[PATCH] drm: Fix possible race conditions while unplugging DRM device

[PATCH] drm: Fix possible race conditions while unplugging DRM device

[Oleksandr Andrushchenko]

From: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>

When unplugging a hotpluggable DRM device we first unregister it
with drm_dev_unregister and then set drm_device.unplugged flag which
is used to mark device critical sections with drm_dev_enter()/
drm_dev_exit() preventing access to device resources that are not
available after the device is gone.
But drm_dev_unregister may lead to hotplug uevent(s) fired to
user-space on card and/or connector removal, thus making it possible
for user-space to try accessing a disconnected device.

Fix this by first making sure device is properly marked as
disconnected and only then unregister it.

Fixes: bee330f3d672 ("drm: Use srcu to protect drm_device.unplugged")

Signed-off-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
Reported-by: Andrii Chepurnyi <andrii_chepurnyi@epam.com>
Cc: "Noralf Trønnes" <noralf@tronnes.org>
---
 drivers/gpu/drm/drm_drv.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
index b553a6f2ff0e..7af748ed1c58 100644
--- a/drivers/gpu/drm/drm_drv.c
+++ b/drivers/gpu/drm/drm_drv.c
@@ -369,13 +369,6 @@ EXPORT_SYMBOL(drm_dev_exit);
  */
 void drm_dev_unplug(struct drm_device *dev)
 {
-	drm_dev_unregister(dev);
-
-	mutex_lock(&drm_global_mutex);
-	if (dev->open_count == 0)
-		drm_dev_put(dev);
-	mutex_unlock(&drm_global_mutex);
-
 	/*
 	 * After synchronizing any critical read section is guaranteed to see
 	 * the new value of ->unplugged, and any critical section which might
@@ -384,6 +377,13 @@ void drm_dev_unplug(struct drm_device *dev)
 	 */
 	dev->unplugged = true;
 	synchronize_srcu(&drm_unplug_srcu);
+
+	drm_dev_unregister(dev);
+
+	mutex_lock(&drm_global_mutex);
+	if (dev->open_count == 0)
+		drm_dev_put(dev);
+	mutex_unlock(&drm_global_mutex);
 }
 EXPORT_SYMBOL(drm_dev_unplug);
 
-- 
2.17.0

Re: [PATCH] drm: Fix possible race conditions while unplugging DRM device

[Oleksandr Andrushchenko]

ping

On 05/22/2018 05:13 PM, Oleksandr Andrushchenko wrote:
> From: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
>
> When unplugging a hotpluggable DRM device we first unregister it
> with drm_dev_unregister and then set drm_device.unplugged flag which
> is used to mark device critical sections with drm_dev_enter()/
> drm_dev_exit() preventing access to device resources that are not
> available after the device is gone.
> But drm_dev_unregister may lead to hotplug uevent(s) fired to
> user-space on card and/or connector removal, thus making it possible
> for user-space to try accessing a disconnected device.
>
> Fix this by first making sure device is properly marked as
> disconnected and only then unregister it.
>
> Fixes: bee330f3d672 ("drm: Use srcu to protect drm_device.unplugged")
>
> Signed-off-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
> Reported-by: Andrii Chepurnyi <andrii_chepurnyi@epam.com>
> Cc: "Noralf Trønnes" <noralf@tronnes.org>
> ---
>   drivers/gpu/drm/drm_drv.c | 14 +++++++-------
>   1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
> index b553a6f2ff0e..7af748ed1c58 100644
> --- a/drivers/gpu/drm/drm_drv.c
> +++ b/drivers/gpu/drm/drm_drv.c
> @@ -369,13 +369,6 @@ EXPORT_SYMBOL(drm_dev_exit);
>    */
>   void drm_dev_unplug(struct drm_device *dev)
>   {
> -	drm_dev_unregister(dev);
> -
> -	mutex_lock(&drm_global_mutex);
> -	if (dev->open_count == 0)
> -		drm_dev_put(dev);
> -	mutex_unlock(&drm_global_mutex);
> -
>   	/*
>   	 * After synchronizing any critical read section is guaranteed to see
>   	 * the new value of ->unplugged, and any critical section which might
> @@ -384,6 +377,13 @@ void drm_dev_unplug(struct drm_device *dev)
>   	 */
>   	dev->unplugged = true;
>   	synchronize_srcu(&drm_unplug_srcu);
> +
> +	drm_dev_unregister(dev);
> +
> +	mutex_lock(&drm_global_mutex);
> +	if (dev->open_count == 0)
> +		drm_dev_put(dev);
> +	mutex_unlock(&drm_global_mutex);
>   }
>   EXPORT_SYMBOL(drm_dev_unplug);
>   

