[PATCH OLK-5.10 15/15] drm/i915: Fix potential context UAFs

From: Rob Clark robdclark@chromium.org

mainline inclusion from mainline-v6.2-rc4 commit afce71ff6daa9c0f852df0727fe32c6fb107f0fa category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IALIQR CVE: CVE-2023-52913

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...

--------------------------------

gem_context_register() makes the context visible to userspace, and which point a separate thread can trigger the I915_GEM_CONTEXT_DESTROY ioctl. So we need to ensure that nothing uses the ctx ptr after this. And we need to ensure that adding the ctx to the xarray is the *last* thing that gem_context_register() does with the ctx pointer.

Signed-off-by: Rob Clark robdclark@chromium.org Fixes: eb4dedae920a ("drm/i915/gem: Delay tracking the GEM context until it is registered") Fixes: a4c1cdd34e2c ("drm/i915/gem: Delay context creation (v3)") Fixes: 49bd54b390c2 ("drm/i915: Track all user contexts per client") Cc: stable@vger.kernel.org # v5.10+ Reviewed-by: Tvrtko Ursulin tvrtko.ursulin@intel.com Reviewed-by: Andi Shyti andi.shyti@linux.intel.com [tursulin: Stable and fixes tags add/tidy.] Signed-off-by: Tvrtko Ursulin tvrtko.ursulin@intel.com Link: https://patchwork.freedesktop.org/patch/msgid/20230103234948.1218393-1-robdc... (cherry picked from commit bed4b455cf5374e68879be56971c1da563bcd90c) Signed-off-by: Rodrigo Vivi rodrigo.vivi@intel.com Conflicts: drivers/gpu/drm/i915/gem/i915_gem_context.c [Becasuse HULK-5.10 does not merge mainline patches, a4c1cdd34e2c ("drm/i915/gem: Delay context creation (v3)") and 49bd54b390c2 ("drm/i915: Track all user contexts per client")] Signed-off-by: Kaixiong Yu yukaixiong@huawei.com --- drivers/gpu/drm/i915/gem/i915_gem_context.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/i915/gem/i915_gem_context.c b/drivers/gpu/drm/i915/gem/i915_gem_context.c index 4fd38101bb56..69cb530fc144 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_context.c +++ b/drivers/gpu/drm/i915/gem/i915_gem_context.c @@ -935,15 +935,15 @@ static int gem_context_register(struct i915_gem_context *ctx, snprintf(ctx->name, sizeof(ctx->name), "%s[%d]", current->comm, pid_nr(ctx->pid));

+ spin_lock(&i915->gem.contexts.lock); + list_add_tail(&ctx->link, &i915->gem.contexts.list); + spin_unlock(&i915->gem.contexts.lock); + /* And finally expose ourselves to userspace via the idr */ ret = xa_alloc(&fpriv->context_xa, id, ctx, xa_limit_32b, GFP_KERNEL); if (ret) goto err_pid;

- spin_lock(&i915->gem.contexts.lock); - list_add_tail(&ctx->link, &i915->gem.contexts.list); - spin_unlock(&i915->gem.contexts.lock); - return 0;

err_pid: