Patch "drm: Fix FD ownership check in drm_master_check_perm()" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Thu, 21 Dec 2023 09:53:55 -0500

This is a note to let you know that I've just added the patch titled

    drm: Fix FD ownership check in drm_master_check_perm()

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     drm-fix-fd-ownership-check-in-drm_master_check_perm.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 11903bfbdb14c1b0a0b280bc630c758a3c2385d9
Author: Lingkai Dong <Lingkai.Dong@xxxxxxx>
Date:   Wed Dec 6 13:51:58 2023 +0000

    drm: Fix FD ownership check in drm_master_check_perm()
    
    [ Upstream commit 5a6c9a05e55cb2972396cc991af9d74c8c15029a ]
    
    The DRM subsystem keeps a record of the owner of a DRM device file
    descriptor using thread group ID (TGID) instead of process ID (PID), to
    ensures all threads within the same userspace process are considered the
    owner. However, the DRM master ownership check compares the current
    thread's PID against the record, so the thread is incorrectly considered to
    be not the FD owner if the PID is not equal to the TGID. This causes DRM
    ioctls to be denied master privileges, even if the same thread that opened
    the FD performs an ioctl. Fix this by checking TGID.
    
    Fixes: 4230cea89cafb ("drm: Track clients by tgid and not tid")
    Signed-off-by: Lingkai Dong <lingkai.dong@xxxxxxx>
    Reviewed-by: Christian König <christian.koenig@xxxxxxx>
    Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@xxxxxxxxx>
    Cc: <stable@xxxxxxxxxxxxxxx> # v6.4+
    Link: https://patchwork.freedesktop.org/patch/msgid/PA6PR08MB107665920BE9A96658CDA04CE8884A@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Signed-off-by: Christian König <christian.koenig@xxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c
index 2ed2585ded378..6899b3dc1f12a 100644
--- a/drivers/gpu/drm/drm_auth.c
+++ b/drivers/gpu/drm/drm_auth.c
@@ -236,7 +236,7 @@ static int
 drm_master_check_perm(struct drm_device *dev, struct drm_file *file_priv)
 {
 	if (file_priv->was_master &&
-	    rcu_access_pointer(file_priv->pid) == task_pid(current))
+	    rcu_access_pointer(file_priv->pid) == task_tgid(current))
 		return 0;
 
 	if (!capable(CAP_SYS_ADMIN))







