[linux-block.git] / drivers / gpu / drm / drm_auth.c

/*
 * Created: Tue Feb  2 08:37:54 1999 by faith@valinux.com
 *
 * Copyright 1999 Precision Insight, Inc., Cedar Park, Texas.
 * Copyright 2000 VA Linux Systems, Inc., Sunnyvale, California.
 * All Rights Reserved.
 *
 * Author Rickard E. (Rik) Faith <faith@valinux.com>
 * Author Gareth Hughes <gareth@valinux.com>
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the "Software"),
 * to deal in the Software without restriction, including without limitation
 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
 * and/or sell copies of the Software, and to permit persons to whom the
 * Software is furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice (including the next
 * paragraph) shall be included in all copies or substantial portions of the
 * Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
 * VA LINUX SYSTEMS AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
 * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
 * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
 * OTHER DEALINGS IN THE SOFTWARE.
 */

#include <linux/slab.h>

#include <drm/drm_auth.h>
#include <drm/drm_drv.h>
#include <drm/drm_file.h>
#include <drm/drm_lease.h>
#include <drm/drm_print.h>

#include "drm_internal.h"

/**
 * DOC: master and authentication
 *
 * &struct drm_master is used to track groups of clients with open
 * primary device nodes. For every &struct drm_file which has had at
 * least once successfully became the device master (either through the
 * SET_MASTER IOCTL, or implicitly through opening the primary device node when
 * no one else is the current master that time) there exists one &drm_master.
 * This is noted in &drm_file.is_master. All other clients have just a pointer
 * to the &drm_master they are associated with.
 *
 * In addition only one &drm_master can be the current master for a &drm_device.
 * It can be switched through the DROP_MASTER and SET_MASTER IOCTL, or
 * implicitly through closing/opening the primary device node. See also
 * drm_is_current_master().
 *
 * Clients can authenticate against the current master (if it matches their own)
 * using the GETMAGIC and AUTHMAGIC IOCTLs. Together with exchanging masters,
 * this allows controlled access to the device for an entire group of mutually
 * trusted clients.
 */

static bool drm_is_current_master_locked(struct drm_file *fpriv)
{
	lockdep_assert_once(lockdep_is_held(&fpriv->master_lookup_lock) ||
			    lockdep_is_held(&fpriv->minor->dev->master_mutex));

	return fpriv->is_master && drm_lease_owner(fpriv->master) == fpriv->minor->dev->master;
}

/**
 * drm_is_current_master - checks whether @priv is the current master
 * @fpriv: DRM file private
 *
 * Checks whether @fpriv is current master on its device. This decides whether a
 * client is allowed to run DRM_MASTER IOCTLs.
 *
 * Most of the modern IOCTL which require DRM_MASTER are for kernel modesetting
 * - the current master is assumed to own the non-shareable display hardware.
 */
bool drm_is_current_master(struct drm_file *fpriv)
{
	bool ret;

	spin_lock(&fpriv->master_lookup_lock);
	ret = drm_is_current_master_locked(fpriv);
	spin_unlock(&fpriv->master_lookup_lock);

	return ret;
}
EXPORT_SYMBOL(drm_is_current_master);

int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv)
{
	struct drm_auth *auth = data;
	int ret = 0;

	mutex_lock(&dev->master_mutex);
	if (!file_priv->magic) {
		ret = idr_alloc(&file_priv->master->magic_map, file_priv,
				1, 0, GFP_KERNEL);
		if (ret >= 0)
			file_priv->magic = ret;
	}
	auth->magic = file_priv->magic;
	mutex_unlock(&dev->master_mutex);

	drm_dbg_core(dev, "%u\n", auth->magic);

	return ret < 0 ? ret : 0;
}

int drm_authmagic(struct drm_device *dev, void *data,
		  struct drm_file *file_priv)
{
	struct drm_auth *auth = data;
	struct drm_file *file;

	drm_dbg_core(dev, "%u\n", auth->magic);

	mutex_lock(&dev->master_mutex);
	file = idr_find(&file_priv->master->magic_map, auth->magic);
	if (file) {
		file->authenticated = 1;
		idr_replace(&file_priv->master->magic_map, NULL, auth->magic);
	}
	mutex_unlock(&dev->master_mutex);

	return file ? 0 : -EINVAL;
}

struct drm_master *drm_master_create(struct drm_device *dev)
{
	struct drm_master *master;

	master = kzalloc(sizeof(*master), GFP_KERNEL);
	if (!master)
		return NULL;

	kref_init(&master->refcount);
	idr_init_base(&master->magic_map, 1);
	master->dev = dev;

