off-by: Rob Clark <redacted> Signed-off-by: Jiri Slaby <redacted> --- drivers/gpu/drm/msm/msm_gem_submit.c | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
index 5281d4bc37f7..d0fc019be5df 100644
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c@@ -56,6 +56,14 @@ static struct msm_gem_submit *submit_create(struct drm_device *dev, return submit; } +static inline unsigned long __must_check +copy_from_user_inatomic(void *to, const void __user *from, unsigned long n) +{ + if (access_ok(VERIFY_READ, from, n)) + return __copy_from_user_inatomic(to, from, n); + return -EFAULT; +} + static int submit_lookup_objects(struct msm_gem_submit *submit, struct drm_msm_gem_submit *args, struct drm_file *file) {
@@ -63,6 +71,7 @@ static int submit_lookup_objects(struct msm_gem_submit *submit, int ret = 0; spin_lock(&file->table_lock); + pagefault_disable(); for (i = 0; i < args->nr_bos; i++) { struct drm_msm_gem_submit_bo submit_bo;
@@ -71,10 +80,15 @@ static int submit_lookup_objects(struct msm_gem_submit *submit, void __user *userptr = to_user_ptr(args->bos + (i * sizeof(submit_bo))); - ret = copy_from_user(&submit_bo, userptr, sizeof(submit_bo)); - if (ret) { - ret = -EFAULT; - goto out_unlock; + ret = copy_from_user_inatomic(&submit_bo, userptr, sizeof(submit_bo)); + if (unlikely(ret)) { + pagefault_enable(); + spin_unlock(&file->table_lock); + ret = copy_from_user(&submit_bo, userptr, sizeof(submit_bo)); + if (ret) + goto out; + spin_lock(&file->table_lock); + pagefault_disable(); } if (submit_bo.flags & BO_INVALID_FLAGS) {
@@ -114,9 +128,12 @@ static int submit_lookup_objects(struct msm_gem_submit *submit, } out_unlock: - submit->nr_bos = i; + pagefault_enable(); spin_unlock(&file->table_lock); +out: + submit->nr_bos = i; + return ret; }
--
2.10.0