Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp5294227pxj;
        Tue, 22 Jun 2021 20:50:33 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxKbZXG4KhiYsujZLVmszHN1jVGuz1tbFHSziEOaubexnW8OthwZRkNgCTninxrsALp0t/S
X-Received: by 2002:aa7:dccb:: with SMTP id w11mr9227126edu.96.1624420233756;
        Tue, 22 Jun 2021 20:50:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1624420233; cv=none;
        d=google.com; s=arc-20160816;
        b=G+bQ2yPWJScJn0QL4l6Vhejo24iWKiud3YF4wLzYU4rAfEFypCih0l3nRlouyt0Bnr
         1OVxZWnIPRsxvQfWSHoxc2QuDgCd9GbokejKentDybDfOf5xXzxcWRt+12/it0105tFp
         +xrd93WsDzlAX0x1BY0AdmwQMzMSwC6znj5ht1zXM8s+hM/THtuodBzKBfCXQc31Wzjm
         GSA8MGZb/giTNGU8HTVLaMnP+sx43JnGtFSUBK9Qwpl8IJhXbKRHBJRXWTiRhxMOuvwG
         Ly6KHok4sXdbyGBZwQh3jBuYs8ADW+WWrbkJXahK/foHdu/ZiAiR7YxDmr4/WXrpR40r
         koJQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:from:references
         :to:subject:dkim-signature;
        bh=yfvte9hUyFiYd2kHj7QDXnx/sjIUlGw0CWZs9V2GBVg=;
        b=AEFva6x8L0J5dfNIyW7peoz/CUgMb/u3FHUPBXT0GBJV20eM64ZwGfOnpT6VqgGP2/
         0j1glX0sq+Aj7cMqQ53SXD/m6ryPV5GAWicV24bmNZ+NumguEUXjuHavKby1G0n0aH1a
         6J/SMgOSj932LXVtFbpdkIUdIHRNnH9QG2hRuRuo+KQZlJTzul0k/v1dyxFYMUx0iivm
         ooLlxIeLlYMYkR4AVa33+vK4L09IrUlVWRSapUSBSFbUROpCK+ZhwxLtVZbKroUZpjmU
         iTP0EjUMoAz9rxG5oWB7aLEhsTiJJeIfMudrIKoDXqgv4phkYoMXEQp846zN5SaiqSkj
         IANg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=dW67Dovp;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id zd22si6883856ejb.303.2021.06.22.20.50.08;
        Tue, 22 Jun 2021 20:50:33 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=dW67Dovp;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230388AbhFWDvW (ORCPT <rfc822;macmurkernel@gmail.com>
        + 99 others); Tue, 22 Jun 2021 23:51:22 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56410 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229774AbhFWDvW (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 22 Jun 2021 23:51:22 -0400
Received: from mail-pj1-x1034.google.com (mail-pj1-x1034.google.com [IPv6:2607:f8b0:4864:20::1034])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B80C3C061574;
        Tue, 22 Jun 2021 20:49:05 -0700 (PDT)
Received: by mail-pj1-x1034.google.com with SMTP id h23so727713pjv.2;
        Tue, 22 Jun 2021 20:49:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-language:content-transfer-encoding;
        bh=yfvte9hUyFiYd2kHj7QDXnx/sjIUlGw0CWZs9V2GBVg=;
        b=dW67Dovp+hE3G/daqpHOocO9ySLua0BW/6bKax3Uf/E54F4pFqZ0SctPDx4465Shk8
         75MyNdgAdIdPz5uaoIOhyMPFIMX1/TSLVbIsJuIuJY9bPoq4n98w8dEJFUEpX0z2ay2l
         ls4adNqzQNnYWAHXgE3SF5x58TmUK8uHnhqN4CiEqUcOYXTEWBpo6wQoa2WfFTnIeRTb