	/* initialize the tree of output resource lessees */
	INIT_LIST_HEAD(&master->lessees);
	INIT_LIST_HEAD(&master->lessee_list);
	idr_init(&master->leases);
	idr_init_base(&master->lessee_idr, 1);

	return master;
}

static void drm_set_master(struct drm_device *dev, struct drm_file *fpriv,
			   bool new_master)
{
	dev->master = drm_master_get(fpriv->master);
	if (dev->driver->master_set)
		dev->driver->master_set(dev, fpriv, new_master);

	fpriv->was_master = true;
}

static int drm_new_set_master(struct drm_device *dev, struct drm_file *fpriv)
{
	struct drm_master *old_master;
	struct drm_master *new_master;

	lockdep_assert_held_once(&dev->master_mutex);

	WARN_ON(fpriv->is_master);
	old_master = fpriv->master;
	new_master = drm_master_create(dev);
	if (!new_master)
		return -ENOMEM;
	spin_lock(&fpriv->master_lookup_lock);
	fpriv->master = new_master;
	spin_unlock(&fpriv->master_lookup_lock);

	fpriv->is_master = 1;
	fpriv->authenticated = 1;

	drm_set_master(dev, fpriv, true);

	if (old_master)
		drm_master_put(&old_master);

	return 0;
}

/*
 * In the olden days the SET/DROP_MASTER ioctls used to return EACCES when
 * CAP_SYS_ADMIN was not set. This was used to prevent rogue applications
 * from becoming master and/or failing to release it.
 *
 * At the same time, the first client (for a given VT) is _always_ master.
 * Thus in order for the ioctls to succeed, one had to _explicitly_ run the
 * application as root or flip the setuid bit.
 *
 * If the CAP_SYS_ADMIN was missing, no other client could become master...
 * EVER :-( Leading to a) the graphics session dying badly or b) a completely
 * locked session.
 *
 *
 * As some point systemd-logind was introduced to orchestrate and delegate
 * master as applicable. It does so by opening the fd and passing it to users
 * while in itself logind a) does the set/drop master per users' request and
 * b)  * implicitly drops master on VT switch.
 *
 * Even though logind looks like the future, there are a few issues:
 *  - some platforms don't have equivalent (Android, CrOS, some BSDs) so
 * root is required _solely_ for SET/DROP MASTER.
 *  - applications may not be updated to use it,
 *  - any client which fails to drop master* can DoS the application using
 * logind, to a varying degree.
 *
 * * Either due missing CAP_SYS_ADMIN or simply not calling DROP_MASTER.
 *
 *
 * Here we implement the next best thing:
 *  - ensure the logind style of fd passing works unchanged, and
 *  - allow a client to drop/set master, iff it is/was master at a given point
 * in time.
 *
 * Note: DROP_MASTER cannot be free for all, as an arbitrator user could:
 *  - DoS/crash the arbitrator - details would be implementation specific
 *  - open the node, become master implicitly and cause issues
 *
 * As a result this fixes the following when using root-less build w/o logind
 * - startx
 * - weston
 * - various compositors based on wlroots
 */
static int
drm_master_check_perm(struct drm_device *dev, struct drm_file *file_priv)
{
	if (file_priv->was_master &&
	    rcu_access_pointer(file_priv->pid) == task_tgid(current))
		return 0;

	if (!capable(CAP_SYS_ADMIN))
		return -EACCES;

	return 0;
}

int drm_setmaster_ioctl(struct drm_device *dev, void *data,
			struct drm_file *file_priv)
{
	int ret;

	mutex_lock(&dev->master_mutex);

	ret = drm_master_check_perm(dev, file_priv);
	if (ret)
		goto out_unlock;

	if (drm_is_current_master_locked(file_priv))
		goto out_unlock;

	if (dev->master) {
		ret = -EBUSY;
		goto out_unlock;
	}

	if (!file_priv->master) {
		ret = -EINVAL;
		goto out_unlock;
	}

	if (!file_priv->is_master) {
		ret = drm_new_set_master(dev, file_priv);
		goto out_unlock;
	}

