
[SRU,F,v2,2/7] drm/gem: fold drm_gem_object_put_unlocked and __drm_gem_object_put()

Message ID 20240308201150.25987-3-bethany.jamison@canonical.com
State New
Series CVE-2023-39198 | expand

Commit Message

Bethany Jamison March 8, 2024, 8:11 p.m. UTC
From: Emil Velikov <emil.velikov@collabora.com>

With earlier patch we removed the overhead so now we can lift the helper
into the header effectively folding it with __drm_object_put.

v2: drop struct_mutex references (Daniel)

Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
Acked-by: Sam Ravnborg <sam@ravnborg.org> (v1)
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20200515095118.2743122-11-emil.l.velikov@gmail.com
(backported from commit b5d250744cccfb40024de663ea1f4da04e6d959c)
[bjamison: context conflict in a function b5d deletes, Bionic/upstream
were functionally the same with Bionic having an additional validation
check, accepted incoming change to delete the function]
CVE-2023-39198
Signed-off-by: Bethany Jamison <bethany.jamison@canonical.com>
---
 drivers/gpu/drm/drm_gem.c                  | 30 ----------------------
 drivers/gpu/drm/i915/gem/i915_gem_object.h |  2 +-
 include/drm/drm_drv.h                      |  2 --
 include/drm/drm_gem.h                      | 16 +++---------
 4 files changed, 4 insertions(+), 46 deletions(-)

Comments

Andrei Gherzan March 11, 2024, 11:15 a.m. UTC | #1
On 24/03/08 02:11PM, Bethany Jamison wrote:
> From: Emil Velikov <emil.velikov@collabora.com>
> 
> With earlier patch we removed the overhead so now we can lift the helper
> into the header effectively folding it with __drm_object_put.
> 
> v2: drop struct_mutex references (Daniel)
> 
> Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
> Acked-by: Sam Ravnborg <sam@ravnborg.org> (v1)
> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
> Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
> Link: https://patchwork.freedesktop.org/patch/msgid/20200515095118.2743122-11-emil.l.velikov@gmail.com
> (backported from commit b5d250744cccfb40024de663ea1f4da04e6d959c)


There seemse to be a fix for this one in
https://lore.kernel.org/all/20200520142347.29060-1-chris@chris-wilson.co.uk/
This fix landed in 5.9.

See 0e799e840a07e9cd843149be6811fd895d20a5a0

> [bjamison: context conflict in a function b5d deletes, Bionic/upstream
> were functionally the same with Bionic having an additional validation
> check, accepted incoming change to delete the function]
> CVE-2023-39198
> Signed-off-by: Bethany Jamison <bethany.jamison@canonical.com>
> ---
>  drivers/gpu/drm/drm_gem.c                  | 30 ----------------------
>  drivers/gpu/drm/i915/gem/i915_gem_object.h |  2 +-
>  include/drm/drm_drv.h                      |  2 --
>  include/drm/drm_gem.h                      | 16 +++---------
>  4 files changed, 4 insertions(+), 46 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
> index d801598299b6..663dc2130b91 100644
> --- a/drivers/gpu/drm/drm_gem.c
> +++ b/drivers/gpu/drm/drm_gem.c
> @@ -972,36 +972,6 @@ drm_gem_object_free(struct kref *kref)
>  }
>  EXPORT_SYMBOL(drm_gem_object_free);
>  
> -/**
> - * drm_gem_object_put_unlocked - drop a GEM buffer object reference
> - * @obj: GEM buffer object
> - *
> - * This releases a reference to @obj. Callers must not hold the
> - * &drm_device.struct_mutex lock when calling this function.
> - *
> - * See also __drm_gem_object_put().
> - */
> -void
> -drm_gem_object_put_unlocked(struct drm_gem_object *obj)
> -{
> -	struct drm_device *dev;
> -
> -	if (!obj)
> -		return;
> -
> -	dev = obj->dev;
> -
> -	if (dev->driver->gem_free_object) {
> -		might_lock(&dev->struct_mutex);
> -		if (kref_put_mutex(&obj->refcount, drm_gem_object_free,
> -				&dev->struct_mutex))
> -			mutex_unlock(&dev->struct_mutex);
> -	} else {
> -		kref_put(&obj->refcount, drm_gem_object_free);
> -	}
> -}
> -EXPORT_SYMBOL(drm_gem_object_put_unlocked);
> -
>  /**
>   * drm_gem_object_put - release a GEM buffer object reference
>   * @obj: GEM buffer object
> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_object.h b/drivers/gpu/drm/i915/gem/i915_gem_object.h
> index 53172a4185da..49cdd66d4e73 100644
> --- a/drivers/gpu/drm/i915/gem/i915_gem_object.h
> +++ b/drivers/gpu/drm/i915/gem/i915_gem_object.h
> @@ -96,7 +96,7 @@ __attribute__((nonnull))
>  static inline void
>  i915_gem_object_put(struct drm_i915_gem_object *obj)
>  {
> -	__drm_gem_object_put(&obj->base);
> +	drm_gem_object_put_unlocked(&obj->base);
>  }
>  
>  #define assert_object_held(obj) dma_resv_assert_held((obj)->base.resv)
> diff --git a/include/drm/drm_drv.h b/include/drm/drm_drv.h
> index 8976afe48c1c..4c86a42cbfca 100644
> --- a/include/drm/drm_drv.h
> +++ b/include/drm/drm_drv.h
> @@ -505,8 +505,6 @@ struct drm_driver {
>  	 *
>  	 * This is deprecated and should not be used by new drivers. Use
>  	 * &drm_gem_object_funcs.free instead.
> -	 * Compared to @gem_free_object this is not encumbered with
> -	 * &drm_device.struct_mutex legacy locking schemes.
>  	 */
>  	void (*gem_free_object_unlocked) (struct drm_gem_object *obj);
>  
> diff --git a/include/drm/drm_gem.h b/include/drm/drm_gem.h
> index 6aaba14f5972..8a40315750e3 100644
> --- a/include/drm/drm_gem.h
> +++ b/include/drm/drm_gem.h
> @@ -350,27 +350,17 @@ static inline void drm_gem_object_get(struct drm_gem_object *obj)
>  }
>  
>  /**
> - * __drm_gem_object_put - raw function to release a GEM buffer object reference
> + * drm_gem_object_put_unlocked - drop a GEM buffer object reference
>   * @obj: GEM buffer object
>   *
> - * This function is meant to be used by drivers which are not encumbered with
> - * &drm_device.struct_mutex legacy locking and which are using the
> - * gem_free_object_unlocked callback. It avoids all the locking checks and
> - * locking overhead of drm_gem_object_put() and drm_gem_object_put_unlocked().
> - *
> - * Drivers should never call this directly in their code. Instead they should
> - * wrap it up into a ``driver_gem_object_put(struct driver_gem_object *obj)``
> - * wrapper function, and use that. Shared code should never call this, to
> - * avoid breaking drivers by accident which still depend upon
> - * &drm_device.struct_mutex locking.
> + * This releases a reference to @obj.
>   */
>  static inline void
> -__drm_gem_object_put(struct drm_gem_object *obj)
> +drm_gem_object_put_unlocked(struct drm_gem_object *obj)
>  {
>  	kref_put(&obj->refcount, drm_gem_object_free);
>  }
>  
> -void drm_gem_object_put_unlocked(struct drm_gem_object *obj);
>  void drm_gem_object_put(struct drm_gem_object *obj);
>  
>  int drm_gem_handle_create(struct drm_file *file_priv,
Stefan Bader March 12, 2024, 9:30 a.m. UTC | #2
On 08.03.24 21:11, Bethany Jamison wrote:
> From: Emil Velikov <emil.velikov@collabora.com>
> 
> With earlier patch we removed the overhead so now we can lift the helper
> into the header effectively folding it with __drm_object_put.
> 
> v2: drop struct_mutex references (Daniel)
> 
> Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
> Acked-by: Sam Ravnborg <sam@ravnborg.org> (v1)
> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
> Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
> Link: https://patchwork.freedesktop.org/patch/msgid/20200515095118.2743122-11-emil.l.velikov@gmail.com
> (backported from commit b5d250744cccfb40024de663ea1f4da04e6d959c)
> [bjamison: context conflict in a function b5d deletes, Bionic/upstream
> were functionally the same with Bionic having an additional validation
> check, accepted incoming change to delete the function]
> CVE-2023-39198
> Signed-off-by: Bethany Jamison <bethany.jamison@canonical.com>
> ---
>   drivers/gpu/drm/drm_gem.c                  | 30 ----------------------
>   drivers/gpu/drm/i915/gem/i915_gem_object.h |  2 +-
>   include/drm/drm_drv.h                      |  2 --
>   include/drm/drm_gem.h                      | 16 +++---------
>   4 files changed, 4 insertions(+), 46 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
> index d801598299b6..663dc2130b91 100644
> --- a/drivers/gpu/drm/drm_gem.c
> +++ b/drivers/gpu/drm/drm_gem.c
> @@ -972,36 +972,6 @@ drm_gem_object_free(struct kref *kref)
>   }
>   EXPORT_SYMBOL(drm_gem_object_free);
>   
> -/**
> - * drm_gem_object_put_unlocked - drop a GEM buffer object reference
> - * @obj: GEM buffer object
> - *
> - * This releases a reference to @obj. Callers must not hold the
> - * &drm_device.struct_mutex lock when calling this function.
> - *
> - * See also __drm_gem_object_put().
> - */
> -void
> -drm_gem_object_put_unlocked(struct drm_gem_object *obj)
> -{
> -	struct drm_device *dev;
> -
> -	if (!obj)
> -		return;
> -
> -	dev = obj->dev;
> -
> -	if (dev->driver->gem_free_object) {
> -		might_lock(&dev->struct_mutex);
> -		if (kref_put_mutex(&obj->refcount, drm_gem_object_free,
> -				&dev->struct_mutex))
> -			mutex_unlock(&dev->struct_mutex);
> -	} else {
> -		kref_put(&obj->refcount, drm_gem_object_free);
> -	}
> -}
> -EXPORT_SYMBOL(drm_gem_object_put_unlocked);
> -
>   /**
>    * drm_gem_object_put - release a GEM buffer object reference
>    * @obj: GEM buffer object
> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_object.h b/drivers/gpu/drm/i915/gem/i915_gem_object.h
> index 53172a4185da..49cdd66d4e73 100644
> --- a/drivers/gpu/drm/i915/gem/i915_gem_object.h
> +++ b/drivers/gpu/drm/i915/gem/i915_gem_object.h
> @@ -96,7 +96,7 @@ __attribute__((nonnull))
>   static inline void
>   i915_gem_object_put(struct drm_i915_gem_object *obj)
>   {
> -	__drm_gem_object_put(&obj->base);
> +	drm_gem_object_put_unlocked(&obj->base);

This seems to replace a function but the one that just got dropped. I 
think this is fixed up in later patches but would create issues when one 
tries to bisect.

Generally I think this is the update to the patch where I was worried 
about a potential regression introduced by adding a helper function from 
a different set. Fixing that not necessarily means to pull all the code 
in which allow that helper to be used. A different approach would be to 
check what the helper does and how newer code calls it. And then check 
how it was done before. If I remember right the patch introducing the 
helper also changed a lot of call sites. So you could as well modify the 
one fix patch by replacing the call to the helper by whatever other 
callers did back in Focal.
>   }
>   
>   #define assert_object_held(obj) dma_resv_assert_held((obj)->base.resv)
> diff --git a/include/drm/drm_drv.h b/include/drm/drm_drv.h
> index 8976afe48c1c..4c86a42cbfca 100644
> --- a/include/drm/drm_drv.h
> +++ b/include/drm/drm_drv.h
> @@ -505,8 +505,6 @@ struct drm_driver {
>   	 *
>   	 * This is deprecated and should not be used by new drivers. Use
>   	 * &drm_gem_object_funcs.free instead.
> -	 * Compared to @gem_free_object this is not encumbered with
> -	 * &drm_device.struct_mutex legacy locking schemes.
>   	 */
>   	void (*gem_free_object_unlocked) (struct drm_gem_object *obj);
>   
> diff --git a/include/drm/drm_gem.h b/include/drm/drm_gem.h
> index 6aaba14f5972..8a40315750e3 100644
> --- a/include/drm/drm_gem.h
> +++ b/include/drm/drm_gem.h
> @@ -350,27 +350,17 @@ static inline void drm_gem_object_get(struct drm_gem_object *obj)
>   }
>   
>   /**
> - * __drm_gem_object_put - raw function to release a GEM buffer object reference
> + * drm_gem_object_put_unlocked - drop a GEM buffer object reference
>    * @obj: GEM buffer object
>    *
> - * This function is meant to be used by drivers which are not encumbered with
> - * &drm_device.struct_mutex legacy locking and which are using the
> - * gem_free_object_unlocked callback. It avoids all the locking checks and
> - * locking overhead of drm_gem_object_put() and drm_gem_object_put_unlocked().
> - *
> - * Drivers should never call this directly in their code. Instead they should
> - * wrap it up into a ``driver_gem_object_put(struct driver_gem_object *obj)``
> - * wrapper function, and use that. Shared code should never call this, to
> - * avoid breaking drivers by accident which still depend upon
> - * &drm_device.struct_mutex locking.
> + * This releases a reference to @obj.
>    */
>   static inline void
> -__drm_gem_object_put(struct drm_gem_object *obj)
> +drm_gem_object_put_unlocked(struct drm_gem_object *obj)
>   {
>   	kref_put(&obj->refcount, drm_gem_object_free);
>   }
>   
> -void drm_gem_object_put_unlocked(struct drm_gem_object *obj);
>   void drm_gem_object_put(struct drm_gem_object *obj);
>   
>   int drm_gem_handle_create(struct drm_file *file_priv,

Patch

diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
index d801598299b6..663dc2130b91 100644
--- a/drivers/gpu/drm/drm_gem.c
+++ b/drivers/gpu/drm/drm_gem.c
@@ -972,36 +972,6 @@  drm_gem_object_free(struct kref *kref)
 }
 EXPORT_SYMBOL(drm_gem_object_free);
 
-/**
- * drm_gem_object_put_unlocked - drop a GEM buffer object reference
- * @obj: GEM buffer object
- *
- * This releases a reference to @obj. Callers must not hold the
- * &drm_device.struct_mutex lock when calling this function.
- *
- * See also __drm_gem_object_put().
- */
-void
-drm_gem_object_put_unlocked(struct drm_gem_object *obj)
-{
-	struct drm_device *dev;
-
-	if (!obj)
-		return;
-
-	dev = obj->dev;
-
-	if (dev->driver->gem_free_object) {
-		might_lock(&dev->struct_mutex);
-		if (kref_put_mutex(&obj->refcount, drm_gem_object_free,
-				&dev->struct_mutex))
-			mutex_unlock(&dev->struct_mutex);
-	} else {
-		kref_put(&obj->refcount, drm_gem_object_free);
-	}
-}
-EXPORT_SYMBOL(drm_gem_object_put_unlocked);
-
 /**
  * drm_gem_object_put - release a GEM buffer object reference
  * @obj: GEM buffer object
diff --git a/drivers/gpu/drm/i915/gem/i915_gem_object.h b/drivers/gpu/drm/i915/gem/i915_gem_object.h
index 53172a4185da..49cdd66d4e73 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_object.h
+++ b/drivers/gpu/drm/i915/gem/i915_gem_object.h
@@ -96,7 +96,7 @@  __attribute__((nonnull))
 static inline void
 i915_gem_object_put(struct drm_i915_gem_object *obj)
 {
-	__drm_gem_object_put(&obj->base);
+	drm_gem_object_put_unlocked(&obj->base);
 }
 
 #define assert_object_held(obj) dma_resv_assert_held((obj)->base.resv)
diff --git a/include/drm/drm_drv.h b/include/drm/drm_drv.h
index 8976afe48c1c..4c86a42cbfca 100644
--- a/include/drm/drm_drv.h
+++ b/include/drm/drm_drv.h
@@ -505,8 +505,6 @@  struct drm_driver {
 	 *
 	 * This is deprecated and should not be used by new drivers. Use
 	 * &drm_gem_object_funcs.free instead.
-	 * Compared to @gem_free_object this is not encumbered with
-	 * &drm_device.struct_mutex legacy locking schemes.
 	 */
 	void (*gem_free_object_unlocked) (struct drm_gem_object *obj);
 
diff --git a/include/drm/drm_gem.h b/include/drm/drm_gem.h
index 6aaba14f5972..8a40315750e3 100644
--- a/include/drm/drm_gem.h
+++ b/include/drm/drm_gem.h
@@ -350,27 +350,17 @@  static inline void drm_gem_object_get(struct drm_gem_object *obj)
 }
 
 /**
- * __drm_gem_object_put - raw function to release a GEM buffer object reference
+ * drm_gem_object_put_unlocked - drop a GEM buffer object reference
  * @obj: GEM buffer object
  *
- * This function is meant to be used by drivers which are not encumbered with
- * &drm_device.struct_mutex legacy locking and which are using the
- * gem_free_object_unlocked callback. It avoids all the locking checks and
- * locking overhead of drm_gem_object_put() and drm_gem_object_put_unlocked().
- *
- * Drivers should never call this directly in their code. Instead they should
- * wrap it up into a ``driver_gem_object_put(struct driver_gem_object *obj)``
- * wrapper function, and use that. Shared code should never call this, to
- * avoid breaking drivers by accident which still depend upon
- * &drm_device.struct_mutex locking.
+ * This releases a reference to @obj.
  */
 static inline void
-__drm_gem_object_put(struct drm_gem_object *obj)
+drm_gem_object_put_unlocked(struct drm_gem_object *obj)
 {
 	kref_put(&obj->refcount, drm_gem_object_free);
 }
 
-void drm_gem_object_put_unlocked(struct drm_gem_object *obj);
 void drm_gem_object_put(struct drm_gem_object *obj);
 
 int drm_gem_handle_create(struct drm_file *file_priv,
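Review bot: The new inline `drm_gem_object_put_unlocked()` in drm_gem.h no longer carries the `if (!obj) return;` guard that the exported function deleted from drm_gem.c had, so `kref_put(&obj->refcount, drm_gem_object_free)` now dereferences a NULL obj where the old code was a silent no-op. Upstream presumably accepted that because the rest of its series converted or audited the callers, but this Focal backport only carries part of that series, so any error path in a driver or shared helper that still puts a NULL object turns into a NULL pointer dereference in the kernel. Either audit every `drm_gem_object_put_unlocked()` caller in the Focal tree for a possible NULL argument before taking this, or keep the old behaviour by adding `if (!obj) return;` ahead of the `kref_put` in the inline. The kerneldoc above it should state whichever contract is chosen, e.g. `* @obj must not be NULL.` or `* A NULL @obj is ignored.`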