         /pecruYEb4RSRHwZ4dfG8AiYzdpWmPCe+1dwHjAlbIyYZyFe1jWlpeReaeMKRei+PHTX
         KLle+PUGyZAQ5BBWs9AKO+Xe2k9HGT0kiRwEgIqgOjt2rlL21JlBgS5xOnk8wOnkm9Gb
         n7Fg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=yfvte9hUyFiYd2kHj7QDXnx/sjIUlGw0CWZs9V2GBVg=;
        b=PH8ZkrXX1lPSVYgvFWZJHakq4IcoJRSG0D710bvEWbJ4RiB0NfXsoSp2rwDXWX3YFg
         w4jVhJuRmGMIIsdyMDWEK4oB0PIgOVpEbMm9rcHgmPWMgfMCFok95I44NQq/grGCWX3U
         Q5qtw01/wr+mXu+2Bobk9r5ipTXuOm5FwFQnS8LLZdJKz78k8kbOEOh1tbcqSehvLOAS
         TEJCNxSFSO2iVcEpsbQhtDKQr4FNcDHKu4PzcHmhTUknwKGXcPBicZuQWX2xnx3GSp8W
         LhOA6LZHmRwVxSa3slZbHMNTGY8dPPFrkItvQsUYfFiLw5viGZa+VVF8GTN3mIvRlQtm
         V3Kg==
X-Gm-Message-State: AOAM530b9kZYe40LpuxWqZdVtmJcicu1scSTxSPdSzoxbC5hijNyIZNs
        oI9c9FsQc/5Mrc7cSy1zgL8=
X-Received: by 2002:a17:90a:5d16:: with SMTP id s22mr7294045pji.48.1624420145213;
        Tue, 22 Jun 2021 20:49:05 -0700 (PDT)
Received: from [192.168.1.237] ([118.200.190.93])
        by smtp.gmail.com with ESMTPSA id 81sm13142274pgg.85.2021.06.22.20.49.00
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 22 Jun 2021 20:49:04 -0700 (PDT)
Subject: Re: [PATCH v3 2/2] drm: protect drm_master pointers in drm_lease.c
To:     maarten.lankhorst@linux.intel.com, mripard@kernel.org,
        tzimmermann@suse.de, airlied@linux.ie, sumit.semwal@linaro.org,
        christian.koenig@amd.com, dri-devel@lists.freedesktop.org,
        linux-kernel@vger.kernel.org, linux-media@vger.kernel.org,
        linaro-mm-sig@lists.linaro.org, skhan@linuxfoundation.org,
        gregkh@linuxfoundation.org,
        linux-kernel-mentees@lists.linuxfoundation.org,
        emil.l.velikov@gmail.com
References: <20210620110327.4964-1-desmondcheongzx@gmail.com>
 <20210620110327.4964-3-desmondcheongzx@gmail.com>
 <YNCmeYdY8giE8M9b@phenom.ffwll.local>
From:   Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Message-ID: <99ee7966-09da-3942-0afe-ee1f185620d6@gmail.com>
Date:   Wed, 23 Jun 2021 11:48:59 +0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <YNCmeYdY8giE8M9b@phenom.ffwll.local>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 21/6/21 10:47 pm, Daniel Vetter wrote:
> On Sun, Jun 20, 2021 at 07:03:27PM +0800, Desmond Cheong Zhi Xi wrote:
>> diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c
>> index 86d4b72e95cb..0c64a77c67a6 100644
>> --- a/drivers/gpu/drm/drm_auth.c
>> +++ b/drivers/gpu/drm/drm_auth.c
>> @@ -384,6 +384,28 @@ struct drm_master *drm_master_get(struct drm_master *master)
>>   }
>>   EXPORT_SYMBOL(drm_master_get);
>>   
>> +/**
>> + * drm_file_get_master - reference @file_priv->master
>> + * @file_priv: DRM file private
>> + *
>> + * Increments the reference count of @file_priv->master and returns
> 
> Does this format correctly? I'd go with "&drm_file.master of @file_priv".
> 