	if (file_priv->master->lessor != NULL) {
		drm_dbg_lease(dev,
			      "Attempt to set lessee %d as master\n",
			      file_priv->master->lessee_id);
		ret = -EINVAL;
		goto out_unlock;
	}

	drm_set_master(dev, file_priv, false);
out_unlock:
	mutex_unlock(&dev->master_mutex);
	return ret;
}

static void drm_drop_master(struct drm_device *dev,
			    struct drm_file *fpriv)
{
	if (dev->driver->master_drop)
		dev->driver->master_drop(dev, fpriv);
	drm_master_put(&dev->master);
}

int drm_dropmaster_ioctl(struct drm_device *dev, void *data,
			 struct drm_file *file_priv)
{
	int ret;

	mutex_lock(&dev->master_mutex);

	ret = drm_master_check_perm(dev, file_priv);
	if (ret)
		goto out_unlock;

	if (!drm_is_current_master_locked(file_priv)) {
		ret = -EINVAL;
		goto out_unlock;
	}

	if (!dev->master) {
		ret = -EINVAL;
		goto out_unlock;
	}

	if (file_priv->master->lessor != NULL) {
		drm_dbg_lease(dev,
			      "Attempt to drop lessee %d as master\n",
			      file_priv->master->lessee_id);
		ret = -EINVAL;
		goto out_unlock;
	}

	drm_drop_master(dev, file_priv);
out_unlock:
	mutex_unlock(&dev->master_mutex);
	return ret;
}

int drm_master_open(struct drm_file *file_priv)
{
	struct drm_device *dev = file_priv->minor->dev;
	int ret = 0;

	/* if there is no current master make this fd it, but do not create
	 * any master object for render clients
	 */
	mutex_lock(&dev->master_mutex);
	if (!dev->master) {
		ret = drm_new_set_master(dev, file_priv);
	} else {
		spin_lock(&file_priv->master_lookup_lock);
		file_priv->master = drm_master_get(dev->master);
		spin_unlock(&file_priv->master_lookup_lock);
	}
	mutex_unlock(&dev->master_mutex);

	return ret;
}

void drm_master_release(struct drm_file *file_priv)
{
	struct drm_device *dev = file_priv->minor->dev;
	struct drm_master *master;

	mutex_lock(&dev->master_mutex);
	master = file_priv->master;
	if (file_priv->magic)
		idr_remove(&file_priv->master->magic_map, file_priv->magic);

	if (!drm_is_current_master_locked(file_priv))
		goto out;

	if (dev->master == file_priv->master)
		drm_drop_master(dev, file_priv);
out:
	if (drm_core_check_feature(dev, DRIVER_MODESET) && file_priv->is_master) {
		/* Revoke any leases held by this or lessees, but only if
		 * this is the "real" master
		 */
		drm_lease_revoke(master);
	}

	/* drop the master reference held by the file priv */
	if (file_priv->master)
		drm_master_put(&file_priv->master);
	mutex_unlock(&dev->master_mutex);
}

/**
 * drm_master_get - reference a master pointer
 * @master: &struct drm_master
 *
 * Increments the reference count of @master and returns a pointer to @master.
 */
struct drm_master *drm_master_get(struct drm_master *master)
{
	kref_get(&master->refcount);
	return master;
}
EXPORT_SYMBOL(drm_master_get);

/**
 * drm_file_get_master - reference &drm_file.master of @file_priv
 * @file_priv: DRM file private
 *
 * Increments the reference count of @file_priv's &drm_file.master and returns
 * the &drm_file.master. If @file_priv has no &drm_file.master, returns NULL.
 *
 * Master pointers returned from this function should be unreferenced using
 * drm_master_put().
 */
struct drm_master *drm_file_get_master(struct drm_file *file_priv)
{
	struct drm_master *master = NULL;

	spin_lock(&file_priv->master_lookup_lock);
	if (!file_priv->master)
		goto unlock;
	master = drm_master_get(file_priv->master);

unlock:
	spin_unlock(&file_priv->master_lookup_lock);
	return master;
}
EXPORT_SYMBOL(drm_file_get_master);

static void drm_master_destroy(struct kref *kref)
{
	struct drm_master *master = container_of(kref, struct drm_master, refcount);
	struct drm_device *dev = master->dev;

	if (drm_core_check_feature(dev, DRIVER_MODESET))
		drm_lease_destroy(master);

	idr_destroy(&master->magic_map);
	idr_destroy(&master->leases);
	idr_destroy(&master->lessee_idr);

	kfree(master->unique);
	kfree(master);
}

/**
 * drm_master_put - unreference and clear a master pointer
 * @master: pointer to a pointer of &struct drm_master
 *
 * This decrements the &drm_master behind @master and sets it to NULL.
 */
void drm_master_put(struct drm_master **master)
{
	kref_put(&(*master)->refcount, drm_master_destroy);
	*master = NULL;
}
EXPORT_SYMBOL(drm_master_put);

