From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.linuxfoundation.org ([140.211.169.12]:33168 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751263AbcIORSM (ORCPT
        <rfc822;stable@vger.kernel.org>); Thu, 15 Sep 2016 13:18:12 -0400
Date: Thu, 15 Sep 2016 19:18:18 +0200
From: Greg KH <gregkh@linuxfoundation.org>
To: Rob Clark <robdclark@gmail.com>
Cc: stable@vger.kernel.org
Subject: Re: [PATCH] drm/msm: protect against faults from copy_from_user() in
 submit ioctl
Message-ID: <20160915171818.GB3866@kroah.com>
References: <1473950397-14355-1-git-send-email-robdclark@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1473950397-14355-1-git-send-email-robdclark@gmail.com>
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

On Thu, Sep 15, 2016 at 10:39:57AM -0400, Rob Clark wrote:
> commit d78d383ab354b0b9e1d23404ae0d9fbdeb9aa035 upstream.
> 
> An evil userspace could try to cause deadlock by passing an unfaulted-in
> GEM bo as submit->bos (or submit->cmds) table.  Which will trigger
> msm_gem_fault() while we already hold struct_mutex.  See:
> 
> https://github.com/freedreno/msmtest/blob/master/evilsubmittest.c
> 
> Cc: stable@vger.kernel.org
> Signed-off-by: Rob Clark <robdclark@gmail.com>
> ---
>  drivers/gpu/drm/msm/msm_drv.h        | 6 ++++++
>  drivers/gpu/drm/msm/msm_gem.c        | 9 +++++++++
>  drivers/gpu/drm/msm/msm_gem_submit.c | 2 ++
>  3 files changed, 17 insertions(+)

What stable kernel(s) do you want this applied to?

thanks,

greg k-h