Re: [PATCH] drm: Fix possible race conditions while unplugging DRM device

[Daniel Vetter]

On Tue, May 22, 2018 at 05:13:04PM +0300, Oleksandr Andrushchenko wrote:
> From: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
> 
> When unplugging a hotpluggable DRM device we first unregister it
> with drm_dev_unregister and then set drm_device.unplugged flag which
> is used to mark device critical sections with drm_dev_enter()/
> drm_dev_exit() preventing access to device resources that are not
> available after the device is gone.
> But drm_dev_unregister may lead to hotplug uevent(s) fired to
> user-space on card and/or connector removal, thus making it possible
> for user-space to try accessing a disconnected device.
> 
> Fix this by first making sure device is properly marked as
> disconnected and only then unregister it.
> 
> Fixes: bee330f3d672 ("drm: Use srcu to protect drm_device.unplugged")
> 
> Signed-off-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
> Reported-by: Andrii Chepurnyi <andrii_chepurnyi@epam.com>
> Cc: "Noralf Trønnes" <noralf@tronnes.org>

Nice catch.

Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>

I think you need to push this to drm-misc-next-fixes to make sure it's on
the 4.17 train.
-Daniel

> ---
>  drivers/gpu/drm/drm_drv.c | 14 +++++++-------
>  1 file changed, 7 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
> index b553a6f2ff0e..7af748ed1c58 100644
> --- a/drivers/gpu/drm/drm_drv.c
> +++ b/drivers/gpu/drm/drm_drv.c
> @@ -369,13 +369,6 @@ EXPORT_SYMBOL(drm_dev_exit);
>   */
>  void drm_dev_unplug(struct drm_device *dev)
>  {
> -	drm_dev_unregister(dev);
> -
> -	mutex_lock(&drm_global_mutex);
> -	if (dev->open_count == 0)
> -		drm_dev_put(dev);
> -	mutex_unlock(&drm_global_mutex);
> -
>  	/*
>  	 * After synchronizing any critical read section is guaranteed to see
>  	 * the new value of ->unplugged, and any critical section which might
> @@ -384,6 +377,13 @@ void drm_dev_unplug(struct drm_device *dev)
>  	 */
>  	dev->unplugged = true;
>  	synchronize_srcu(&drm_unplug_srcu);
> +
> +	drm_dev_unregister(dev);
> +
> +	mutex_lock(&drm_global_mutex);
> +	if (dev->open_count == 0)
> +		drm_dev_put(dev);
> +	mutex_unlock(&drm_global_mutex);
>  }
>  EXPORT_SYMBOL(drm_dev_unplug);
>  
> -- 
> 2.17.0
> 
> _______________________________________________
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

Re: [PATCH] drm: Fix possible race conditions while unplugging DRM device

[Oleksandr Andrushchenko]

On 05/29/2018 10:02 AM, Daniel Vetter wrote:
> On Tue, May 22, 2018 at 05:13:04PM +0300, Oleksandr Andrushchenko wrote:
>> From: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
>>
>> When unplugging a hotpluggable DRM device we first unregister it
>> with drm_dev_unregister and then set drm_device.unplugged flag which
>> is used to mark device critical sections with drm_dev_enter()/
>> drm_dev_exit() preventing access to device resources that are not
>> available after the device is gone.
>> But drm_dev_unregister may lead to hotplug uevent(s) fired to
>> user-space on card and/or connector removal, thus making it possible
>> for user-space to try accessing a disconnected device.
>>
>> Fix this by first making sure device is properly marked as
>> disconnected and only then unregister it.
>>
>> Fixes: bee330f3d672 ("drm: Use srcu to protect drm_device.unplugged")
>>
>> Signed-off-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
>> Reported-by: Andrii Chepurnyi <andrii_chepurnyi@epam.com>
>> Cc: "Noralf Trønnes" <noralf@tronnes.org>
> Nice catch.
>
> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
>
> I think you need to push this to drm-misc-next-fixes to make sure it's on
> the 4.17 train.
Sure, after I have r-b from Noralf
> -Daniel
>
>> ---
>>   drivers/gpu/drm/drm_drv.c | 14 +++++++-------
>>   1 file changed, 7 insertions(+), 7 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
>> index b553a6f2ff0e..7af748ed1c58 100644
>> --- a/drivers/gpu/drm/drm_drv.c
>> +++ b/drivers/gpu/drm/drm_drv.c
>> @@ -369,13 +369,6 @@ EXPORT_SYMBOL(drm_dev_exit);
>>    */
>>   void drm_dev_unplug(struct drm_device *dev)
>>   {
>> -	drm_dev_unregister(dev);
>> -
>> -	mutex_lock(&drm_global_mutex);
>> -	if (dev->open_count == 0)
>> -		drm_dev_put(dev);
>> -	mutex_unlock(&drm_global_mutex);
>> -
>>   	/*
>>   	 * After synchronizing any critical read section is guaranteed to see
>>   	 * the new value of ->unplugged, and any critical section which might
>> @@ -384,6 +377,13 @@ void drm_dev_unplug(struct drm_device *dev)
>>   	 */
>>   	dev->unplugged = true;
>>   	synchronize_srcu(&drm_unplug_srcu);
>> +
>> +	drm_dev_unregister(dev);
>> +
>> +	mutex_lock(&drm_global_mutex);
>> +	if (dev->open_count == 0)
>> +		drm_dev_put(dev);
>> +	mutex_unlock(&drm_global_mutex);
>>   }
>>   EXPORT_SYMBOL(drm_dev_unplug);
>>   
>> -- 
>> 2.17.0
>>
>> _______________________________________________
>> dri-devel mailing list
>> dri-devel@lists.freedesktop.org
>> https://lists.freedesktop.org/mailman/listinfo/dri-devel