/* Used by drm_client and drm_fb_helper */
bool drm_master_internal_acquire(struct drm_device *dev)
{
	mutex_lock(&dev->master_mutex);
	if (dev->master) {
		mutex_unlock(&dev->master_mutex);
		return false;
	}

	return true;
}
EXPORT_SYMBOL(drm_master_internal_acquire);

/* Used by drm_client and drm_fb_helper */
void drm_master_internal_release(struct drm_device *dev)
{
	mutex_unlock(&dev->master_mutex);
}
EXPORT_SYMBOL(drm_master_internal_release);
Commit	Line	Data
1da177e4 LT	1	/*
	2	* Created: Tue Feb 2 08:37:54 1999 by faith@valinux.com
	3	*
	4	* Copyright 1999 Precision Insight, Inc., Cedar Park, Texas.
	5	* Copyright 2000 VA Linux Systems, Inc., Sunnyvale, California.
	6	* All Rights Reserved.
	7	*
32e7b94a DH	8	* Author Rickard E. (Rik) Faith <faith@valinux.com>
	9	* Author Gareth Hughes <gareth@valinux.com>
	10	*
1da177e4 LT	11	* Permission is hereby granted, free of charge, to any person obtaining a
	12	* copy of this software and associated documentation files (the "Software"),
	13	* to deal in the Software without restriction, including without limitation
	14	* the rights to use, copy, modify, merge, publish, distribute, sublicense,
	15	* and/or sell copies of the Software, and to permit persons to whom the
	16	* Software is furnished to do so, subject to the following conditions:
	17	*
	18	* The above copyright notice and this permission notice (including the next
	19	* paragraph) shall be included in all copies or substantial portions of the
	20	* Software.
	21	*
	22	* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
	23	* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	24	* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
	25	* VA LINUX SYSTEMS AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
	26	* OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
	27	* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
	28	* OTHER DEALINGS IN THE SOFTWARE.
	29	*/
	30
0500c04e SR	31	#include <linux/slab.h>
	32
	33	#include <drm/drm_auth.h>
	34	#include <drm/drm_drv.h>
	35	#include <drm/drm_file.h>
	36	#include <drm/drm_lease.h>
	37	#include <drm/drm_print.h>
	38
67d0ec4e	39	#include "drm_internal.h"
1da177e4	40
1da177e4	41	/**
3b96a0b1	42	* DOC: master and authentication
1da177e4	43	*
ea0dd85a	44	* &struct drm_master is used to track groups of clients with open
2722ac1c	45	* primary device nodes. For every &struct drm_file which has had at
3b96a0b1 DV	46	* least once successfully became the device master (either through the
	47	* SET_MASTER IOCTL, or implicitly through opening the primary device node when
	48	* no one else is the current master that time) there exists one &drm_master.
ef40cbf9 DV	49	* This is noted in &drm_file.is_master. All other clients have just a pointer
ef40cbf9 DV	50	* to the &drm_master they are associated with.
1da177e4	51	*
3b96a0b1 DV	52	* In addition only one &drm_master can be the current master for a &drm_device.
3b96a0b1 DV	53	* It can be switched through the DROP_MASTER and SET_MASTER IOCTL, or
0ae865ef	54	* implicitly through closing/opening the primary device node. See also
3b96a0b1 DV	55	* drm_is_current_master().
	56	*
	57	* Clients can authenticate against the current master (if it matches their own)
	58	* using the GETMAGIC and AUTHMAGIC IOCTLs. Together with exchanging masters,
	59	* this allows controlled access to the device for an entire group of mutually
	60	* trusted clients.
1da177e4	61	*/
