From: Oleksandr Andrushchenko oleksandr_andrushchenko@epam.com
When unplugging a hotpluggable DRM device we first unregister it with drm_dev_unregister and then set drm_device.unplugged flag which is used to mark device critical sections with drm_dev_enter()/ drm_dev_exit() preventing access to device resources that are not available after the device is gone. But drm_dev_unregister may lead to hotplug uevent(s) fired to user-space on card and/or connector removal, thus making it possible for user-space to try accessing a disconnected device.
Fix this by first making sure device is properly marked as disconnected and only then unregister it.
Fixes: bee330f3d672 ("drm: Use srcu to protect drm_device.unplugged")
Signed-off-by: Oleksandr Andrushchenko oleksandr_andrushchenko@epam.com Reported-by: Andrii Chepurnyi andrii_chepurnyi@epam.com Cc: "Noralf Trønnes" noralf@tronnes.org --- drivers/gpu/drm/drm_drv.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c index b553a6f2ff0e..7af748ed1c58 100644 --- a/drivers/gpu/drm/drm_drv.c +++ b/drivers/gpu/drm/drm_drv.c @@ -369,13 +369,6 @@ EXPORT_SYMBOL(drm_dev_exit); */ void drm_dev_unplug(struct drm_device *dev) { - drm_dev_unregister(dev); - - mutex_lock(&drm_global_mutex); - if (dev->open_count == 0) - drm_dev_put(dev); - mutex_unlock(&drm_global_mutex); - /* * After synchronizing any critical read section is guaranteed to see * the new value of ->unplugged, and any critical section which might @@ -384,6 +377,13 @@ void drm_dev_unplug(struct drm_device *dev) */ dev->unplugged = true; synchronize_srcu(&drm_unplug_srcu); + + drm_dev_unregister(dev); + + mutex_lock(&drm_global_mutex); + if (dev->open_count == 0) + drm_dev_put(dev); + mutex_unlock(&drm_global_mutex); } EXPORT_SYMBOL(drm_dev_unplug);
ping
On 05/22/2018 05:13 PM, Oleksandr Andrushchenko wrote:
From: Oleksandr Andrushchenko oleksandr_andrushchenko@epam.com
When unplugging a hotpluggable DRM device we first unregister it with drm_dev_unregister and then set drm_device.unplugged flag which is used to mark device critical sections with drm_dev_enter()/ drm_dev_exit() preventing access to device resources that are not available after the device is gone. But drm_dev_unregister may lead to hotplug uevent(s) fired to user-space on card and/or connector removal, thus making it possible for user-space to try accessing a disconnected device.
Fix this by first making sure device is properly marked as disconnected and only then unregister it.
Fixes: bee330f3d672 ("drm: Use srcu to protect drm_device.unplugged")
Signed-off-by: Oleksandr Andrushchenko oleksandr_andrushchenko@epam.com Reported-by: Andrii Chepurnyi andrii_chepurnyi@epam.com Cc: "Noralf Trønnes" noralf@tronnes.org
drivers/gpu/drm/drm_drv.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c index b553a6f2ff0e..7af748ed1c58 100644 --- a/drivers/gpu/drm/drm_drv.c +++ b/drivers/gpu/drm/drm_drv.c @@ -369,13 +369,6 @@ EXPORT_SYMBOL(drm_dev_exit); */ void drm_dev_unplug(struct drm_device *dev) {
- drm_dev_unregister(dev);
- mutex_lock(&drm_global_mutex);
- if (dev->open_count == 0)
drm_dev_put(dev);- mutex_unlock(&drm_global_mutex);
- /*
- After synchronizing any critical read section is guaranteed to see
- the new value of ->unplugged, and any critical section which might
@@ -384,6 +377,13 @@ void drm_dev_unplug(struct drm_device *dev) */ dev->unplugged = true; synchronize_srcu(&drm_unplug_srcu);
- drm_dev_unregister(dev);
- mutex_lock(&drm_global_mutex);
- if (dev->open_count == 0)
drm_dev_put(dev);- mutex_unlock(&drm_global_mutex); } EXPORT_SYMBOL(drm_dev_unplug);
On Tue, May 22, 2018 at 05:13:04PM +0300, Oleksandr Andrushchenko wrote:
From: Oleksandr Andrushchenko oleksandr_andrushchenko@epam.com
When unplugging a hotpluggable DRM device we first unregister it with drm_dev_unregister and then set drm_device.unplugged flag which is used to mark device critical sections with drm_dev_enter()/ drm_dev_exit() preventing access to device resources that are not available after the device is gone. But drm_dev_unregister may lead to hotplug uevent(s) fired to user-space on card and/or connector removal, thus making it possible for user-space to try accessing a disconnected device.
Fix this by first making sure device is properly marked as disconnected and only then unregister it.
