From: Greg Kroah-Hartman Date: Wed, 20 Sep 2023 11:09:30 +0000 (+0200) Subject: 6.5-stable patches X-Git-Tag: v5.10.196~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=72a003f4086e2acd78bd0f34c55842f7c2d2b058;p=thirdparty%2Fkernel%2Fstable-queue.git 6.5-stable patches added patches: drm-amdgpu-fix-amdgpu_cs_p1_user_fence.patch
---
diff --git a/queue-6.5/drm-amdgpu-fix-amdgpu_cs_p1_user_fence.patch b/queue-6.5/drm-amdgpu-fix-amdgpu_cs_p1_user_fence.patch
new file mode 100644
index 00000000000..c01cf2593c9
--- /dev/null
+++ b/queue-6.5/drm-amdgpu-fix-amdgpu_cs_p1_user_fence.patch
@@ -0,0 +1,67 @@
+From 35588314e963938dfdcdb792c9170108399377d6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?=
+Date: Fri, 25 Aug 2023 15:28:00 +0200
+Subject: drm/amdgpu: fix amdgpu_cs_p1_user_fence
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König
+
+commit 35588314e963938dfdcdb792c9170108399377d6 upstream.
+
+The offset is just 32bits here so this can potentially overflow if
+somebody specifies a large value. Instead reduce the size to calculate
+the last possible offset.
+
+The error handling path incorrectly drops the reference to the user
+fence BO resulting in potential reference count underflow.
+
+Signed-off-by: Christian König
+Reviewed-by: Alex Deucher
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 20 +++++---------------
+ 1 file changed, 5 insertions(+), 15 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+@@ -127,7 +127,6 @@ static int amdgpu_cs_p1_user_fence(struc
+ struct drm_gem_object *gobj;
+ struct amdgpu_bo *bo;
+ unsigned long size;
+- int r;
+
+ gobj = drm_gem_object_lookup(p->filp, data->handle);
+ if (gobj == NULL)
+@@ -139,23 +138,14 @@ static int amdgpu_cs_p1_user_fence(struc
+ drm_gem_object_put(gobj);
+
+ size = amdgpu_bo_size(bo);
+- if (size != PAGE_SIZE || (data->offset + 8) > size) {
+- r = -EINVAL;
+- goto error_unref;
+- }
+-
+- if (amdgpu_ttm_tt_get_usermm(bo->tbo.ttm)) {
+- r = -EINVAL;
+- goto error_unref;
+- }
++ if (size != PAGE_SIZE || data->offset > (size - 8))
++ return -EINVAL;
+
+- *offset = data->offset;
++ if (amdgpu_ttm_tt_get_usermm(bo->tbo.ttm))
++ return -EINVAL;
+
++ *offset = data->offset;
+ return 0;
+-
+-error_unref:
+- amdgpu_bo_unref(&bo);
+- return r;
+ }
+
+ static int amdgpu_cs_p1_bo_handles(struct amdgpu_cs_parser *p,
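Review bot: The new bound `data->offset > (size - 8)` in the second hunk of amdgpu_cs.c is safe only because `size != PAGE_SIZE` is tested first and short-circuits, so `size - 8` cannot wrap for the unsigned `size`. Nothing at that line says so, and reordering or relaxing the size test later would bring a wrap back. I would add a comment above the check, for example `/* size == PAGE_SIZE past the first test, so size - 8 cannot wrap; keep this order */`. The two early `return -EINVAL;` paths now leave the BO reference alone, and the lines that take that reference fall between the two hunks and are not visible here, so a one-line comment naming who releases it (presumably the parser's teardown path) would make the refcount fix easier to audit. The function body starts before the first hunk and continues between the hunks.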
diff --git a/queue-6.5/series b/queue-6.5/series
index 37f94708062..c1a25e3f089 100644
--- a/queue-6.5/series
+++ b/queue-6.5/series
@@ -208,3 +208,4 @@ drm-amd-display-fix-the-white-screen-issue-when-64gb-dram.patch
 drm-amd-display-add-dpia-link-encoder-assignment-fix.patch
 drm-amd-display-fix-2nd-dpia-encoder-assignment.patch
 revert-memcg-drop-kmem.limit_in_bytes.patch
+drm-amdgpu-fix-amdgpu_cs_p1_user_fence.patch