/*1* Created: Tue Feb 2 08:37:54 1999 by [email protected]2*3* Copyright 1999 Precision Insight, Inc., Cedar Park, Texas.4* Copyright 2000 VA Linux Systems, Inc., Sunnyvale, California.5* All Rights Reserved.6*7* Author Rickard E. (Rik) Faith <[email protected]>8* Author Gareth Hughes <[email protected]>9*10* Permission is hereby granted, free of charge, to any person obtaining a11* copy of this software and associated documentation files (the "Software"),12* to deal in the Software without restriction, including without limitation13* the rights to use, copy, modify, merge, publish, distribute, sublicense,14* and/or sell copies of the Software, and to permit persons to whom the15* Software is furnished to do so, subject to the following conditions:16*17* The above copyright notice and this permission notice (including the next18* paragraph) shall be included in all copies or substantial portions of the19* Software.20*21* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR22* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,23* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL24* VA LINUX SYSTEMS AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR25* OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,26* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR27* OTHER DEALINGS IN THE SOFTWARE.28*/2930#include <linux/export.h>31#include <linux/slab.h>3233#include <drm/drm_auth.h>34#include <drm/drm_drv.h>35#include <drm/drm_file.h>36#include <drm/drm_lease.h>37#include <drm/drm_print.h>3839#include "drm_internal.h"4041/**42* DOC: master and authentication43*44* &struct drm_master is used to track groups of clients with open45* primary device nodes. For every &struct drm_file which has had at46* least once successfully became the device master (either through the47* SET_MASTER IOCTL, or implicitly through opening the primary device node when48* no one else is the current master that time) there exists one &drm_master.49* This is noted in &drm_file.is_master. All other clients have just a pointer50* to the &drm_master they are associated with.51*52* In addition only one &drm_master can be the current master for a &drm_device.53* It can be switched through the DROP_MASTER and SET_MASTER IOCTL, or54* implicitly through closing/opening the primary device node. See also55* drm_is_current_master().56*57* Clients can authenticate against the current master (if it matches their own)58* using the GETMAGIC and AUTHMAGIC IOCTLs. Together with exchanging masters,59* this allows controlled access to the device for an entire group of mutually60* trusted clients.61*/6263static bool drm_is_current_master_locked(struct drm_file *fpriv)64{65lockdep_assert_once(lockdep_is_held(&fpriv->master_lookup_lock) ||66lockdep_is_held(&fpriv->minor->dev->master_mutex));6768return fpriv->is_master && drm_lease_owner(fpriv->master) == fpriv->minor->dev->master;69}7071/**72* drm_is_current_master - checks whether @priv is the current master73* @fpriv: DRM file private74*75* Checks whether @fpriv is current master on its device. This decides whether a76* client is allowed to run DRM_MASTER IOCTLs.77*78* Most of the modern IOCTL which require DRM_MASTER are for kernel modesetting79* - the current master is assumed to own the non-shareable display hardware.80*/81bool drm_is_current_master(struct drm_file *fpriv)82{83bool ret;8485spin_lock(&fpriv->master_lookup_lock);86ret = drm_is_current_master_locked(fpriv);87spin_unlock(&fpriv->master_lookup_lock);8889return ret;90}91EXPORT_SYMBOL(drm_is_current_master);9293int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv)94{95struct drm_auth *auth = data;96int ret = 0;9798guard(mutex)(&dev->master_mutex);99if (!file_priv->magic) {100ret = idr_alloc(&file_priv->master->magic_map, file_priv,1011, 0, GFP_KERNEL);102if (ret >= 0)103file_priv->magic = ret;104}105auth->magic = file_priv->magic;106107drm_dbg_core(dev, "%u\n", auth->magic);108109return ret < 0 ? ret : 0;110}111112int drm_authmagic(struct drm_device *dev, void *data,113struct drm_file *file_priv)114{115struct drm_auth *auth = data;116struct drm_file *file;117118drm_dbg_core(dev, "%u\n", auth->magic);119120guard(mutex)(&dev->master_mutex);121file = idr_find(&file_priv->master->magic_map, auth->magic);122if (file) {123file->authenticated = 1;124idr_replace(&file_priv->master->magic_map, NULL, auth->magic);125}126127return file ? 