kernel/linux.git/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c, branch v6.1.53

drm/amdgpu: Fix potential fence use-after-free v2

2023-08-23T15:52:25+00:00

[ Upstream commit 2e54154b9f27262efd0cb4f903cc7d5ad1fe9628 ] fence Decrements the reference count before exiting. Avoid Race Vulnerabilities for fence use-after-free. v2 (chk): actually fix the use after free and not just move it. Signed-off-by: shanzhulig Signed-off-by: Christian König Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin

drm/amdgpu: Fix integer overflow in amdgpu_cs_pass1

2023-08-23T15:52:19+00:00

[ Upstream commit 87c2213e85bd81e4a9a4d0880c256568794ae388 ] The type of size is unsigned int, if size is 0x40000000, there will be an integer overflow, size will be zero after size *= sizeof(uint32_t), will cause uninitialized memory to be referenced later. Reviewed-by: Christian König Signed-off-by: hackyzh002 Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin

drm/amdgpu: fix possible UAF in amdgpu_cs_pass1()

2023-08-16T16:27:22+00:00

commit 90e065677e0362a777b9db97ea21d43a39211399 upstream. Since the gang_size check is outside of chunk parsing loop, we need to reset i before we free the chunk data. Suggested by Ye Zhang (@VAR10CK) of Baidu Security. Reviewed-by: Guchun Chen Reviewed-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman

drm/amdgpu: fix number of fence calculations

2023-07-19T14:22:03+00:00

[ Upstream commit 570b295248b00c3cf4cf59e397de5cb2361e10c2 ] Since adding gang submit we need to take the gang size into account while reserving fences. Signed-off-by: Christian König Fixes: 4624459c84d7 ("drm/amdgpu: add gang submit frontend v6") Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin

drm/amdgpu: fix userptr HMM range handling v2

2022-11-21T21:40:30+00:00

The basic problem here is that it's not allowed to page fault while holding the reservation lock. So it can happen that multiple processes try to validate an userptr at the same time. Work around that by putting the HMM range object into the mutex protected bo list for now. v2: make sure range is set to NULL in case of an error Signed-off-by: Christian König Reviewed-by: Alex Deucher Reviewed-by: Felix Kuehling CC: stable@vger.kernel.org Signed-off-by: Alex Deucher

Merge tag 'amd-drm-fixes-6.1-2022-11-16' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes

2022-11-18T01:09:04+00:00

amd-drm-fixes-6.1-2022-11-16: amdgpu: - Fix a possible memory leak in ganng submit error path - DP tunneling fixes - DCN 3.1 page flip fix - DCN 3.2.x fixes - DCN 3.1.4 fixes - Don't expose degamma on hardware that doesn't support it - BACO fixes for SMU 11.x - BACO fixes for SMU 13.x - Virtual display fix for devices with no display hardware amdkfd: - Memory limit regression fix Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20221117040416.6100-1-alexander.deucher@amd.com

Merge tag 'drm-misc-fixes-2022-11-17' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes

2022-11-17T21:08:57+00:00

drm-misc-fixes for v6.1-rc6: - Fix error handling in vc4_atomic_commit_tail() - Set bpc for logictechno panels. - Fix potential memory leak in drm_dev_init() - Fix potential null-ptr-deref in drm_vblank_destroy_worker() - Set lima's clkname corrrectly when regulator is missing. - Small amdgpu fix to gang submission. - Revert hiding unregistered connectors from userspace, as it breaks on DP-MST. - Add workaround for DP++ dual mode adaptors that don't support i2c subaddressing. Signed-off-by: Dave Airlie From: Maarten Lankhorst Link: https://patchwork.freedesktop.org/patch/msgid/c7d02936-c550-199b-6cb7-cbf6cf104e4a@linux.intel.com

drm/amdgpu: Fix memory leak in amdgpu_cs_pass1

2022-11-15T18:03:59+00:00

When p->gang_size equals 0, amdgpu_cs_pass1() will return directly without freeing chunk_array, which will cause a memory leak issue, this patch fixes it. Fixes: 4624459c84d7 ("drm/amdgpu: add gang submit frontend v6") Reviewed-by: Luben Tuikov Signed-off-by: Dong Chenchen Signed-off-by: Alex Deucher

drm/amdgpu: use the last IB as gang leader v2

2022-11-15T14:27:18+00:00

It turned out that not the last IB specified is the gang leader, but instead the last job allocated. This is a bit unfortunate and not very intuitive for the CS interface, so try to fix this. Signed-off-by: Christian König Link: https://patchwork.freedesktop.org/patch/msgid/20221115094206.6181-1-christian.koenig@amd.com Tested-by: Timur Kristóf Acked-by: Timur Kristóf Reviewed-by: Alex Deucher Fixes: 4624459c84d7 ("drm/amdgpu: add gang submit frontend v6")

drm/amdgpu: Unlock bo_list_mutex after error handling

2022-11-09T23:05:16+00:00

Get below kernel WARNING backtrace when pressing ctrl-C to kill kfdtest application. If amdgpu_cs_parser_bos returns error after taking bo_list_mutex, as caller amdgpu_cs_ioctl will not unlock bo_list_mutex, this generates the kernel WARNING. Add unlock bo_list_mutex after amdgpu_cs_parser_bos error handling to cleanup bo_list userptr bo. WARNING: kfdtest/2930 still has locks held! 1 lock held by kfdtest/2930: (&list->bo_list_mutex){+.+.}-{3:3}, at: amdgpu_cs_ioctl+0xce5/0x1f10 [amdgpu] stack backtrace: dump_stack_lvl+0x44/0x57 get_signal+0x79f/0xd00 arch_do_signal_or_restart+0x36/0x7b0 exit_to_user_mode_prepare+0xfd/0x1b0 syscall_exit_to_user_mode+0x19/0x40 do_syscall_64+0x40/0x80 Signed-off-by: Philip Yang Reviewed-by: Christian König Signed-off-by: Alex Deucher