3b96a0b1	62
1f7ef07c DCZX	63	static bool drm_is_current_master_locked(struct drm_file *fpriv)
1f7ef07c DCZX	64	{
649839d7 DCZX	65	lockdep_assert_once(lockdep_is_held(&fpriv->master_lookup_lock) \|\|
	66	lockdep_is_held(&fpriv->minor->dev->master_mutex));
	67
1f7ef07c DCZX	68	return fpriv->is_master && drm_lease_owner(fpriv->master) == fpriv->minor->dev->master;
	69	}
	70
	71	/**
	72	* drm_is_current_master - checks whether @priv is the current master
	73	* @fpriv: DRM file private
	74	*
	75	* Checks whether @fpriv is current master on its device. This decides whether a
	76	* client is allowed to run DRM_MASTER IOCTLs.
	77	*
	78	* Most of the modern IOCTL which require DRM_MASTER are for kernel modesetting
	79	* - the current master is assumed to own the non-shareable display hardware.
	80	*/
	81	bool drm_is_current_master(struct drm_file *fpriv)
	82	{
	83	bool ret;
	84
28be2405	85	spin_lock(&fpriv->master_lookup_lock);
1f7ef07c	86	ret = drm_is_current_master_locked(fpriv);
28be2405	87	spin_unlock(&fpriv->master_lookup_lock);
1f7ef07c DCZX	88
	89	return ret;
	90	}
	91	EXPORT_SYMBOL(drm_is_current_master);
	92
c153f45f	93	int drm_getmagic(struct drm_device dev, void data, struct drm_file *file_priv)
1da177e4	94	{
c153f45f	95	struct drm_auth *auth = data;
32e7b94a	96	int ret = 0;
1da177e4	97
d2b34ee6	98	mutex_lock(&dev->master_mutex);
32e7b94a DH	99	if (!file_priv->magic) {
	100	ret = idr_alloc(&file_priv->master->magic_map, file_priv,
	101	1, 0, GFP_KERNEL);
	102	if (ret >= 0)
	103	file_priv->magic = ret;
1da177e4	104	}
32e7b94a	105	auth->magic = file_priv->magic;
d2b34ee6	106	mutex_unlock(&dev->master_mutex);
1da177e4	107
6e22dc35	108	drm_dbg_core(dev, "%u\n", auth->magic);
c153f45f	109
32e7b94a	110	return ret < 0 ? ret : 0;
1da177e4 LT	111	}
1da177e4 LT	112
c153f45f EA	113	int drm_authmagic(struct drm_device dev, void data,
c153f45f EA	114	struct drm_file *file_priv)
1da177e4	115	{
c153f45f	116	struct drm_auth *auth = data;
84b1fd10	117	struct drm_file *file;
1da177e4	118
6e22dc35	119	drm_dbg_core(dev, "%u\n", auth->magic);
32e7b94a	120
d2b34ee6	121	mutex_lock(&dev->master_mutex);
32e7b94a DH	122	file = idr_find(&file_priv->master->magic_map, auth->magic);
32e7b94a DH	123	if (file) {
1da177e4	124	file->authenticated = 1;
32e7b94a	125	idr_replace(&file_priv->master->magic_map, NULL, auth->magic);
1da177e4	126	}
d2b34ee6	127	mutex_unlock(&dev->master_mutex);
32e7b94a DH	128
32e7b94a DH	129	return file ? 0 : -EINVAL;
1da177e4	130	}
6548f4e7	131
2ed077e4	132	struct drm_master drm_master_create(struct drm_device dev)
6548f4e7 DV	133	{
	134	struct drm_master *master;
	135
	136	master = kzalloc(sizeof(*master), GFP_KERNEL);
	137	if (!master)
	138	return NULL;
	139
	140	kref_init(&master->refcount);
a49afeb4	141	idr_init_base(&master->magic_map, 1);
6548f4e7 DV	142	master->dev = dev;
6548f4e7 DV	143
2ed077e4	144	/* initialize the tree of output resource lessees */
2ed077e4 KP	145	INIT_LIST_HEAD(&master->lessees);
	146	INIT_LIST_HEAD(&master->lessee_list);
	147	idr_init(&master->leases);
3a6acb7d	148	idr_init_base(&master->lessee_idr, 1);
2ed077e4	149
6548f4e7 DV	150	return master;
	151	}
	152
907f5320 EV	153	static void drm_set_master(struct drm_device dev, struct drm_file fpriv,
907f5320 EV	154	bool new_master)
d6ed682e	155	{
d6ed682e	156	dev->master = drm_master_get(fpriv->master);
907f5320 EV	157	if (dev->driver->master_set)
907f5320 EV	158	dev->driver->master_set(dev, fpriv, new_master);
