drm/amdgpu: fix amdgpu_cs_p1_user_fence

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The offset is just 32bits here so this can potentially overflow if
somebody specifies a large value. Instead reduce the size to calculate
the last possible offset.

The error handling path incorrectly drops the reference to the user
fence BO resulting in potential reference count underflow.

Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

authored by

Christian König and committed by

Alex Deucher 2 years ago a5492fe2 90bcb9b5

+4 -14

1 changed file

expand all

drivers

gpu

drm

amd

amdgpu

amdgpu_cs.c

+4 -14

drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c

··· 127 127 { 128 128 struct drm_gem_object *gobj; 129 129 unsigned long size; 130 - int r; 131 130 132 131 gobj = drm_gem_object_lookup(p->filp, data->handle); 133 132 if (gobj == NULL) ··· 136 137 drm_gem_object_put(gobj); 137 138 138 139 size = amdgpu_bo_size(p->uf_bo); 139 - if (size != PAGE_SIZE || (data->offset + 8) > size) { 140 - r = -EINVAL; 141 - goto error_unref; 142 - } 140 + if (size != PAGE_SIZE || data->offset > (size - 8)) 141 + return -EINVAL; 143 142 144 - if (amdgpu_ttm_tt_get_usermm(p->uf_bo->tbo.ttm)) { 145 - r = -EINVAL; 146 - goto error_unref; 147 - } 143 + if (amdgpu_ttm_tt_get_usermm(p->uf_bo->tbo.ttm)) 144 + return -EINVAL; 148 145 149 146 *offset = data->offset; 150 - 151 147 return 0; 152 - 153 - error_unref: 154 - amdgpu_bo_unref(&p->uf_bo); 155 - return r; 156 148 } 157 149 158 150 static int amdgpu_cs_p1_bo_handles(struct amdgpu_cs_parser *p,

Configure Feed

Configure Feed