Got it. "file_priv->master" was bolded, but no link to drm_file.master 
was generated. I'll update this.

>> + * @file_priv->master.
>> + *
>> + * Master pointers returned from this function should be unreferenced using
>> + * drm_master_put().
>> + */
>> +struct drm_master *drm_file_get_master(struct drm_file *file_priv)
>> +{
>> +	struct drm_master *master;
>> +
>> +	mutex_lock(&file_priv->master->dev->master_mutex);
>> +	master = drm_master_get(file_priv->master);
>> +	mutex_unlock(&file_priv->master->dev->master_mutex);
>> +
>> +	return master;
>> +}
>> +EXPORT_SYMBOL(drm_file_get_master);
>> +
>>   static void drm_master_destroy(struct kref *kref)
>>   {
>>   	struct drm_master *master = container_of(kref, struct drm_master, refcount);
>> diff --git a/drivers/gpu/drm/drm_lease.c b/drivers/gpu/drm/drm_lease.c
>> index da4f085fc09e..65eab82f8acc 100644
>> --- a/drivers/gpu/drm/drm_lease.c
>> +++ b/drivers/gpu/drm/drm_lease.c
>> @@ -107,10 +107,17 @@ static bool _drm_has_leased(struct drm_master *master, int id)
>>    */
>>   bool _drm_lease_held(struct drm_file *file_priv, int id)
>>   {
>> +	bool ret;
>> +	struct drm_master *master;
>> +
>>   	if (!file_priv || !file_priv->master)
> 
> So here we still have a ->master access outside of the locked code
> section. I think the best fix for that would be to move the NULL check
> into drm_file_get_master (where we grab the lock already anyway), and
> update the kerneldoc to state that it might return NULL.
> 
> Same with all the checks for ->master below.
> 

Moving the check into drm_file_get_master sounds good. Grabbing the lock 
before performing the NULL check poses a little chicken-and-egg problem 
though.

It's true that without the lock, even if file_priv->master passes the 
NULL check, it could be freed in the time between the check and grabbing 
the lock.

However, based on the original code, it seems there's the possibility 
that file_priv->master might be NULL. In this case, grabbing the lock 
results in a null ptr dereference because we get the mutex via 
&file_priv->master->dev->master_mutex.

By this reasoning, I think the safer method is still to perform the NULL 
check before grabbing the lock.

