From: Greg Kroah-Hartman
Date: Wed, 20 Sep 2023 11:08:56 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v5.10.196~11
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=aaf568b8f65e9c497fbc46ce43d73a331c8aee8d;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches added patches: drm-amdgpu-fix-amdgpu_cs_p1_user_fence.patch
---
diff --git a/queue-5.10/drm-amdgpu-fix-amdgpu_cs_p1_user_fence.patch b/queue-5.10/drm-amdgpu-fix-amdgpu_cs_p1_user_fence.patch
new file mode 100644
index 00000000000..b69035fa2f9
--- /dev/null
+++ b/queue-5.10/drm-amdgpu-fix-amdgpu_cs_p1_user_fence.patch
@@ -0,0 +1,67 @@
+From 35588314e963938dfdcdb792c9170108399377d6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?=
+Date: Fri, 25 Aug 2023 15:28:00 +0200
+Subject: drm/amdgpu: fix amdgpu_cs_p1_user_fence
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König
+
+commit 35588314e963938dfdcdb792c9170108399377d6 upstream.
+
+The offset is just 32bits here so this can potentially overflow if
+somebody specifies a large value. Instead reduce the size to calculate
+the last possible offset.
+
+The error handling path incorrectly drops the reference to the user
+fence BO resulting in potential reference count underflow.
+
+Signed-off-by: Christian König
+Reviewed-by: Alex Deucher
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 20 +++++---------------
+ 1 file changed, 5 insertions(+), 15 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+@@ -45,7 +45,6 @@ static int amdgpu_cs_user_fence_chunk(st
+ struct drm_gem_object *gobj;
+ struct amdgpu_bo *bo;
+ unsigned long size;
+- int r;
+
+ gobj = drm_gem_object_lookup(p->filp, data->handle);
+ if (gobj == NULL)
+@@ -60,23 +59,14 @@ static int amdgpu_cs_user_fence_chunk(st
+ drm_gem_object_put(gobj);
+
+ size = amdgpu_bo_size(bo);
+- if (size != PAGE_SIZE || (data->offset + 8) > size) {
+- r = -EINVAL;
+- goto error_unref;
+- }
+-
+- if (amdgpu_ttm_tt_get_usermm(bo->tbo.ttm)) {
+- r = -EINVAL;
+- goto error_unref;
+- }
++ if (size != PAGE_SIZE || data->offset > (size - 8))
++ return -EINVAL;
+
+- *offset = data->offset;
++ if (amdgpu_ttm_tt_get_usermm(bo->tbo.ttm))
++ return -EINVAL;
+
++ *offset = data->offset;
+ return 0;
+-
+-error_unref:
+- amdgpu_bo_unref(&bo);
+- return r;
+ }
+
+ static int amdgpu_cs_bo_handles_chunk(struct amdgpu_cs_parser *p,
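Review bot: The new bound `data->offset > (size - 8)` is safe only because `size != PAGE_SIZE` is tested first in the same `||`. If the operands were reordered or the size check relaxed, `size - 8` on an `unsigned long` could wrap and the check would accept any offset. A comment above the condition would pin this, for example `/* size == PAGE_SIZE past the first test, so size - 8 cannot wrap */`, and the bare `8` (presumably the width of the fence value written at that offset) would read better as a named constant or `sizeof(uint64_t)`. The two early `return -EINVAL` paths now deliberately keep the reference on `bo`. The place where it is released lies outside this hunk, so a comment such as `/* bo reference is dropped by the parser teardown, not here */` would help later backporters, once the owner is confirmed against the 5.10 tree. The body of amdgpu_cs_user_fence_chunk starts before the hunk.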
diff --git a/queue-5.10/series b/queue-5.10/series
index 0e51666e821..5ca6505f931 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -67,6 +67,7 @@ attr-block-mode-changes-of-symlinks.patch
 ovl-fix-incorrect-fdput-on-aio-completion.patch
 btrfs-fix-lockdep-splat-and-potential-deadlock-after-failure-running-delayed-items.patch
 btrfs-release-path-before-inode-lookup-during-the-ino-lookup-ioctl.patch
+drm-amdgpu-fix-amdgpu_cs_p1_user_fence.patch
 tracing-have-current_trace-inc-the-trace-array-ref-count.patch
 tracing-have-option-files-inc-the-trace-array-ref-count.patch
 nfsd-fix-change_info-in-nfsv4-rename-replies.patch