Fixes: bee330f3d672 ("drm: Use srcu to protect drm_device.unplugged")
Signed-off-by: Oleksandr Andrushchenko oleksandr_andrushchenko@epam.com Reported-by: Andrii Chepurnyi andrii_chepurnyi@epam.com Cc: "Noralf Trønnes" noralf@tronnes.org
Nice catch.
Reviewed-by: Daniel Vetter daniel.vetter@ffwll.ch
I think you need to push this to drm-misc-next-fixes to make sure it's on the 4.17 train. -Daniel
drivers/gpu/drm/drm_drv.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c index b553a6f2ff0e..7af748ed1c58 100644 --- a/drivers/gpu/drm/drm_drv.c +++ b/drivers/gpu/drm/drm_drv.c @@ -369,13 +369,6 @@ EXPORT_SYMBOL(drm_dev_exit); */ void drm_dev_unplug(struct drm_device *dev) {
- drm_dev_unregister(dev);
- mutex_lock(&drm_global_mutex);
- if (dev->open_count == 0)
drm_dev_put(dev);- mutex_unlock(&drm_global_mutex);
- /*
- After synchronizing any critical read section is guaranteed to see
- the new value of ->unplugged, and any critical section which might
@@ -384,6 +377,13 @@ void drm_dev_unplug(struct drm_device *dev) */ dev->unplugged = true; synchronize_srcu(&drm_unplug_srcu);
- drm_dev_unregister(dev);
- mutex_lock(&drm_global_mutex);
- if (dev->open_count == 0)
drm_dev_put(dev);- mutex_unlock(&drm_global_mutex);
} EXPORT_SYMBOL(drm_dev_unplug);
-- 2.17.0
dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel
On 05/29/2018 10:02 AM, Daniel Vetter wrote:
On Tue, May 22, 2018 at 05:13:04PM +0300, Oleksandr Andrushchenko wrote:
From: Oleksandr Andrushchenko oleksandr_andrushchenko@epam.com
When unplugging a hotpluggable DRM device we first unregister it with drm_dev_unregister and then set drm_device.unplugged flag which is used to mark device critical sections with drm_dev_enter()/ drm_dev_exit() preventing access to device resources that are not available after the device is gone. But drm_dev_unregister may lead to hotplug uevent(s) fired to user-space on card and/or connector removal, thus making it possible for user-space to try accessing a disconnected device.
Fix this by first making sure device is properly marked as disconnected and only then unregister it.
Fixes: bee330f3d672 ("drm: Use srcu to protect drm_device.unplugged")
Signed-off-by: Oleksandr Andrushchenko oleksandr_andrushchenko@epam.com Reported-by: Andrii Chepurnyi andrii_chepurnyi@epam.com Cc: "Noralf Trønnes" noralf@tronnes.org
Nice catch.
Reviewed-by: Daniel Vetter daniel.vetter@ffwll.ch
I think you need to push this to drm-misc-next-fixes to make sure it's on the 4.17 train.
Sure, after I have r-b from Noralf
-Daniel
drivers/gpu/drm/drm_drv.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c index b553a6f2ff0e..7af748ed1c58 100644 --- a/drivers/gpu/drm/drm_drv.c +++ b/drivers/gpu/drm/drm_drv.c @@ -369,13 +369,6 @@ EXPORT_SYMBOL(drm_dev_exit); */ void drm_dev_unplug(struct drm_device *dev) {
- drm_dev_unregister(dev);
- mutex_lock(&drm_global_mutex);
- if (dev->open_count == 0)
drm_dev_put(dev);- mutex_unlock(&drm_global_mutex);
- /*
- After synchronizing any critical read section is guaranteed to see
- the new value of ->unplugged, and any critical section which might
@@ -384,6 +377,13 @@ void drm_dev_unplug(struct drm_device *dev) */ dev->unplugged = true; synchronize_srcu(&drm_unplug_srcu);
- drm_dev_unregister(dev);
- mutex_lock(&drm_global_mutex);
- if (dev->open_count == 0)
drm_dev_put(dev);- mutex_unlock(&drm_global_mutex); } EXPORT_SYMBOL(drm_dev_unplug);
-- 2.17.0
dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel
On Tue, May 29, 2018 at 10:09:57AM +0300, Oleksandr Andrushchenko wrote:
On 05/29/2018 10:02 AM, Daniel Vetter wrote:
On Tue, May 22, 2018 at 05:13:04PM +0300, Oleksandr Andrushchenko wrote:
From: Oleksandr Andrushchenko oleksandr_andrushchenko@epam.com
When unplugging a hotpluggable DRM device we first unregister it with drm_dev_unregister and then set drm_device.unplugged flag which is used to mark device critical sections with drm_dev_enter()/ drm_dev_exit() preventing access to device resources that are not available after the device is gone. But drm_dev_unregister may lead to hotplug uevent(s) fired to user-space on card and/or connector removal, thus making it possible for user-space to try accessing a disconnected device.
Fix this by first making sure device is properly marked as disconnected and only then unregister it.