Re: [PATCH] drm: Fix possible race conditions while unplugging DRM device

[Daniel Vetter]

On Tue, May 29, 2018 at 10:09:57AM +0300, Oleksandr Andrushchenko wrote:
> On 05/29/2018 10:02 AM, Daniel Vetter wrote:
> > On Tue, May 22, 2018 at 05:13:04PM +0300, Oleksandr Andrushchenko wrote:
> > > From: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
> > > 
> > > When unplugging a hotpluggable DRM device we first unregister it
> > > with drm_dev_unregister and then set drm_device.unplugged flag which
> > > is used to mark device critical sections with drm_dev_enter()/
> > > drm_dev_exit() preventing access to device resources that are not
> > > available after the device is gone.
> > > But drm_dev_unregister may lead to hotplug uevent(s) fired to
> > > user-space on card and/or connector removal, thus making it possible
> > > for user-space to try accessing a disconnected device.
> > > 
> > > Fix this by first making sure device is properly marked as
> > > disconnected and only then unregister it.
> > > 
> > > Fixes: bee330f3d672 ("drm: Use srcu to protect drm_device.unplugged")
> > > 
> > > Signed-off-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
> > > Reported-by: Andrii Chepurnyi <andrii_chepurnyi@epam.com>
> > > Cc: "Noralf Trønnes" <noralf@tronnes.org>
> > Nice catch.
> > 
> > Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
> > 
> > I think you need to push this to drm-misc-next-fixes to make sure it's on
> > the 4.17 train.
> Sure, after I have r-b from Noralf

Noralf's occasionally occupied with other things and doesn't have time to
look at patches. I think it's ok to just push after a few more days, even
if he doesn't respond. Same holds for other people really.
-Daniel

> > -Daniel
> > 
> > > ---
> > >   drivers/gpu/drm/drm_drv.c | 14 +++++++-------
> > >   1 file changed, 7 insertions(+), 7 deletions(-)
> > > 
> > > diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
> > > index b553a6f2ff0e..7af748ed1c58 100644
> > > --- a/drivers/gpu/drm/drm_drv.c
> > > +++ b/drivers/gpu/drm/drm_drv.c
> > > @@ -369,13 +369,6 @@ EXPORT_SYMBOL(drm_dev_exit);
> > >    */
> > >   void drm_dev_unplug(struct drm_device *dev)
> > >   {
> > > -	drm_dev_unregister(dev);
> > > -
> > > -	mutex_lock(&drm_global_mutex);
> > > -	if (dev->open_count == 0)
> > > -		drm_dev_put(dev);
> > > -	mutex_unlock(&drm_global_mutex);
> > > -
> > >   	/*
> > >   	 * After synchronizing any critical read section is guaranteed to see
> > >   	 * the new value of ->unplugged, and any critical section which might
> > > @@ -384,6 +377,13 @@ void drm_dev_unplug(struct drm_device *dev)
> > >   	 */
> > >   	dev->unplugged = true;
> > >   	synchronize_srcu(&drm_unplug_srcu);
> > > +
> > > +	drm_dev_unregister(dev);
> > > +
> > > +	mutex_lock(&drm_global_mutex);
> > > +	if (dev->open_count == 0)
> > > +		drm_dev_put(dev);
> > > +	mutex_unlock(&drm_global_mutex);
> > >   }
> > >   EXPORT_SYMBOL(drm_dev_unplug);
> > > -- 
> > > 2.17.0
> > > 
> > > _______________________________________________
> > > dri-devel mailing list
> > > dri-devel@lists.freedesktop.org
> > > https://lists.freedesktop.org/mailman/listinfo/dri-devel
> 
> _______________________________________________
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

