From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9431B28E00 for ; Wed, 20 Sep 2023 11:53:48 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1CB17C433CA; Wed, 20 Sep 2023 11:53:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1695210828; bh=jxgmEp6BU3OYaCFRUsFSN8xsvK4r56XRZxUUkP3oJfU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=17Eguzf/sbJf27SCgwlJtbaj+q2BP4ERkrSjMxdymWF0kV2qGWMTC3FwDUKKda3vD t4vof5+lsiHjWog0GkyeVWoAR2y6IH4codSOVfgll3WFjW2zv8QrKYr8QnNpnMzS6b 8dGpmUWzRE7n50A4UQ8xrVWDqIl9lS1hitVuUvQg= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, =?UTF-8?q?Christian=20K=C3=B6nig?= , Alex Deucher Subject: [PATCH 6.5 211/211] drm/amdgpu: fix amdgpu_cs_p1_user_fence Date: Wed, 20 Sep 2023 13:30:55 +0200 Message-ID: <20230920112852.403014023@linuxfoundation.org> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20230920112845.859868994@linuxfoundation.org> References: <20230920112845.859868994@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 6.5-stable review patch. If anyone has any objections, please let me know. ------------------ From: Christian König commit 35588314e963938dfdcdb792c9170108399377d6 upstream. The offset is just 32bits here so this can potentially overflow if somebody specifies a large value. Instead reduce the size to calculate the last possible offset. The error handling path incorrectly drops the reference to the user fence BO resulting in potential reference count underflow. Signed-off-by: Christian König Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c @@ -127,7 +127,6 @@ static int amdgpu_cs_p1_user_fence(struc struct drm_gem_object *gobj; struct amdgpu_bo *bo; unsigned long size; - int r; gobj = drm_gem_object_lookup(p->filp, data->handle); if (gobj == NULL) @@ -139,23 +138,14 @@ static int amdgpu_cs_p1_user_fence(struc drm_gem_object_put(gobj); size = amdgpu_bo_size(bo); - if (size != PAGE_SIZE || (data->offset + 8) > size) { - r = -EINVAL; - goto error_unref; - } - - if (amdgpu_ttm_tt_get_usermm(bo->tbo.ttm)) { - r = -EINVAL; - goto error_unref; - } + if (size != PAGE_SIZE || data->offset > (size - 8)) + return -EINVAL; - *offset = data->offset; + if (amdgpu_ttm_tt_get_usermm(bo->tbo.ttm)) + return -EINVAL; + *offset = data->offset; return 0; - -error_unref: - amdgpu_bo_unref(&bo); - return r; } static int amdgpu_cs_p1_bo_handles(struct amdgpu_cs_parser *p,