>>   		return true;
>>   
>> -	return _drm_lease_held_master(file_priv->master, id);
>> +	master = drm_file_get_master(file_priv);
>> +	ret = _drm_lease_held_master(master, id);
>> +	drm_master_put(&master);
>> +
>> +	return ret;
>>   }
>>   
>>   /**
>> @@ -132,10 +139,11 @@ bool drm_lease_held(struct drm_file *file_priv, int id)
>>   	if (!file_priv || !file_priv->master || !file_priv->master->lessor)
>>   		return true;
> 
> master->lessor dereferenced outside the lock or without holding a
> reference.
> 
>>   
>> -	master = file_priv->master;
>> +	master = drm_file_get_master(file_priv);
>>   	mutex_lock(&master->dev->mode_config.idr_mutex);
>>   	ret = _drm_lease_held_master(master, id);
>>   	mutex_unlock(&master->dev->mode_config.idr_mutex);
>> +	drm_master_put(&master);
>>   	return ret;
>>   }
>>   
>> @@ -158,7 +166,7 @@ uint32_t drm_lease_filter_crtcs(struct drm_file *file_priv, uint32_t crtcs_in)
>>   	if (!file_priv || !file_priv->master || !file_priv->master->lessor)
>>   		return crtcs_in;
> 
> Same here.
> 
>>   
>> -	master = file_priv->master;
>> +	master = drm_file_get_master(file_priv);
>>   	dev = master->dev;
>>   
>>   	count_in = count_out = 0;
>> @@ -177,6 +185,7 @@ uint32_t drm_lease_filter_crtcs(struct drm_file *file_priv, uint32_t crtcs_in)
>>   		count_in++;
>>   	}
>>   	mutex_unlock(&master->dev->mode_config.idr_mutex);
>> +	drm_master_put(&master);
>>   	return crtcs_out;
>>   }
>>   
>> @@ -490,7 +499,7 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev,
>>   	size_t object_count;
>>   	int ret = 0;
>>   	struct idr leases;
>> -	struct drm_master *lessor = lessor_priv->master;
>> +	struct drm_master *lessor;
>>   	struct drm_master *lessee = NULL;
>>   	struct file *lessee_file = NULL;
>>   	struct file *lessor_file = lessor_priv->filp;
>> @@ -502,12 +511,6 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev,
>>   	if (!drm_core_check_feature(dev, DRIVER_MODESET))
>>   		return -EOPNOTSUPP;
>>   
>> -	/* Do not allow sub-leases */
>> -	if (lessor->lessor) {
>> -		DRM_DEBUG_LEASE("recursive leasing not allowed\n");
>> -		return -EINVAL;
>> -	}
>> -
>>   	/* need some objects */
>>   	if (cl->object_count == 0) {
>>   		DRM_DEBUG_LEASE("no objects in lease\n");
>> @@ -519,12 +522,22 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev,
>>   		return -EINVAL;
>>   	}
>>   
>> +	lessor = drm_file_get_master(lessor_priv);
>> +	/* Do not allow sub-leases */
>> +	if (lessor->lessor) {
> 
> Here we check after grabbing the reference, so looks correct.
> 
>> +		DRM_DEBUG_LEASE("recursive leasing not allowed\n");
>> +		ret = -EINVAL;
>> +		goto out_lessor;
>> +	}
>> +
>>   	object_count = cl->object_count;
>>   
>>   	object_ids = memdup_user(u64_to_user_ptr(cl->object_ids),
>>   			array_size(object_count, sizeof(__u32)));
>> -	if (IS_ERR(object_ids))
>> -		return PTR_ERR(object_ids);
>> +	if (IS_ERR(object_ids)) {
>> +		ret = PTR_ERR(object_ids);
>> +		goto out_lessor;
>> +	}
>>   
>>   	idr_init(&leases);
>>   
>> @@ -535,14 +548,15 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev,
>>   	if (ret) {
>>   		DRM_DEBUG_LEASE("lease object lookup failed: %i\n", ret);
>>   		idr_destroy(&leases);
>> -		return ret;
>> +		goto out_lessor;
>>   	}
>>   
>>   	/* Allocate a file descriptor for the lease */
>>   	fd = get_unused_fd_flags(cl->flags & (O_CLOEXEC | O_NONBLOCK));
>>   	if (fd < 0) {
>>   		idr_destroy(&leases);
>> -		return fd;
>> +		ret = fd;
>> +		goto out_lessor;
>>   	}
>>   
>>   	DRM_DEBUG_LEASE("Creating lease\n");
>> @@ -578,6 +592,7 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev,
>>   	/* Hook up the fd */
>>   	fd_install(fd, lessee_file);
>>   
>> +	drm_master_put(&lessor);
>>   	DRM_DEBUG_LEASE("drm_mode_create_lease_ioctl succeeded\n");
>>   	return 0;
>>   
>> @@ -587,6 +602,8 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev,
>>   out_leases:
>>   	put_unused_fd(fd);
>>   
>> +out_lessor:
>> +	drm_master_put(&lessor);
>>   	DRM_DEBUG_LEASE("drm_mode_create_lease_ioctl failed: %d\n", ret);
>>   	return ret;
>>   }
>> @@ -609,7 +626,7 @@ int drm_mode_list_lessees_ioctl(struct drm_device *dev,
>>   	struct drm_mode_list_lessees *arg = data;
>>   	__u32 __user *lessee_ids = (__u32 __user *) (uintptr_t) (arg->lessees_ptr);
>>   	__u32 count_lessees = arg->count_lessees;
>> -	struct drm_master *lessor = lessor_priv->master, *lessee;