d6ed682e	159
907f5320	160	fpriv->was_master = true;
d6ed682e DV	161	}
d6ed682e DV	162
2cbae7e6	163	static int drm_new_set_master(struct drm_device dev, struct drm_file fpriv)
6548f4e7 DV	164	{
6548f4e7 DV	165	struct drm_master *old_master;
0b0860a3	166	struct drm_master *new_master;
6548f4e7 DV	167
	168	lockdep_assert_held_once(&dev->master_mutex);
	169
23a336b3	170	WARN_ON(fpriv->is_master);
6548f4e7	171	old_master = fpriv->master;
0b0860a3 DCZX	172	new_master = drm_master_create(dev);
0b0860a3 DCZX	173	if (!new_master)
d6ed682e	174	return -ENOMEM;
0b0860a3 DCZX	175	spin_lock(&fpriv->master_lookup_lock);
	176	fpriv->master = new_master;
	177	spin_unlock(&fpriv->master_lookup_lock);
6548f4e7	178
0aae5920	179	fpriv->is_master = 1;
6548f4e7	180	fpriv->authenticated = 1;
d6ed682e	181
907f5320	182	drm_set_master(dev, fpriv, true);
d6ed682e	183
6548f4e7 DV	184	if (old_master)
	185	drm_master_put(&old_master);
	186
	187	return 0;
6548f4e7 DV	188	}
6548f4e7 DV	189
45bc3d26 EV	190	/*
	191	* In the olden days the SET/DROP_MASTER ioctls used to return EACCES when
	192	* CAP_SYS_ADMIN was not set. This was used to prevent rogue applications
	193	* from becoming master and/or failing to release it.
	194	*
	195	* At the same time, the first client (for a given VT) is _always_ master.
	196	* Thus in order for the ioctls to succeed, one had to _explicitly_ run the
	197	* application as root or flip the setuid bit.
	198	*
	199	* If the CAP_SYS_ADMIN was missing, no other client could become master...
	200	* EVER :-( Leading to a) the graphics session dying badly or b) a completely
	201	* locked session.
	202	*
	203	*
	204	* As some point systemd-logind was introduced to orchestrate and delegate
	205	* master as applicable. It does so by opening the fd and passing it to users
	206	* while in itself logind a) does the set/drop master per users' request and
	207	* b) * implicitly drops master on VT switch.
	208	*
	209	* Even though logind looks like the future, there are a few issues:
	210	* - some platforms don't have equivalent (Android, CrOS, some BSDs) so
	211	* root is required _solely_ for SET/DROP MASTER.
	212	* - applications may not be updated to use it,
	213	* - any client which fails to drop master* can DoS the application using
	214	* logind, to a varying degree.
	215	*
	216	* * Either due missing CAP_SYS_ADMIN or simply not calling DROP_MASTER.
	217	*
	218	*
	219	* Here we implement the next best thing:
	220	* - ensure the logind style of fd passing works unchanged, and
	221	* - allow a client to drop/set master, iff it is/was master at a given point
	222	* in time.
	223	*
	224	* Note: DROP_MASTER cannot be free for all, as an arbitrator user could:
	225	* - DoS/crash the arbitrator - details would be implementation specific
	226	* - open the node, become master implicitly and cause issues
	227	*
	228	* As a result this fixes the following when using root-less build w/o logind
	229	* - startx
	230	* - weston
	231	* - various compositors based on wlroots
	232	*/
	233	static int
	234	drm_master_check_perm(struct drm_device dev, struct drm_file file_priv)
	235	{
1c7a387f	236	if (file_priv->was_master &&
5a6c9a05	237	rcu_access_pointer(file_priv->pid) == task_tgid(current))
45bc3d26 EV	238	return 0;
	239
	240	if (!capable(CAP_SYS_ADMIN))
	241	return -EACCES;
	242
	243	return 0;
	244	}
	245
6548f4e7 DV	246	int drm_setmaster_ioctl(struct drm_device dev, void data,