Re: [PATCH] drm: Fix possible race conditions while unplugging DRM device

[Oleksandr Andrushchenko]

On 05/29/2018 10:49 AM, Daniel Vetter wrote:
> On Tue, May 29, 2018 at 10:09:57AM +0300, Oleksandr Andrushchenko wrote:
>> On 05/29/2018 10:02 AM, Daniel Vetter wrote:
>>> On Tue, May 22, 2018 at 05:13:04PM +0300, Oleksandr Andrushchenko wrote:
>>>> From: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
>>>>
>>>> When unplugging a hotpluggable DRM device we first unregister it
>>>> with drm_dev_unregister and then set drm_device.unplugged flag which
>>>> is used to mark device critical sections with drm_dev_enter()/
>>>> drm_dev_exit() preventing access to device resources that are not
>>>> available after the device is gone.
>>>> But drm_dev_unregister may lead to hotplug uevent(s) fired to
>>>> user-space on card and/or connector removal, thus making it possible
>>>> for user-space to try accessing a disconnected device.
>>>>
>>>> Fix this by first making sure device is properly marked as
>>>> disconnected and only then unregister it.
>>>>
>>>> Fixes: bee330f3d672 ("drm: Use srcu to protect drm_device.unplugged")
>>>>
>>>> Signed-off-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
>>>> Reported-by: Andrii Chepurnyi <andrii_chepurnyi@epam.com>
>>>> Cc: "Noralf Trønnes" <noralf@tronnes.org>
>>> Nice catch.
>>>
>>> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
>>>
>>> I think you need to push this to drm-misc-next-fixes to make sure it's on
>>> the 4.17 train.
>> Sure, after I have r-b from Noralf
> Noralf's occasionally occupied with other things and doesn't have time to
> look at patches. I think it's ok to just push after a few more days, even
> if he doesn't respond. Same holds for other people really.
> -Daniel
>
Applied to drm-misc-next-fixes
>>> -Daniel
>>>
>>>> ---
>>>>    drivers/gpu/drm/drm_drv.c | 14 +++++++-------
>>>>    1 file changed, 7 insertions(+), 7 deletions(-)
>>>>
>>>> diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
>>>> index b553a6f2ff0e..7af748ed1c58 100644
>>>> --- a/drivers/gpu/drm/drm_drv.c
>>>> +++ b/drivers/gpu/drm/drm_drv.c
>>>> @@ -369,13 +369,6 @@ EXPORT_SYMBOL(drm_dev_exit);
>>>>     */
>>>>    void drm_dev_unplug(struct drm_device *dev)
>>>>    {
>>>> -	drm_dev_unregister(dev);
>>>> -
>>>> -	mutex_lock(&drm_global_mutex);
>>>> -	if (dev->open_count == 0)
>>>> -		drm_dev_put(dev);
>>>> -	mutex_unlock(&drm_global_mutex);
>>>> -
>>>>    	/*
>>>>    	 * After synchronizing any critical read section is guaranteed to see
>>>>    	 * the new value of ->unplugged, and any critical section which might
>>>> @@ -384,6 +377,13 @@ void drm_dev_unplug(struct drm_device *dev)
>>>>    	 */
>>>>    	dev->unplugged = true;
>>>>    	synchronize_srcu(&drm_unplug_srcu);
>>>> +
>>>> +	drm_dev_unregister(dev);
>>>> +
>>>> +	mutex_lock(&drm_global_mutex);
>>>> +	if (dev->open_count == 0)
>>>> +		drm_dev_put(dev);
>>>> +	mutex_unlock(&drm_global_mutex);
>>>>    }
>>>>    EXPORT_SYMBOL(drm_dev_unplug);
>>>> -- 
>>>> 2.17.0
>>>>
>>>> _______________________________________________
>>>> dri-devel mailing list
>>>> dri-devel@lists.freedesktop.org
>>>> https://lists.freedesktop.org/mailman/listinfo/dri-devel
>> _______________________________________________
>> dri-devel mailing list
>> dri-devel@lists.freedesktop.org
>> https://lists.freedesktop.org/mailman/listinfo/dri-devel