>> +	struct drm_master *lessor, *lessee;
>>   	int count;
>>   	int ret = 0;
>>   
>> @@ -620,6 +637,7 @@ int drm_mode_list_lessees_ioctl(struct drm_device *dev,
>>   	if (!drm_core_check_feature(dev, DRIVER_MODESET))
>>   		return -EOPNOTSUPP;
>>   
>> +	lessor = drm_file_get_master(lessor_priv);
>>   	DRM_DEBUG_LEASE("List lessees for %d\n", lessor->lessee_id);
>>   
>>   	mutex_lock(&dev->mode_config.idr_mutex);
>> @@ -643,6 +661,7 @@ int drm_mode_list_lessees_ioctl(struct drm_device *dev,
>>   		arg->count_lessees = count;
>>   
>>   	mutex_unlock(&dev->mode_config.idr_mutex);
>> +	drm_master_put(&lessor);
>>   
>>   	return ret;
>>   }
>> @@ -662,7 +681,7 @@ int drm_mode_get_lease_ioctl(struct drm_device *dev,
>>   	struct drm_mode_get_lease *arg = data;
>>   	__u32 __user *object_ids = (__u32 __user *) (uintptr_t) (arg->objects_ptr);
>>   	__u32 count_objects = arg->count_objects;
>> -	struct drm_master *lessee = lessee_priv->master;
>> +	struct drm_master *lessee;
>>   	struct idr *object_idr;
>>   	int count;
>>   	void *entry;
>> @@ -676,6 +695,7 @@ int drm_mode_get_lease_ioctl(struct drm_device *dev,
>>   	if (!drm_core_check_feature(dev, DRIVER_MODESET))
>>   		return -EOPNOTSUPP;
>>   
>> +	lessee = drm_file_get_master(lessee_priv);
>>   	DRM_DEBUG_LEASE("get lease for %d\n", lessee->lessee_id);
>>   
>>   	mutex_lock(&dev->mode_config.idr_mutex);
>> @@ -703,6 +723,7 @@ int drm_mode_get_lease_ioctl(struct drm_device *dev,
>>   		arg->count_objects = count;
>>   
>>   	mutex_unlock(&dev->mode_config.idr_mutex);
>> +	drm_master_put(&lessee);
>>   
>>   	return ret;
>>   }
>> @@ -721,7 +742,7 @@ int drm_mode_revoke_lease_ioctl(struct drm_device *dev,
>>   				void *data, struct drm_file *lessor_priv)
>>   {
>>   	struct drm_mode_revoke_lease *arg = data;
>> -	struct drm_master *lessor = lessor_priv->master;
>> +	struct drm_master *lessor;
>>   	struct drm_master *lessee;
>>   	int ret = 0;
>>   
>> @@ -731,6 +752,7 @@ int drm_mode_revoke_lease_ioctl(struct drm_device *dev,
>>   	if (!drm_core_check_feature(dev, DRIVER_MODESET))
>>   		return -EOPNOTSUPP;
>>   
>> +	lessor = drm_file_get_master(lessor_priv);
>>   	mutex_lock(&dev->mode_config.idr_mutex);
>>   
>>   	lessee = _drm_find_lessee(lessor, arg->lessee_id);
>> @@ -751,6 +773,7 @@ int drm_mode_revoke_lease_ioctl(struct drm_device *dev,
>>   
>>   fail:
>>   	mutex_unlock(&dev->mode_config.idr_mutex);
>> +	drm_master_put(&lessor);
>>   
>>   	return ret;
>>   }
>> diff --git a/include/drm/drm_auth.h b/include/drm/drm_auth.h
>> index 6bf8b2b78991..f99d3417f304 100644
>> --- a/include/drm/drm_auth.h
>> +++ b/include/drm/drm_auth.h
>> @@ -107,6 +107,7 @@ struct drm_master {
>>   };
>>   
>>   struct drm_master *drm_master_get(struct drm_master *master);
>> +struct drm_master *drm_file_get_master(struct drm_file *file_priv);
>>   void drm_master_put(struct drm_master **master);
>>   bool drm_is_current_master(struct drm_file *fpriv);
>>   
>> diff --git a/include/drm/drm_file.h b/include/drm/drm_file.h
>> index b81b3bfb08c8..e9931fca4ab7 100644
>> --- a/include/drm/drm_file.h
>> +++ b/include/drm/drm_file.h
>> @@ -226,9 +226,18 @@ struct drm_file {
>>   	/**
>>   	 * @master:
>>   	 *
>> -	 * Master this node is currently associated with. Only relevant if
>> -	 * drm_is_primary_client() returns true. Note that this only
>> -	 * matches &drm_device.master if the master is the currently active one.
>> +	 * Master this node is currently associated with. Protected by struct
>> +	 * &drm_device.master_mutex.
>> +	 *
>> +	 * Only relevant if drm_is_primary_client() returns true. Note that
>> +	 * this only matches &drm_device.master if the master is the currently
>> +	 * active one.
>> +	 *
>> +	 * When obtaining a copy of this pointer, it is recommended to either
>> +	 * hold struct &drm_device.master_mutex for the duration of the
>> +	 * pointer's use, or to use drm_file_get_master() if struct
>> +	 * &drm_device.master_mutex is not currently held and there is no other
>> +	 * need to hold it. This prevents @master from being freed during use.
>>   	 *
>>   	 * See also @authentication and @is_master and the :ref:`section on
>>   	 * primary nodes and authentication <drm_primary_node>`.
>> -- 
>> 2.25.1
>>
> 

Thanks for the feedback, Daniel. I'll send out an updated patch to 
address these issues.

Best wishes,
Desmond