Commit 6f5005f0 authored Aug 25, 2023 by Christian König Committed by sanglipeng Mar 07, 2024

drm/amdgpu: fix amdgpu_cs_p1_user_fence

stable inclusion
from stable-v5.10.197
commit 7a8f285cb58e4e5d7ad0e5cb0c670ec26575130d
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I96Q8P

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7a8f285cb58e4e5d7ad0e5cb0c670ec26575130d



--------------------------------

commit 35588314 upstream.

The offset is just 32bits here so this can potentially overflow if
somebody specifies a large value. Instead reduce the size to calculate
the last possible offset.

The error handling path incorrectly drops the reference to the user
fence BO resulting in potential reference count underflow.

Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>

parent 6c129292

drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c

+4 −14

Original line number	Diff line number	Diff line
		@@ -45,7 +45,6 @@ static int amdgpu_cs_user_fence_chunk(struct amdgpu_cs_parser *p,
		struct drm_gem_object *gobj;
		struct amdgpu_bo *bo;
		unsigned long size;
		int r;

		gobj = drm_gem_object_lookup(p->filp, data->handle);
		if (gobj == NULL)
		@@ -60,23 +59,14 @@ static int amdgpu_cs_user_fence_chunk(struct amdgpu_cs_parser *p,
		drm_gem_object_put(gobj);

		size = amdgpu_bo_size(bo);
		if (size != PAGE_SIZE \|\| (data->offset + 8) > size) {
		r = -EINVAL;
		goto error_unref;
		}
		if (size != PAGE_SIZE \|\| data->offset > (size - 8))
		return -EINVAL;

		if (amdgpu_ttm_tt_get_usermm(bo->tbo.ttm)) {
		r = -EINVAL;
		goto error_unref;
		}
		if (amdgpu_ttm_tt_get_usermm(bo->tbo.ttm))
		return -EINVAL;

		*offset = data->offset;

		return 0;

		error_unref:
		amdgpu_bo_unref(&bo);
		return r;
		}

		static int amdgpu_cs_bo_handles_chunk(struct amdgpu_cs_parser *p,