0 : -EINVAL;128}129130struct drm_master *drm_master_create(struct drm_device *dev)131{132struct drm_master *master;133134master = kzalloc(sizeof(*master), GFP_KERNEL);135if (!master)136return NULL;137138kref_init(&master->refcount);139idr_init_base(&master->magic_map, 1);140master->dev = dev;141142/* initialize the tree of output resource lessees */143INIT_LIST_HEAD(&master->lessees);144INIT_LIST_HEAD(&master->lessee_list);145idr_init(&master->leases);146idr_init_base(&master->lessee_idr, 1);147148return master;149}150151static void drm_set_master(struct drm_device *dev, struct drm_file *fpriv,152bool new_master)153{154dev->master = drm_master_get(fpriv->master);155if (dev->driver->master_set)156dev->driver->master_set(dev, fpriv, new_master);157158fpriv->was_master = true;159}160161static int drm_new_set_master(struct drm_device *dev, struct drm_file *fpriv)162{163struct drm_master *old_master;164struct drm_master *new_master;165166lockdep_assert_held_once(&dev->master_mutex);167168WARN_ON(fpriv->is_master);169old_master = fpriv->master;170new_master = drm_master_create(dev);171if (!new_master)172return -ENOMEM;173spin_lock(&fpriv->master_lookup_lock);174fpriv->master = new_master;175spin_unlock(&fpriv->master_lookup_lock);176177fpriv->is_master = 1;178fpriv->authenticated = 1;179180drm_set_master(dev, fpriv, true);181182if (old_master)183drm_master_put(&old_master);184185return 0;186}187188/*189* In the olden days the SET/DROP_MASTER ioctls used to return EACCES when190* CAP_SYS_ADMIN was not set. This was used to prevent rogue applications191* from becoming master and/or failing to release it.192*193* At the same time, the first client (for a given VT) is _always_ master.194* Thus in order for the ioctls to succeed, one had to _explicitly_ run the195* application as root or flip the setuid bit.196*197* If the CAP_SYS_ADMIN was missing, no other client could become master...198* EVER :-( Leading to a) the graphics session dying badly or b) a completely199* locked session.200*201*202* As some point systemd-logind was introduced to orchestrate and delegate203* master as applicable. It does so by opening the fd and passing it to users204* while in itself logind a) does the set/drop master per users' request and205* b) * implicitly drops master on VT switch.206*207* Even though logind looks like the future, there are a few issues:208* - some platforms don't have equivalent (Android, CrOS, some BSDs) so209* root is required _solely_ for SET/DROP MASTER.210* - applications may not be updated to use it,211* - any client which fails to drop master* can DoS the application using212* logind, to a varying degree.213*214* * Either due missing CAP_SYS_ADMIN or simply not calling DROP_MASTER.215*216*217* Here we implement the next best thing:218* - ensure the logind style of fd passing works unchanged, and219* - allow a client to drop/set master, iff it is/was master at a given point220* in time.221*222* Note: DROP_MASTER cannot be free for all, as an arbitrator user could:223* - DoS/crash the arbitrator - details would be implementation specific224* - open the node, become master implicitly and cause issues225*226* As a result this fixes the following when using root-less build w/o logind227* - startx228* - weston229* - various compositors based on wlroots230*/231static int232drm_master_check_perm(struct drm_device *dev, struct drm_file *file_priv)233{234if (file_priv->was_master &&235rcu_access_pointer(file_priv->pid) == task_tgid(current))236return 0;237238if (!capable(CAP_SYS_ADMIN))239return -EACCES;240241return 0;242}243244int drm_setmaster_ioctl(struct drm_device *dev, void *data,245struct drm_file *file_priv)246{247int ret;248249guard(mutex)(&dev->master_mutex);250251ret = drm_master_check_perm(dev, file_priv);252if (ret)253return ret;254255if (drm_is_current_master_locked(file_priv))256return ret;257258if (dev->master)259return -EBUSY;260261if (!file_priv->master)262return -EINVAL;263264if (!file_priv->is_master)265return drm_new_set_master(dev, file_priv);266267if (file_priv->master->lessor != NULL) {268drm_dbg_lease(dev,269"Attempt to set lessee %d as master\n",270file_priv->master->lessee_id);271return -EINVAL;272}273274drm_set_master(dev, file_priv, false);275276return ret;277}278279static void drm_drop_master(struct drm_device *dev,280struct drm_file *fpriv)281{282if (dev->driver->master_drop)283dev->driver->master_drop(dev, fpriv);284drm_master_put(&dev->master);285}286287int drm_dropmaster_ioctl(struct drm_device *dev, void *data,288struct drm_file *file_priv)289{290int ret;291292guard(mutex)(&dev->master_mutex);293294ret = drm_master_check_perm(dev, file_priv);295if (ret)296return ret;297298if (!drm_is_current_master_locked(file_priv))299return -EINVAL;300301if (!dev->master)302return -EINVAL;303304if (file_priv->master->lessor != NULL) {305drm_dbg_lease(dev,306"Attempt to drop lessee %d as master\n",307file_priv->master->lessee_id);308return -EINVAL;309}310311drm_drop_master(dev, file_priv);312313return ret;314}315316int drm_master_open(struct drm_file *file_priv)317{318struct drm_device *dev = file_priv->minor->dev;319int ret = 0;320321/* if there is no current master make this fd it, but do not create322* any master object for render clients323*/324guard(mutex)(&dev->master_mutex);325if (!dev->master) {326ret = drm_new_set_master(dev, file_priv);327} else {328spin_lock(&file_priv->master_lookup_lock);329file_priv->master = drm_master_get(dev->master);330spin_unlock(&file_priv->master_lookup_lock);331}332333return ret;334}335336void drm_master_release(struct drm_file *file_priv)337{338struct drm_device *dev = file_priv->minor->dev;339struct drm_master *master;340341guard(mutex)(&dev->master_mutex);342master = file_priv->master;343if (file_priv->magic)344idr_remove(&file_priv->master->magic_map, file_priv->magic);345346if (!drm_is_current_master_locked(file_priv))347goto out;348349if (dev->master == file_priv->master)350drm_drop_master(dev, file_priv);351out:352if (drm_core_check_feature(dev, DRIVER_MODESET) && file_priv->is_master) {353/* Revoke any leases held by this or lessees, but only if354* this is the "real" master355*/356drm_lease_revoke(master);357}358359/* drop the master reference held by the file priv */360if (file_priv->master)361drm_master_put(&file_priv->master);362}363364/**365* drm_master_get - reference a master pointer366* @master: &struct drm_master367*368* Increments the reference count of @master and returns a pointer to @master.369*/370struct drm_master *drm_master_get(struct drm_master *master)371{372kref_get(&master->refcount);373return master;374}375EXPORT_SYMBOL(drm_master_get);376377/**378* drm_file_get_master - reference &drm_file.master of @file_priv379* @file_priv: DRM file private380*381* Increments the reference count of @file_priv's &drm_file.master and returns382* the &drm_file.master. If @file_priv has no &drm_file.master, returns NULL.383*384* Master pointers returned from this function should be unreferenced using385* drm_master_put().386*/387struct drm_master *drm_file_get_master(struct drm_file *file_priv)388{389struct drm_master *master = NULL;390391spin_lock(&file_priv->master_lookup_lock);392if (!file_priv->master)393goto unlock;394master = drm_master_get(file_priv->master);395396unlock:397spin_unlock(&file_priv->master_lookup_lock);398return master;399}400EXPORT_SYMBOL(drm_file_get_master);401402static void drm_master_destroy(struct kref *kref)403{404struct drm_master *master = container_of(kref, struct drm_master, refcount);405struct drm_device *dev = master->dev;406407if (drm_core_check_feature(dev, DRIVER_MODESET))408drm_lease_destroy(master);409410idr_destroy(&master->magic_map);411idr_destroy(&master->leases);412idr_destroy(&master->lessee_idr);413414kfree(master->unique);415kfree(master);416}417418/**419* drm_master_put - unreference and clear a master pointer420* @master: pointer to a pointer of &struct drm_master421*422* This decrements the &drm_master behind @master and sets it to NULL.423*/424void drm_master_put(struct drm_master **master)425{426kref_put(&(*master)->refcount, drm_master_destroy);427*master = NULL;428}429EXPORT_SYMBOL(drm_master_put);430431/* Used by drm_client and drm_fb_helper */432bool drm_master_internal_acquire(struct drm_device *dev)433{434mutex_lock(&dev->master_mutex);435if (dev->master) {436mutex_unlock(&dev->master_mutex);437return false;438}439440return true;441}442EXPORT_SYMBOL(drm_master_internal_acquire);443444/* Used by drm_client and drm_fb_helper */445void drm_master_internal_release(struct drm_device *dev)446{447mutex_unlock(&dev->master_mutex);448}449EXPORT_SYMBOL(drm_master_internal_release);450451452