

From 75adbb8cebfe17ace640e6bd89582c1d72196378 Mon Sep 17 00:00:00 2001
From: Jordan Crouse <jcrouse@codeaurora.org>
Date: Tue, 3 May 2016 14:11:03 -0600
Subject: msm: kgsl: Defer adding the mem entry to a process
If we add the mem entry pointer in the process mem_idr too early
other threads can do operations on the entry by guessing the ID
or GPU address before the object gets returned by the creating
operation.
Allocate an ID for the object but don't assign the pointer until
right before the creating function returns, ensuring that another
operation can't access the entry until it is fully initialised.
CRs-Fixed: 1002974
Change-Id: Ic0dedbadc0dd2125bd2a7bcc152972c0555e07f8
Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
---
drivers/gpu/msm/kgsl.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
index 738b2f4..8e68a88 100644
--- a/drivers/gpu/msm/kgsl.c
+++ b/drivers/gpu/msm/kgsl.c
@@ -388,6 +388,17 @@ kgsl_mem_entry_untrack_gpuaddr(struct kgsl_process_private *process,
kgsl_mmu_put_gpuaddr(pagetable, &entry->memdesc);
}
+/* Commit the entry to the process so it can be accessed by other operations */
+static void kgsl_mem_entry_commit_process(struct kgsl_mem_entry *entry)
+{
+ if (!entry)
+ return;
+
+ spin_lock(&entry->priv->mem_lock);
+ idr_replace(&entry->priv->mem_idr, entry, entry->id);
+ spin_unlock(&entry->priv->mem_lock);
+}
+
/**
* kgsl_mem_entry_attach_process - Attach a mem_entry to its owner process
* @entry: the memory entry
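Review bot: The return value of `idr_replace()` is dropped in `kgsl_mem_entry_commit_process`; it yields an `ERR_PTR` when `entry->id` is not an allocated slot, which is exactly the case where a caller forgot `kgsl_mem_entry_attach_process` or already detached, and silently continuing leaves the object unreachable. I would capture it, `void *old = idr_replace(&entry->priv->mem_idr, entry, entry->id);` followed by `WARN_ON(IS_ERR(old));` inside the lock, so a broken creator path is loud instead of invisible. The function also deserves a comment stating why it exists, since the `spin_unlock` here is the publication point that orders all earlier initialisation of the entry before `idr_find` under `mem_lock` can see it: `/* Publication point: after the unlock other threads can find the entry by id */`. The `if (!entry)` early return is presumably for creators whose error path passes a NULL entry; confirm no caller relies on it.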
@@ -418,7 +429,8 @@ kgsl_mem_entry_attach_process(struct kgsl_mem_entry *entry,
idr_preload(GFP_KERNEL);
spin_lock(&process->mem_lock);
- id = idr_alloc(&process->mem_idr, entry, 1, 0, GFP_NOWAIT);
+ /* Allocate the ID but don't attach the pointer just yet */
+ id = idr_alloc(&process->mem_idr, NULL, 1, 0, GFP_NOWAIT);
spin_unlock(&process->mem_lock);
idr_preload_end();
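Review bot: Storing NULL in the idr changes the contract of `kgsl_mem_entry_attach_process` — every creator must now call `kgsl_mem_entry_commit_process` or the entry is permanently invisible to `idr_find` — but the kerneldoc above the function is not updated to say so. I would add to that kerneldoc: `Note: the entry is not visible by id until kgsl_mem_entry_commit_process() is called; creators must commit after the entry is fully initialised.` The commit message also claims the entry could be reached by guessing the GPU address; only the id path is deferred in this hunk, so if the remainder of this function (outside the hunk) still inserts the memdesc into the process's gpuaddr lookup structure before commit, address-based lookups can still observe a half-built entry — worth confirming and either deferring that insertion too or narrowing the message. The body of `kgsl_mem_entry_attach_process` starts and ends outside the hunk.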
@@ -2317,6 +2329,7 @@ long kgsl_ioctl_gpuobj_import(struct kgsl_device_private *dev_priv,
trace_kgsl_mem_map(entry, fd);
+ kgsl_mem_entry_commit_process(entry);
return 0;
unmap:
@@ -2580,6 +2593,7 @@ long kgsl_ioctl_map_user_mem(struct kgsl_device_private *dev_priv,
trace_kgsl_mem_map(entry, param->fd);
+ kgsl_mem_entry_commit_process(entry);
return result;
error_attach:
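Review bot: The new `kgsl_mem_entry_commit_process(entry)` runs unconditionally before `return result;`, so it publishes the entry regardless of the value of `result`; `result` is assigned outside this hunk, and if any path reaches this point with a non-zero value the object would be reachable by id while the ioctl reports failure. If `result` is guaranteed to be 0 here, make that explicit so the ordering is not broken later, e.g. `/* result == 0 here; publish only after every field above is set */` directly above the commit call, or return `0` literally. Keep the commit as the last statement before the return, since any field written after it is a race against a concurrent lookup. The enclosing function `kgsl_ioctl_map_user_mem` starts and ends outside the hunk.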
@@ -2971,6 +2985,7 @@ static struct kgsl_mem_entry *gpumem_alloc_entry(
entry->memdesc.size);
trace_kgsl_mem_alloc(entry);
+ kgsl_mem_entry_commit_process(entry);
return entry;
err:
kfree(entry);
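Review bot: Once `kgsl_mem_entry_commit_process(entry)` has run, another thread can free the object by its id, yet `gpumem_alloc_entry` returns the raw `entry` pointer for its callers (outside this hunk) to read `entry->id`, `entry->memdesc.gpuaddr` and similar when filling the ioctl parameters; if the only reference at that point is the one owned by the process idr, a concurrent free-by-id can drop it to zero and free the entry under the caller — a use-after-free the deferred publication does not prevent. I would either take an extra reference before committing and have the callers put it after they are done with the pointer, or have the callers copy the fields they need before calling commit themselves. At minimum document the hazard on the helper: `/* After commit, entry may be freed by a concurrent free-by-id; callers must hold their own reference before dereferencing it */`. The `err:` cleanup below the hunk does `kfree(entry)` directly, which is fine only while the entry was never committed — also worth stating in that comment.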
--