	247	struct drm_file *file_priv)
	248	{
264ddd07	249	int ret;
6548f4e7 DV	250
6548f4e7 DV	251	mutex_lock(&dev->master_mutex);
45bc3d26 EV	252
	253	ret = drm_master_check_perm(dev, file_priv);
	254	if (ret)
	255	goto out_unlock;
	256
1f7ef07c	257	if (drm_is_current_master_locked(file_priv))
6548f4e7 DV	258	goto out_unlock;
6548f4e7 DV	259
95c081c1	260	if (dev->master) {
2bf99b22	261	ret = -EBUSY;
6548f4e7 DV	262	goto out_unlock;
	263	}
	264
	265	if (!file_priv->master) {
	266	ret = -EINVAL;
	267	goto out_unlock;
	268	}
	269
0aae5920	270	if (!file_priv->is_master) {
6548f4e7 DV	271	ret = drm_new_set_master(dev, file_priv);
	272	goto out_unlock;
	273	}
	274
2ed077e4	275	if (file_priv->master->lessor != NULL) {
6e22dc35 CS	276	drm_dbg_lease(dev,
	277	"Attempt to set lessee %d as master\n",
	278	file_priv->master->lessee_id);
2ed077e4 KP	279	ret = -EINVAL;
	280	goto out_unlock;
	281	}
	282
907f5320	283	drm_set_master(dev, file_priv, false);
6548f4e7 DV	284	out_unlock:
	285	mutex_unlock(&dev->master_mutex);
	286	return ret;
	287	}
	288
d6ed682e DV	289	static void drm_drop_master(struct drm_device *dev,
	290	struct drm_file *fpriv)
	291	{
	292	if (dev->driver->master_drop)
	293	dev->driver->master_drop(dev, fpriv);
	294	drm_master_put(&dev->master);
d6ed682e DV	295	}
d6ed682e DV	296
6548f4e7 DV	297	int drm_dropmaster_ioctl(struct drm_device dev, void data,
	298	struct drm_file *file_priv)
	299	{
2217d3bc	300	int ret;
6548f4e7 DV	301
6548f4e7 DV	302	mutex_lock(&dev->master_mutex);
45bc3d26 EV	303
	304	ret = drm_master_check_perm(dev, file_priv);
	305	if (ret)
	306	goto out_unlock;
	307
1f7ef07c	308	if (!drm_is_current_master_locked(file_priv)) {
264ddd07	309	ret = -EINVAL;
6548f4e7	310	goto out_unlock;
264ddd07	311	}
6548f4e7	312
264ddd07 EV	313	if (!dev->master) {
264ddd07 EV	314	ret = -EINVAL;
6548f4e7	315	goto out_unlock;
264ddd07	316	}
6548f4e7	317
761e05a7	318	if (file_priv->master->lessor != NULL) {
6e22dc35 CS	319	drm_dbg_lease(dev,
	320	"Attempt to drop lessee %d as master\n",
	321	file_priv->master->lessee_id);
761e05a7 KP	322	ret = -EINVAL;
	323	goto out_unlock;
	324	}
	325
d6ed682e	326	drm_drop_master(dev, file_priv);
6548f4e7 DV	327	out_unlock:
	328	mutex_unlock(&dev->master_mutex);
	329	return ret;
	330	}
	331
2cbae7e6 DV	332	int drm_master_open(struct drm_file *file_priv)
	333	{
	334	struct drm_device *dev = file_priv->minor->dev;
	335	int ret = 0;
	336
	337	/* if there is no current master make this fd it, but do not create
d00e3d9e BMC	338	* any master object for render clients
d00e3d9e BMC	339	*/
2cbae7e6	340	mutex_lock(&dev->master_mutex);
0b0860a3	341	if (!dev->master) {
2cbae7e6	342	ret = drm_new_set_master(dev, file_priv);
0b0860a3 DCZX	343	} else {
0b0860a3 DCZX	344	spin_lock(&file_priv->master_lookup_lock);
95c081c1	345	file_priv->master = drm_master_get(dev->master);
0b0860a3 DCZX	346	spin_unlock(&file_priv->master_lookup_lock);
0b0860a3 DCZX	347	}
2cbae7e6 DV	348	mutex_unlock(&dev->master_mutex);
	349
	350	return ret;
	351	}
	352
14d71ebd DV	353	void drm_master_release(struct drm_file *file_priv)
	354	{
	355	struct drm_device *dev = file_priv->minor->dev;
c336a5ee	356	struct drm_master *master;
14d71ebd	357
d2b34ee6	358	mutex_lock(&dev->master_mutex);
c336a5ee	359	master = file_priv->master;
a77316bf DV	360	if (file_priv->magic)
a77316bf DV	361	idr_remove(&file_priv->master->magic_map, file_priv->magic);
a77316bf	362
