5.10-stable patches

added patches:
	drm-amdgpu-fix-amdgpu_cs_p1_user_fence.patch

diff --git a/queue-5.10/drm-amdgpu-fix-amdgpu_cs_p1_user_fence.patch b/queue-5.10/drm-amdgpu-fix-amdgpu_cs_p1_user_fence.patch
new file mode 100644 (file)
index 0000000..b69035f
--- /dev/null
+++ b/queue-5.10/drm-amdgpu-fix-amdgpu_cs_p1_user_fence.patch
@@ -0,0 +1,67 @@
+From 35588314e963938dfdcdb792c9170108399377d6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
+Date: Fri, 25 Aug 2023 15:28:00 +0200
+Subject: drm/amdgpu: fix amdgpu_cs_p1_user_fence
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König <christian.koenig@amd.com>
+
+commit 35588314e963938dfdcdb792c9170108399377d6 upstream.
+
+The offset is just 32bits here so this can potentially overflow if
+somebody specifies a large value. Instead reduce the size to calculate
+the last possible offset.
+
+The error handling path incorrectly drops the reference to the user
+fence BO resulting in potential reference count underflow.
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c |   20 +++++---------------
+ 1 file changed, 5 insertions(+), 15 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+@@ -45,7 +45,6 @@ static int amdgpu_cs_user_fence_chunk(st
+       struct drm_gem_object *gobj;
+       struct amdgpu_bo *bo;
+       unsigned long size;
+-      int r;
+ 
+       gobj = drm_gem_object_lookup(p->filp, data->handle);
+       if (gobj == NULL)
+@@ -60,23 +59,14 @@ static int amdgpu_cs_user_fence_chunk(st
+       drm_gem_object_put(gobj);
+ 
+       size = amdgpu_bo_size(bo);
+-      if (size != PAGE_SIZE || (data->offset + 8) > size) {
+-              r = -EINVAL;
+-              goto error_unref;
+-      }
+-
+-      if (amdgpu_ttm_tt_get_usermm(bo->tbo.ttm)) {
+-              r = -EINVAL;
+-              goto error_unref;
+-      }
++      if (size != PAGE_SIZE || data->offset > (size - 8))
++              return -EINVAL;
+ 
+-      *offset = data->offset;
++      if (amdgpu_ttm_tt_get_usermm(bo->tbo.ttm))
++              return -EINVAL;
+ 
++      *offset = data->offset;
+       return 0;
+-
+-error_unref:
+-      amdgpu_bo_unref(&bo);
+-      return r;
+ }
+ 
+ static int amdgpu_cs_bo_handles_chunk(struct amdgpu_cs_parser *p,

diff --git a/queue-5.10/series b/queue-5.10/series
index 0e51666e82147428a0291856c919436cda618075..5ca6505f931fd354ab342f88e29cc3999238c7c8 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -67,6 +67,7 @@ attr-block-mode-changes-of-symlinks.patch
 ovl-fix-incorrect-fdput-on-aio-completion.patch
 btrfs-fix-lockdep-splat-and-potential-deadlock-after-failure-running-delayed-items.patch
 btrfs-release-path-before-inode-lookup-during-the-ino-lookup-ioctl.patch
+drm-amdgpu-fix-amdgpu_cs_p1_user_fence.patch
 tracing-have-current_trace-inc-the-trace-array-ref-count.patch
 tracing-have-option-files-inc-the-trace-array-ref-count.patch
 nfsd-fix-change_info-in-nfsv4-rename-replies.patch