6.5-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 20 Sep 2023 11:09:30 +0000 (13:09 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 20 Sep 2023 11:09:30 +0000 (13:09 +0200)
added patches:
drm-amdgpu-fix-amdgpu_cs_p1_user_fence.patch

queue-6.5/drm-amdgpu-fix-amdgpu_cs_p1_user_fence.patch [new file with mode: 0644]
queue-6.5/series

diff --git a/queue-6.5/drm-amdgpu-fix-amdgpu_cs_p1_user_fence.patch b/queue-6.5/drm-amdgpu-fix-amdgpu_cs_p1_user_fence.patch
new file mode 100644 (file)
index 0000000..c01cf25
--- /dev/null
@@ -0,0 +1,67 @@
+From 35588314e963938dfdcdb792c9170108399377d6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
+Date: Fri, 25 Aug 2023 15:28:00 +0200
+Subject: drm/amdgpu: fix amdgpu_cs_p1_user_fence
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König <christian.koenig@amd.com>
+
+commit 35588314e963938dfdcdb792c9170108399377d6 upstream.
+
+The offset is just 32bits here so this can potentially overflow if
+somebody specifies a large value. Instead reduce the size to calculate
+the last possible offset.
+
+The error handling path incorrectly drops the reference to the user
+fence BO resulting in potential reference count underflow.
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c |   20 +++++---------------
+ 1 file changed, 5 insertions(+), 15 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+@@ -127,7 +127,6 @@ static int amdgpu_cs_p1_user_fence(struc
+       struct drm_gem_object *gobj;
+       struct amdgpu_bo *bo;
+       unsigned long size;
+-      int r;
+       gobj = drm_gem_object_lookup(p->filp, data->handle);
+       if (gobj == NULL)
+@@ -139,23 +138,14 @@ static int amdgpu_cs_p1_user_fence(struc
+       drm_gem_object_put(gobj);
+       size = amdgpu_bo_size(bo);
+-      if (size != PAGE_SIZE || (data->offset + 8) > size) {
+-              r = -EINVAL;
+-              goto error_unref;
+-      }
+-
+-      if (amdgpu_ttm_tt_get_usermm(bo->tbo.ttm)) {
+-              r = -EINVAL;
+-              goto error_unref;
+-      }
++      if (size != PAGE_SIZE || data->offset > (size - 8))
++              return -EINVAL;
+-      *offset = data->offset;
++      if (amdgpu_ttm_tt_get_usermm(bo->tbo.ttm))
++              return -EINVAL;
++      *offset = data->offset;
+       return 0;
+-
+-error_unref:
+-      amdgpu_bo_unref(&bo);
+-      return r;
+ }
+ static int amdgpu_cs_p1_bo_handles(struct amdgpu_cs_parser *p,
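Review bot: The two new bare `return -EINVAL` exits in amdgpu_cs_p1_user_fence leave the function after a successful `drm_gem_object_lookup()` with no visible release of `bo`, and nothing in the new code records who owns that reference. The commit message says dropping it here was the bug, so the reference is presumably held by parser state set up in the lines elided between the two inner hunks and released at parser teardown. That should be stated once above the first check, e.g. `/* bo stays referenced by the parser entry and is released on parser cleanup; do not unref on error here */`, so a later cleanup pass does not "fix" the apparent leak and reintroduce the refcount underflow. The bound `data->offset > (size - 8)` is wrap-safe only because `size != PAGE_SIZE` is evaluated first, and the literal `8` is unexplained, so I would add `/* size == PAGE_SIZE here, so size - 8 cannot wrap; 8 is presumably the width of the fence value */` after confirming that width against the writer. The function starts before the first inner hunk, so both comments need checking against the full body.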
index 37f94708062bf4c209a8d1537e707c63abb970fd..c1a25e3f08935a6e46eb4ca3b0253cfbf9d4810f 100644 (file)
@@ -208,3 +208,4 @@ drm-amd-display-fix-the-white-screen-issue-when-64gb-dram.patch
 drm-amd-display-add-dpia-link-encoder-assignment-fix.patch
 drm-amd-display-fix-2nd-dpia-encoder-assignment.patch
 revert-memcg-drop-kmem.limit_in_bytes.patch
+drm-amdgpu-fix-amdgpu_cs_p1_user_fence.patch