Fixes: bee330f3d672 ("drm: Use srcu to protect drm_device.unplugged")
Signed-off-by: Oleksandr Andrushchenko oleksandr_andrushchenko@epam.com Reported-by: Andrii Chepurnyi andrii_chepurnyi@epam.com Cc: "Noralf Trønnes" noralf@tronnes.org
Nice catch.
Reviewed-by: Daniel Vetter daniel.vetter@ffwll.ch
I think you need to push this to drm-misc-next-fixes to make sure it's on the 4.17 train.
Sure, after I have r-b from Noralf
Noralf's occasionally occupied with other things and doesn't have time to look at patches. I think it's ok to just push after a few more days, even if he doesn't respond. Same holds for other people really. -Daniel
-Daniel
drivers/gpu/drm/drm_drv.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c index b553a6f2ff0e..7af748ed1c58 100644 --- a/drivers/gpu/drm/drm_drv.c +++ b/drivers/gpu/drm/drm_drv.c @@ -369,13 +369,6 @@ EXPORT_SYMBOL(drm_dev_exit); */ void drm_dev_unplug(struct drm_device *dev) {
- drm_dev_unregister(dev);
- mutex_lock(&drm_global_mutex);
- if (dev->open_count == 0)
drm_dev_put(dev);- mutex_unlock(&drm_global_mutex);
- /*
- After synchronizing any critical read section is guaranteed to see
- the new value of ->unplugged, and any critical section which might
@@ -384,6 +377,13 @@ void drm_dev_unplug(struct drm_device *dev) */ dev->unplugged = true; synchronize_srcu(&drm_unplug_srcu);
- drm_dev_unregister(dev);
- mutex_lock(&drm_global_mutex);
- if (dev->open_count == 0)
drm_dev_put(dev);- mutex_unlock(&drm_global_mutex); } EXPORT_SYMBOL(drm_dev_unplug);
-- 2.17.0
dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel
dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel
On 05/29/2018 10:49 AM, Daniel Vetter wrote:
On Tue, May 29, 2018 at 10:09:57AM +0300, Oleksandr Andrushchenko wrote:
On 05/29/2018 10:02 AM, Daniel Vetter wrote:
On Tue, May 22, 2018 at 05:13:04PM +0300, Oleksandr Andrushchenko wrote:
From: Oleksandr Andrushchenko oleksandr_andrushchenko@epam.com
When unplugging a hotpluggable DRM device we first unregister it with drm_dev_unregister and then set drm_device.unplugged flag which is used to mark device critical sections with drm_dev_enter()/ drm_dev_exit() preventing access to device resources that are not available after the device is gone. But drm_dev_unregister may lead to hotplug uevent(s) fired to user-space on card and/or connector removal, thus making it possible for user-space to try accessing a disconnected device.
Fix this by first making sure device is properly marked as disconnected and only then unregister it.
Fixes: bee330f3d672 ("drm: Use srcu to protect drm_device.unplugged")
Signed-off-by: Oleksandr Andrushchenko oleksandr_andrushchenko@epam.com Reported-by: Andrii Chepurnyi andrii_chepurnyi@epam.com Cc: "Noralf Trønnes" noralf@tronnes.org
Nice catch.
Reviewed-by: Daniel Vetter daniel.vetter@ffwll.ch
I think you need to push this to drm-misc-next-fixes to make sure it's on the 4.17 train.
Sure, after I have r-b from Noralf
Noralf's occasionally occupied with other things and doesn't have time to look at patches. I think it's ok to just push after a few more days, even if he doesn't respond. Same holds for other people really. -Daniel
Applied to drm-misc-next-fixes
-Daniel
drivers/gpu/drm/drm_drv.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c index b553a6f2ff0e..7af748ed1c58 100644 --- a/drivers/gpu/drm/drm_drv.c +++ b/drivers/gpu/drm/drm_drv.c @@ -369,13 +369,6 @@ EXPORT_SYMBOL(drm_dev_exit); */ void drm_dev_unplug(struct drm_device *dev) {
- drm_dev_unregister(dev);
- mutex_lock(&drm_global_mutex);
- if (dev->open_count == 0)
drm_dev_put(dev);- mutex_unlock(&drm_global_mutex);
- /*
- After synchronizing any critical read section is guaranteed to see
- the new value of ->unplugged, and any critical section which might
@@ -384,6 +377,13 @@ void drm_dev_unplug(struct drm_device *dev) */ dev->unplugged = true; synchronize_srcu(&drm_unplug_srcu);
- drm_dev_unregister(dev);
- mutex_lock(&drm_global_mutex);
- if (dev->open_count == 0)
drm_dev_put(dev);- mutex_unlock(&drm_global_mutex); } EXPORT_SYMBOL(drm_dev_unplug);
-- 2.17.0
dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel
dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel
dri-devel@lists.freedesktop.org
-
Daniel Vetter -
Oleksandr Andrushchenko