kernel/linux.git/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c, branch v6.1.124 Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.1.124 2024-10-22T13:56:46+00:00 drm/amdgpu: prevent BO_HANDLES error from being overwritten 2024-10-22T13:56:46+00:00 Mohammed Anees pvmohammedanees2003@gmail.com 2024-10-09T12:28:31+00:00 urn:sha1:dc79c24e58836e9062f50fb01ae0a3e31fb9bcfc commit c0ec082f10b7a1fd25e8c1e2a686440da913b7a3 upstream. Before this patch, if multiple BO_HANDLES chunks were submitted, the error -EINVAL would be correctly set but could be overwritten by the return value from amdgpu_cs_p1_bo_handles(). This patch ensures that if there are multiple BO_HANDLES, we stop. Fixes: fec5f8e8c6bc ("drm/amdgpu: disallow multiple BO_HANDLES chunks in one submit") Signed-off-by: Mohammed Anees <pvmohammedanees2003@gmail.com> Reviewed-by: Christian König <christian.koenig@amd.com> Signed-off-by: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit 40f2cd98828f454bdc5006ad3d94330a5ea164b7) Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> drm/amdgpu: disallow multiple BO_HANDLES chunks in one submit 2024-10-17T13:21:43+00:00 Pierre-Eric Pelloux-Prayer pierre-eric.pelloux-prayer@amd.com 2024-07-02T09:54:30+00:00 urn:sha1:0ed438e52cfe5af54bcf4cc3cc71d9650191fcf5 [ Upstream commit fec5f8e8c6bcf83ed7a392801d7b44c5ecfc1e82 ] Before this commit, only submits with both a BO_HANDLES chunk and a 'bo_list_handle' would be rejected (by amdgpu_cs_parser_bos). But if UMD sent multiple BO_HANDLES, what would happen is: * only the last one would be really used * all the others would leak memory as amdgpu_cs_p1_bo_handles would overwrite the previous p->bo_list value This commit rejects submissions with multiple BO_HANDLES chunks to match the implementation of the parser. Signed-off-by: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com> Reviewed-by: Christian König <christian.koenig@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Sasha Levin <sashal@kernel.org> drm/amdgpu: correct chunk_ptr to a pointer to chunk. 2023-12-13T17:39:04+00:00 YuanShang YuanShang.Mao@amd.com 2023-10-31T02:32:37+00:00 urn:sha1:9046665befd6e9b9b97df458dc4c41cfe63e21d3 [ Upstream commit 50d51374b498457c4dea26779d32ccfed12ddaff ] The variable "chunk_ptr" should be a pointer pointing to a struct drm_amdgpu_cs_chunk instead of to a pointer of that. Signed-off-by: YuanShang <YuanShang.Mao@amd.com> Reviewed-by: Christian König <christian.koenig@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Sasha Levin <sashal@kernel.org> drm/amdgpu: lower CS errors to debug severity 2023-11-28T17:07:22+00:00 Christian König christian.koenig@amd.com 2023-11-09T09:14:14+00:00 urn:sha1:51ffa1a3792e3570ae2eb84d003c329b3d71da6c commit 17daf01ab4e3e5a5929747aa05cc15eb2bad5438 upstream. Otherwise userspace can spam the logs by using incorrect input values. Signed-off-by: Christian König <christian.koenig@amd.com> Reviewed-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> drm/amdgpu: fix amdgpu_cs_p1_user_fence 2023-09-23T09:11:12+00:00 Christian König christian.koenig@amd.com 2023-08-25T13:28:00+00:00 urn:sha1:4c6bb91581796d34466d85bc06c9393d27f83101 commit 35588314e963938dfdcdb792c9170108399377d6 upstream. The offset is just 32bits here so this can potentially overflow if somebody specifies a large value. Instead reduce the size to calculate the last possible offset. The error handling path incorrectly drops the reference to the user fence BO resulting in potential reference count underflow. Signed-off-by: Christian König <christian.koenig@amd.com> Reviewed-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> drm/amdgpu: Fix potential fence use-after-free v2 2023-08-23T15:52:25+00:00 shanzhulig shanzhulig@gmail.com 2023-06-28T01:10:47+00:00 urn:sha1:dd0b3b367c3839e439f36af908b39c98929a5e54 [ Upstream commit 2e54154b9f27262efd0cb4f903cc7d5ad1fe9628 ] fence Decrements the reference count before exiting. Avoid Race Vulnerabilities for fence use-after-free. v2 (chk): actually fix the use after free and not just move it. Signed-off-by: shanzhulig <shanzhulig@gmail.com> Signed-off-by: Christian König <christian.koenig@amd.com> Reviewed-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Sasha Levin <sashal@kernel.org> drm/amdgpu: Fix integer overflow in amdgpu_cs_pass1 2023-08-23T15:52:19+00:00 hackyzh002 hackyzh002@gmail.com 2023-04-19T12:22:33+00:00 urn:sha1:9f55d300541cb5b435984d269087810581580b00 [ Upstream commit 87c2213e85bd81e4a9a4d0880c256568794ae388 ] The type of size is unsigned int, if size is 0x40000000, there will be an integer overflow, size will be zero after size *= sizeof(uint32_t), will cause uninitialized memory to be referenced later. Reviewed-by: Christian König <christian.koenig@amd.com> Signed-off-by: hackyzh002 <hackyzh002@gmail.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Sasha Levin <sashal@kernel.org> drm/amdgpu: fix possible UAF in amdgpu_cs_pass1() 2023-08-16T16:27:22+00:00 Alex Deucher alexander.deucher@amd.com 2023-07-28T15:14:05+00:00 urn:sha1:9a2393af1f35d1975204fc00035c64a1c792b278 commit 90e065677e0362a777b9db97ea21d43a39211399 upstream. Since the gang_size check is outside of chunk parsing loop, we need to reset i before we free the chunk data. Suggested by Ye Zhang (@VAR10CK) of Baidu Security. Reviewed-by: Guchun Chen <guchun.chen@amd.com> Reviewed-by: Christian König <christian.koenig@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> drm/amdgpu: fix number of fence calculations 2023-07-19T14:22:03+00:00 Christian König christian.koenig@amd.com 2023-06-20T11:18:13+00:00 urn:sha1:0d4e60e23c7d6a54f80e1b8ceec9a8c3df736dad [ Upstream commit 570b295248b00c3cf4cf59e397de5cb2361e10c2 ] Since adding gang submit we need to take the gang size into account while reserving fences. Signed-off-by: Christian König <christian.koenig@amd.com> Fixes: 4624459c84d7 ("drm/amdgpu: add gang submit frontend v6") Reviewed-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Sasha Levin <sashal@kernel.org> drm/amdgpu: fix userptr HMM range handling v2 2022-11-21T21:40:30+00:00 Christian König christian.koenig@amd.com 2022-11-10T11:31:41+00:00 urn:sha1:4458da0bb09d4435956b4377685e8836935e9b9d The basic problem here is that it's not allowed to page fault while holding the reservation lock. So it can happen that multiple processes try to validate an userptr at the same time. Work around that by putting the HMM range object into the mutex protected bo list for now. v2: make sure range is set to NULL in case of an error Signed-off-by: Christian König <christian.koenig@amd.com> Reviewed-by: Alex Deucher <alexander.deucher@amd.com> Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com> CC: stable@vger.kernel.org Signed-off-by: Alex Deucher <alexander.deucher@amd.com>