From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1A5ACCE79CF for ; Wed, 20 Sep 2023 12:23:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235693AbjITMXv (ORCPT ); Wed, 20 Sep 2023 08:23:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57430 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235696AbjITMXu (ORCPT ); Wed, 20 Sep 2023 08:23:50 -0400 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D162393 for ; Wed, 20 Sep 2023 05:23:44 -0700 (PDT) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 20D06C433C8; Wed, 20 Sep 2023 12:23:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1695212624; bh=ZL56GwxSf2rTT5hZYwmsTDxDe34l9UnVk/RLqTQTJ2s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=N/+kVAa6Ig4LmH8R7MNZrjffV2Ke7p5yXRpl2fjXj+e+kH/LfjEQw4SqaUIWFZwBf Q0DwDgjPiMx6xkMOsJDdjqWKZ/19WHyIi3ffUqCfAUERbmI9mH4fieZLZlMZWmQtpf JTc0QkYzWzG6xfIxPbqV1iJQLdLWMzHvjtf5per4= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, =?UTF-8?q?Christian=20K=C3=B6nig?= , Alex Deucher Subject: [PATCH 5.10 70/83] drm/amdgpu: fix amdgpu_cs_p1_user_fence Date: Wed, 20 Sep 2023 13:32:00 +0200 Message-ID: <20230920112829.424822530@linuxfoundation.org> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20230920112826.634178162@linuxfoundation.org> References: <20230920112826.634178162@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org 5.10-stable review patch. If anyone has any objections, please let me know. ------------------ From: Christian König commit 35588314e963938dfdcdb792c9170108399377d6 upstream. The offset is just 32bits here so this can potentially overflow if somebody specifies a large value. Instead reduce the size to calculate the last possible offset. The error handling path incorrectly drops the reference to the user fence BO resulting in potential reference count underflow. Signed-off-by: Christian König Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c @@ -45,7 +45,6 @@ static int amdgpu_cs_user_fence_chunk(st struct drm_gem_object *gobj; struct amdgpu_bo *bo; unsigned long size; - int r; gobj = drm_gem_object_lookup(p->filp, data->handle); if (gobj == NULL) @@ -60,23 +59,14 @@ static int amdgpu_cs_user_fence_chunk(st drm_gem_object_put(gobj); size = amdgpu_bo_size(bo); - if (size != PAGE_SIZE || (data->offset + 8) > size) { - r = -EINVAL; - goto error_unref; - } - - if (amdgpu_ttm_tt_get_usermm(bo->tbo.ttm)) { - r = -EINVAL; - goto error_unref; - } + if (size != PAGE_SIZE || data->offset > (size - 8)) + return -EINVAL; - *offset = data->offset; + if (amdgpu_ttm_tt_get_usermm(bo->tbo.ttm)) + return -EINVAL; + *offset = data->offset; return 0; - -error_unref: - amdgpu_bo_unref(&bo); - return r; } static int amdgpu_cs_bo_handles_chunk(struct amdgpu_cs_parser *p,