Subject: FAILED: patch "[PATCH] drm/amdgpu: fix amdgpu_cs_p1_user_fence" failed to apply to 6.1-stable tree
To: christian.koenig@amd.com, alexander.deucher@amd.com
Cc:
From:
Date: Sat, 16 Sep 2023 14:29:15 +0200
Message-ID: <2023091615-moodiness-twelve-b779@gregkh>
X-Mailing-List: stable@vger.kernel.org

The patch below does not apply to the 6.1-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to .

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x 35588314e963938dfdcdb792c9170108399377d6
#
git commit -s
git send-email --to '' --in-reply-to '2023091615-moodiness-twelve-b779@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..

Possible dependencies:

35588314e963 ("drm/amdgpu: fix amdgpu_cs_p1_user_fence")
ca6c1e210aa7 ("drm/amdgpu: use the new drm_exec object for CS v3")
8abc1eb2987a ("drm/amdkfd: switch over to using drm_exec v3")
f2cd6b26922e ("drm/amdkfd: fix stack size in svm_range_validate_and_map")
3af470cbcc9f ("drm/amdkfd: Fix an issue at userptr buffer validation process.")
c103a23f2f29 ("drm/amd: Convert amdgpu to use suballocation helper.")
aebd8f0c6f82 ("Merge v6.2-rc6 into drm-next")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

>From 35588314e963938dfdcdb792c9170108399377d6 Mon Sep 17 00:00:00 2001
From: Christian König
Date: Fri, 25 Aug 2023 15:28:00 +0200
Subject: [PATCH] drm/amdgpu: fix amdgpu_cs_p1_user_fence
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The offset is just 32bits here so this can potentially overflow if
somebody specifies a large value. Instead reduce the size to calculate
the last possible offset.

The error handling path incorrectly drops the reference to the user
fence BO resulting in potential reference count underflow.

Signed-off-by: Christian König Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c index 49dd9aa8da70..efdb1c48f431 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c @@ -127,7 +127,6 @@ static int amdgpu_cs_p1_user_fence(struct amdgpu_cs_parser *p, { struct drm_gem_object *gobj; unsigned long size; - int r; gobj = drm_gem_object_lookup(p->filp, data->handle); if (gobj == NULL) @@ -137,23 +136,14 @@ static int amdgpu_cs_p1_user_fence(struct amdgpu_cs_parser *p, drm_gem_object_put(gobj); size = amdgpu_bo_size(p->uf_bo); - if (size != PAGE_SIZE || (data->offset + 8) > size) { - r = -EINVAL; - goto error_unref; - } + if (size != PAGE_SIZE || data->offset > (size - 8)) + return -EINVAL; - if (amdgpu_ttm_tt_get_usermm(p->uf_bo->tbo.ttm)) { - r = -EINVAL; - goto error_unref; - } + if (amdgpu_ttm_tt_get_usermm(p->uf_bo->tbo.ttm)) + return -EINVAL; *offset = data->offset; - return 0; - -error_unref: - amdgpu_bo_unref(&p->uf_bo); - return r; } static int amdgpu_cs_p1_bo_handles(struct amdgpu_cs_parser *p,
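
Review bot: in the second hunk, `data->offset > (size - 8)` is only safe because `size != PAGE_SIZE` is evaluated first in the same `||`. `size` is unsigned long, so if the two conditions were ever reordered or split, `size - 8` could underflow for a BO smaller than 8 bytes and the comparison would accept any offset. A one-line comment stating that dependency, or a named constant for the 8-byte fence width, would make the bound self-explanatory. The early `return -EINVAL` paths also leave `p->uf_bo` set, so a comment saying where that reference is released on failure would help, since the release is not visible in this hunk.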
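
The 32-bit wraparound the commit message describes, as an added user-space example that is not part of the original mail or the kernel source. It covers only the bounds check; the names `old_check_rejects`, `new_check_rejects`, `count_old_only_accepts` and `EX_PAGE_SIZE` are hypothetical, and a 4096-byte page is assumed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EX_PAGE_SIZE 4096UL /* assumed page size; the kernel uses PAGE_SIZE */

/* Pre-patch form: the addition is done in 32 bits and can wrap to a small value. */
static bool old_check_rejects(uint32_t offset, unsigned long size)
{
	return size != EX_PAGE_SIZE || (offset + 8) > size;
}

/* Patched form: no arithmetic on the user-supplied value. size - 8 cannot
 * underflow because the size != EX_PAGE_SIZE test short-circuits first. */
static bool new_check_rejects(uint32_t offset, unsigned long size)
{
	return size != EX_PAGE_SIZE || offset > (size - 8);
}

/* Count offsets in [lo, hi] that the old check accepts but the new one rejects. */
static unsigned long count_old_only_accepts(uint32_t lo, uint32_t hi)
{
	unsigned long n = 0;
	for (uint64_t o = lo; o <= hi; o++)
		if (!old_check_rejects((uint32_t)o, EX_PAGE_SIZE) &&
		    new_check_rejects((uint32_t)o, EX_PAGE_SIZE))
			n++;
	return n;
}

int main(void)
{
	/* Constructed sample offsets around both boundaries. */
	const uint32_t samples[] = { 0, 4088, 4089, 0xFFFFFFF7u, 0xFFFFFFF8u, 0xFFFFFFFFu };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("offset=0x%08x old=%s new=%s\n", (unsigned)samples[i],
		       old_check_rejects(samples[i], EX_PAGE_SIZE) ? "reject" : "accept",
		       new_check_rejects(samples[i], EX_PAGE_SIZE) ? "reject" : "accept");
	printf("wrapping offsets accepted only by the old check: %lu\n",
	       count_old_only_accepts(0xFFFF0000u, 0xFFFFFFFFu));
	return 0;
}
```

The two forms agree everywhere except on the offsets whose `+ 8` wraps past 2^32, which the pre-patch comparison lets through.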