1f7ef07c	363	if (!drm_is_current_master_locked(file_priv))
0de4cc99	364	goto out;
14d71ebd	365
d6ed682e DV	366	if (dev->master == file_priv->master)
d6ed682e DV	367	drm_drop_master(dev, file_priv);
0de4cc99	368	out:
2ed077e4 KP	369	if (drm_core_check_feature(dev, DRIVER_MODESET) && file_priv->is_master) {
	370	/* Revoke any leases held by this or lessees, but only if
	371	* this is the "real" master
	372	*/
	373	drm_lease_revoke(master);
	374	}
	375
14d71ebd DV	376	/* drop the master reference held by the file priv */
	377	if (file_priv->master)
	378	drm_master_put(&file_priv->master);
14d71ebd DV	379	mutex_unlock(&dev->master_mutex);
	380	}
	381
3b96a0b1 DV	382	/**
3b96a0b1 DV	383	* drm_master_get - reference a master pointer
ea0dd85a	384	* @master: &struct drm_master
3b96a0b1 DV	385	*
	386	* Increments the reference count of @master and returns a pointer to @master.
	387	*/
6548f4e7 DV	388	struct drm_master drm_master_get(struct drm_master master)
	389	{
	390	kref_get(&master->refcount);
	391	return master;
	392	}
	393	EXPORT_SYMBOL(drm_master_get);
	394
56f0729a DCZX	395	/**
	396	* drm_file_get_master - reference &drm_file.master of @file_priv
	397	* @file_priv: DRM file private
	398	*
	399	* Increments the reference count of @file_priv's &drm_file.master and returns
	400	* the &drm_file.master. If @file_priv has no &drm_file.master, returns NULL.
	401	*
	402	* Master pointers returned from this function should be unreferenced using
	403	* drm_master_put().
	404	*/
	405	struct drm_master drm_file_get_master(struct drm_file file_priv)
	406	{
	407	struct drm_master *master = NULL;
	408
	409	spin_lock(&file_priv->master_lookup_lock);
	410	if (!file_priv->master)
	411	goto unlock;
	412	master = drm_master_get(file_priv->master);
	413
	414	unlock:
	415	spin_unlock(&file_priv->master_lookup_lock);
	416	return master;
	417	}
	418	EXPORT_SYMBOL(drm_file_get_master);
	419
6548f4e7 DV	420	static void drm_master_destroy(struct kref *kref)
	421	{
	422	struct drm_master *master = container_of(kref, struct drm_master, refcount);
	423	struct drm_device *dev = master->dev;
	424
2ed077e4 KP	425	if (drm_core_check_feature(dev, DRIVER_MODESET))
	426	drm_lease_destroy(master);
	427
6548f4e7	428	idr_destroy(&master->magic_map);
2ed077e4 KP	429	idr_destroy(&master->leases);
	430	idr_destroy(&master->lessee_idr);
	431
6548f4e7 DV	432	kfree(master->unique);
	433	kfree(master);
	434	}
	435
3b96a0b1 DV	436	/**
3b96a0b1 DV	437	* drm_master_put - unreference and clear a master pointer
ea0dd85a	438	* @master: pointer to a pointer of &struct drm_master
3b96a0b1 DV	439	*
	440	* This decrements the &drm_master behind @master and sets it to NULL.
	441	*/
6548f4e7 DV	442	void drm_master_put(struct drm_master **master)
	443	{
	444	kref_put(&(*master)->refcount, drm_master_destroy);
	445	*master = NULL;
	446	}
	447	EXPORT_SYMBOL(drm_master_put);
03a9606e NT	448
	449	/* Used by drm_client and drm_fb_helper */
	450	bool drm_master_internal_acquire(struct drm_device *dev)
	451	{
	452	mutex_lock(&dev->master_mutex);
	453	if (dev->master) {
	454	mutex_unlock(&dev->master_mutex);
	455	return false;
	456	}
	457
	458	return true;
	459	}
	460	EXPORT_SYMBOL(drm_master_internal_acquire);
	461
	462	/* Used by drm_client and drm_fb_helper */
	463	void drm_master_internal_release(struct drm_device *dev)
	464	{
	465	mutex_unlock(&dev->master_mutex);
	466	}
	467	EXPORT_SYMBOL(drm_master_internal_release);