All of lore.kernel.org
 help / color / mirror / Atom feed
From: Daniel Vetter <daniel@ffwll.ch>
To: ville.syrjala@linux.intel.com
Cc: intel-gfx@lists.freedesktop.org
Subject: Re: [PATCH 5/5] drm/i915: Make i915_pipe_crc_read() oops proof
Date: Wed, 10 Dec 2014 11:00:02 +0100	[thread overview]
Message-ID: <20141210100002.GI27182@phenom.ffwll.local> (raw)
In-Reply-To: <1418153312-25319-6-git-send-email-ville.syrjala@linux.intel.com>

On Tue, Dec 09, 2014 at 09:28:32PM +0200, ville.syrjala@linux.intel.com wrote:
> From: Ville Syrjälä <ville.syrjala@linux.intel.com>
> 
> Currently i915_pipe_crc_read() will drop pipe_crc->lock for the entire
> duration of the copy_to_user() loop, which means it'll access
> pipe_crc->entries without any protection. If another thread sneaks in
> and frees pipe_crc->entries the code will oops.
> 
> Reorganize the code to hold the lock around everything except
> copy_to_user(). After the copy the lock is reacquired and the the number
> of available entries is rechecked.
> 
> Since this is a debug feature simplify the error handling a bit by
> consuming the crc entry even if copy_to_user() would fail.
> 
> Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>

While you go to all this trouble with making the debugfs interface safe
against stupid userspace: set_source has a potential leak when ->entries
is already allocated when we set it. An unconditional
kfree(pipe_crc->entries); before should be all we need since kfree can
handle this. I'll smash a patch on top.

Entire series merged, thanks.
-Daniel

> ---
>  drivers/gpu/drm/i915/i915_debugfs.c | 39 +++++++++++++++++++++----------------
>  1 file changed, 22 insertions(+), 17 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c
> index d9d5f1f..1c61564 100644
> --- a/drivers/gpu/drm/i915/i915_debugfs.c
> +++ b/drivers/gpu/drm/i915/i915_debugfs.c
> @@ -2858,7 +2858,7 @@ i915_pipe_crc_read(struct file *filep, char __user *user_buf, size_t count,
>  	struct drm_i915_private *dev_priv = dev->dev_private;
>  	struct intel_pipe_crc *pipe_crc = &dev_priv->pipe_crc[info->pipe];
>  	char buf[PIPE_CRC_BUFFER_LEN];
> -	int head, tail, n_entries, n;
> +	int n_entries;
>  	ssize_t bytes_read;
>  
>  	/*
> @@ -2890,36 +2890,39 @@ i915_pipe_crc_read(struct file *filep, char __user *user_buf, size_t count,
>  	}
>  
>  	/* We now have one or more entries to read */
> -	head = pipe_crc->head;
> -	tail = pipe_crc->tail;
> -	n_entries = min((size_t)CIRC_CNT(head, tail, INTEL_PIPE_CRC_ENTRIES_NR),
> -			count / PIPE_CRC_LINE_LEN);
> -	spin_unlock_irq(&pipe_crc->lock);
> +	n_entries = count / PIPE_CRC_LINE_LEN;
>  
>  	bytes_read = 0;
> -	n = 0;
> -	do {
> -		struct intel_pipe_crc_entry *entry = &pipe_crc->entries[tail];
> +	while (n_entries > 0) {
> +		struct intel_pipe_crc_entry *entry =
> +			&pipe_crc->entries[pipe_crc->tail];
>  		int ret;
>  
> +		if (CIRC_CNT(pipe_crc->head, pipe_crc->tail,
> +			     INTEL_PIPE_CRC_ENTRIES_NR) < 1)
> +			break;
> +
> +		BUILD_BUG_ON_NOT_POWER_OF_2(INTEL_PIPE_CRC_ENTRIES_NR);
> +		pipe_crc->tail = (pipe_crc->tail + 1) & (INTEL_PIPE_CRC_ENTRIES_NR - 1);
> +
>  		bytes_read += snprintf(buf, PIPE_CRC_BUFFER_LEN,
>  				       "%8u %8x %8x %8x %8x %8x\n",
>  				       entry->frame, entry->crc[0],
>  				       entry->crc[1], entry->crc[2],
>  				       entry->crc[3], entry->crc[4]);
>  
> -		ret = copy_to_user(user_buf + n * PIPE_CRC_LINE_LEN,
> -				   buf, PIPE_CRC_LINE_LEN);
> +		spin_unlock_irq(&pipe_crc->lock);
> +
> +		ret = copy_to_user(user_buf, buf, PIPE_CRC_LINE_LEN);
>  		if (ret == PIPE_CRC_LINE_LEN)
>  			return -EFAULT;
>  
> -		BUILD_BUG_ON_NOT_POWER_OF_2(INTEL_PIPE_CRC_ENTRIES_NR);
> -		tail = (tail + 1) & (INTEL_PIPE_CRC_ENTRIES_NR - 1);
> -		n++;
> -	} while (--n_entries);
> +		user_buf += PIPE_CRC_LINE_LEN;
> +		n_entries--;
> +
> +		spin_lock_irq(&pipe_crc->lock);
> +	}
>  
> -	spin_lock_irq(&pipe_crc->lock);
> -	pipe_crc->tail = tail;
>  	spin_unlock_irq(&pipe_crc->lock);
>  
>  	return bytes_read;
> @@ -3456,6 +3459,8 @@ static int pipe_crc_set_source(struct drm_device *dev, enum pipe pipe,
>  		spin_lock_irq(&pipe_crc->lock);
>  		entries = pipe_crc->entries;
>  		pipe_crc->entries = NULL;
> +		pipe_crc->head = 0;
> +		pipe_crc->tail = 0;
>  		spin_unlock_irq(&pipe_crc->lock);
>  
>  		kfree(entries);
> -- 
> 2.0.4
> 
> _______________________________________________
> Intel-gfx mailing list
> Intel-gfx@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/intel-gfx

-- 
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/intel-gfx

  reply	other threads:[~2014-12-10  9:59 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-12-09 19:28 [PATCH 0/5] drm/i915: CRC fixes ville.syrjala
2014-12-09 19:28 ` [PATCH 1/5] drm/i915: Engage the DP scramble reset for pipe C on CHV ville.syrjala
2014-12-09 19:28 ` [PATCH 2/5] drm/i915: Fix CRC support for DP port D " ville.syrjala
2014-12-10  9:49   ` Daniel Vetter
2014-12-09 19:28 ` [PATCH 3/5] drm/i915: Protect pipe_crc->entries update ville.syrjala
2014-12-09 19:28 ` [PATCH 4/5] drm/i915: Allocate the pipe_crc->entires with kcalloc() ville.syrjala
2014-12-09 19:28 ` [PATCH 5/5] drm/i915: Make i915_pipe_crc_read() oops proof ville.syrjala
2014-12-10 10:00   ` Daniel Vetter [this message]
2014-12-10 10:02   ` [PATCH] drm/i915: Protect against leaks in pipe_crc_set_source Daniel Vetter
2014-12-10 14:45     ` Ville Syrjälä
2014-12-10 10:06   ` [PATCH 5/5] drm/i915: Make i915_pipe_crc_read() oops proof shuang.he

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20141210100002.GI27182@phenom.ffwll.local \
    --to=daniel@ffwll.ch \
    --cc=intel-gfx@lists.freedesktop.org \
    --cc=ville.syrjala@linux.intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.