From patchwork Tue Apr 12 15:35:28 2022
X-Patchwork-Submitter: Lee Jones
X-Patchwork-Id: 12810894
From: Lee Jones
To: lee.jones@linaro.org
Subject: [PATCH 4.19 1/2] drm/amdgpu: Check if fd really is an amdgpu fd.
Date: Tue, 12 Apr 2022 16:35:28 +0100
Message-Id: <20220412153529.1173412-1-lee.jones@linaro.org>
List-Id: Direct Rendering Infrastructure - Development
Cc: dri-devel@lists.freedesktop.org, David Airlie, Felix Kuehling, stable@vger.kernel.org, amd-gfx@lists.freedesktop.org, Alex Deucher, Christian König

From: Bas Nieuwenhuizen [ Upstream commit 021830d24ba55a578f602979274965344c8e6284 ] Otherwise we interpret the file private data as drm & amdgpu data while it might not be, possibly allowing one to get memory corruption. Cc: Felix Kuehling Cc: Alex Deucher Cc: "Christian König" Cc: David Airlie Cc: Daniel Vetter Cc: amd-gfx@lists.freedesktop.org Cc: dri-devel@lists.freedesktop.org Signed-off-by: Bas Nieuwenhuizen Reviewed-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Lee Jones --- drivers/gpu/drm/amd/amdgpu/amdgpu.h | 2 ++ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 16 ++++++++++++++++ drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c | 10 +++++++--- 3 files changed, 25 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu.h b/drivers/gpu/drm/amd/amdgpu/amdgpu.h index 447c4c7a36d68..acbd33fcb73d3 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h @@ -955,6 +955,8 @@ struct amdgpu_gfx { DECLARE_BITMAP (pipe_reserve_bitmap, AMDGPU_MAX_COMPUTE_QUEUES); }; +int amdgpu_file_to_fpriv(struct file *filp, struct amdgpu_fpriv **fpriv); + int amdgpu_ib_get(struct amdgpu_device *adev, struct amdgpu_vm *vm, unsigned size, struct amdgpu_ib *ib); void amdgpu_ib_free(struct amdgpu_device *adev, struct amdgpu_ib *ib, diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c index 63b1e325b45c5..b3b22a87b232b 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c 
@@ -1132,6 +1132,22 @@ static const struct file_operations amdgpu_driver_kms_fops = { #endif }; +int amdgpu_file_to_fpriv(struct file *filp, struct amdgpu_fpriv **fpriv) +{ + struct drm_file *file; + + if (!filp) + return -EINVAL; + + if (filp->f_op != &amdgpu_driver_kms_fops) { + return -EINVAL; + } + + file = filp->private_data; + *fpriv = file->driver_priv; + return 0; +} + static bool amdgpu_get_crtc_scanout_position(struct drm_device *dev, unsigned int pipe, bool in_vblank_irq, int *vpos, int *hpos, diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c index 1cafe8d83a4db..0b70410488b66 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c 
@@ -54,16 +54,20 @@ static int amdgpu_sched_process_priority_override(struct amdgpu_device *adev, enum drm_sched_priority priority) { struct file *filp = fget(fd); - struct drm_file *file; struct amdgpu_fpriv *fpriv; struct amdgpu_ctx *ctx; uint32_t id; + int r; if (!filp) return -EINVAL; - file = filp->private_data; - fpriv = file->driver_priv; + r = amdgpu_file_to_fpriv(filp, &fpriv); + if (r) { + fput(filp); + return r; + } + idr_for_each_entry(&fpriv->ctx_mgr.ctx_handles, ctx, id) amdgpu_ctx_priority_override(ctx, priority);

From patchwork Tue Apr 12 15:35:29 2022
X-Patchwork-Submitter: Lee Jones
X-Patchwork-Id: 12810895
From: Lee Jones
To: lee.jones@linaro.org
Subject: [PATCH 4.19 2/2] drm/amdgpu: Ensure the AMDGPU file descriptor is legitimate
Date: Tue, 12 Apr 2022 16:35:29 +0100
Message-Id: <20220412153529.1173412-2-lee.jones@linaro.org>
In-Reply-To: <20220412153529.1173412-1-lee.jones@linaro.org>
References: <20220412153529.1173412-1-lee.jones@linaro.org>
Cc: dri-devel@lists.freedesktop.org, David Airlie, Felix Kuehling, stable@vger.kernel.org, amd-gfx@lists.freedesktop.org, Alex Deucher, Christian König

[ Upstream commit b40a6ab2cf9213923bf8e821ce7fa7f6a0a26990 ] This is a partial cherry-pick of the above upstream commit. It ensures the file descriptor passed in by userspace is a valid one. Cc: Felix Kuehling Cc: Alex Deucher Cc: "Christian König" Cc: David Airlie Cc: Daniel Vetter Cc: amd-gfx@lists.freedesktop.org Cc: dri-devel@lists.freedesktop.org Signed-off-by: Lee Jones --- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c index f92597c292fe5..4488aad64643b 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
@@ -1044,11 +1044,15 @@ int amdgpu_amdkfd_gpuvm_acquire_process_vm(struct kgd_dev *kgd, struct dma_fence **ef) { struct amdgpu_device *adev = get_amdgpu_device(kgd); - struct drm_file *drm_priv = filp->private_data; - struct amdgpu_fpriv *drv_priv = drm_priv->driver_priv; - struct amdgpu_vm *avm = &drv_priv->vm; + struct amdgpu_fpriv *drv_priv; + struct amdgpu_vm *avm; int ret; + ret = amdgpu_file_to_fpriv(filp, &drv_priv); + if (ret) + return ret; + avm = &drv_priv->vm; + /* Already a compute VM? */ if (avm->process_info) return -EINVAL;
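
Review bot: The new helper amdgpu_file_to_fpriv() in amdgpu_drv.c (patch 1/2, hunk at -1132) is exported through amdgpu.h without any comment stating its contract. It neither takes nor drops a reference on filp, it leaves *fpriv unwritten on both -EINVAL paths, and the pointer it returns is only usable while the caller still holds its own reference on the file. A short kernel-doc block saying so would help, since the two callers in this series treat the reference differently. Style: the braces around the lone `return -EINVAL;` under `if (filp->f_op != &amdgpu_driver_kms_fops)` are unnecessary, and the NULL test and the f_op test could be a single condition.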
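
Review bot: In amdgpu_sched_process_priority_override() (patch 1/2, amdgpu_sched.c hunk at -54), the existing `if (!filp) return -EINVAL;` now looks redundant next to the NULL test inside amdgpu_file_to_fpriv(), but it has to stay: the new error branch calls `fput(filp)`, and that must not be reached when fget(fd) returned NULL. A one-line comment on the early return would keep a later cleanup from removing it. If the function's normal exit also drops the fget() reference (not visible in this hunk), routing both paths through one exit label would avoid a second release site.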
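
Review bot: In amdgpu_amdkfd_gpuvm_acquire_process_vm() (patch 2/2, hunk at -1044), the early `return ret;` after a failed amdgpu_file_to_fpriv() leaves filp alone, whereas the amdgpu_sched.c caller in patch 1/2 calls fput() on the same failure. That is correct only if the caller of this function owns the file reference; a comment stating the ownership would make the difference deliberate rather than accidental. Separately, the commit message says "partial cherry-pick" without naming which parts of upstream commit b40a6ab2cf9213923bf8e821ce7fa7f6a0a26990 were left out or why, so a stable reviewer cannot confirm from the message alone that nothing 4.19 needs is missing.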