drm/amdgpu: Check if fd really is an amdgpu fd.

commit 021830d24ba55a578f602979274965344c8e6284 upstream.

Otherwise we interpret the file private data as drm & amdgpu data
while it might not be, possibly allowing one to get memory corruption.

Signed-off-by: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu.h b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
index 447c4c7a36d686b0e2fb93722611066f8e93db4e..acbd33fcb73d357f682aabf11d77af77068cd3a7 100644 (file)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
@@ -955,6 +955,8 @@ struct amdgpu_gfx {
        DECLARE_BITMAP                  (pipe_reserve_bitmap, AMDGPU_MAX_COMPUTE_QUEUES);
 };
 
+int amdgpu_file_to_fpriv(struct file *filp, struct amdgpu_fpriv **fpriv);
+
 int amdgpu_ib_get(struct amdgpu_device *adev, struct amdgpu_vm *vm,
                  unsigned size, struct amdgpu_ib *ib);
 void amdgpu_ib_free(struct amdgpu_device *adev, struct amdgpu_ib *ib,

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
index 63b1e325b45c57444c8a42ccb631131b9ac6094a..b3b22a87b232bc9987c9a3fa33667f7f260cf142 100644 (file)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
@@ -1132,6 +1132,22 @@ static const struct file_operations amdgpu_driver_kms_fops = {
 #endif
 };
 
+int amdgpu_file_to_fpriv(struct file *filp, struct amdgpu_fpriv **fpriv)
+{
+        struct drm_file *file;
+
+       if (!filp)
+               return -EINVAL;
+
+       if (filp->f_op != &amdgpu_driver_kms_fops) {
+               return -EINVAL;
+       }
+
+       file = filp->private_data;
+       *fpriv = file->driver_priv;
+       return 0;
+}
+
 static bool
 amdgpu_get_crtc_scanout_position(struct drm_device *dev, unsigned int pipe,
                                 bool in_vblank_irq, int *vpos, int *hpos,

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c
index 1cafe8d83a4dbaa60915801a7849a81613ef69c0..0b70410488b66cb270da578c7b1f82916f1bb23f 100644 (file)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c
@@ -54,16 +54,20 @@ static int amdgpu_sched_process_priority_override(struct amdgpu_device *adev,
                                                  enum drm_sched_priority priority)
 {
        struct file *filp = fget(fd);
-       struct drm_file *file;
        struct amdgpu_fpriv *fpriv;
        struct amdgpu_ctx *ctx;
        uint32_t id;
+       int r;
 
        if (!filp)
                return -EINVAL;
 
-       file = filp->private_data;
-       fpriv = file->driver_priv;
+       r = amdgpu_file_to_fpriv(filp, &fpriv);
+       if (r) {
+               fput(filp);
+               return r;
+       }
+
        idr_for_each_entry(&fpriv->ctx_mgr.ctx_handles, ctx, id)
                amdgpu_ctx_priority_override(ctx, priority);