Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f08fb393 authored by Bas Nieuwenhuizen's avatar Bas Nieuwenhuizen Committed by Greg Kroah-Hartman
Browse files

drm/amdgpu: Check if fd really is an amdgpu fd. 



commit 021830d24ba55a578f602979274965344c8e6284 upstream.

Otherwise we interpret the file private data as drm & amdgpu data
while it might not be, possibly allowing one to get memory corruption.

Signed-off-by: default avatarBas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 00cdc297

drivers/gpu/drm/amd/amdgpu/amdgpu.h

+2 −0
Original line number Diff line number Diff line
@@ -955,6 +955,8 @@ struct amdgpu_gfx { 
	DECLARE_BITMAP			(pipe_reserve_bitmap, AMDGPU_MAX_COMPUTE_QUEUES);

};



int amdgpu_file_to_fpriv(struct file *filp, struct amdgpu_fpriv **fpriv);



int amdgpu_ib_get(struct amdgpu_device *adev, struct amdgpu_vm *vm,

		  unsigned size, struct amdgpu_ib *ib);

void amdgpu_ib_free(struct amdgpu_device *adev, struct amdgpu_ib *ib,

drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c

+16 −0
Original line number Diff line number Diff line
@@ -1132,6 +1132,22 @@ static const struct file_operations amdgpu_driver_kms_fops = { 
#endif

};



int amdgpu_file_to_fpriv(struct file *filp, struct amdgpu_fpriv **fpriv)

{

        struct drm_file *file;



	if (!filp)

		return -EINVAL;



	if (filp->f_op != &amdgpu_driver_kms_fops) {

		return -EINVAL;

	}



	file = filp->private_data;

	*fpriv = file->driver_priv;

	return 0;

}



static bool

amdgpu_get_crtc_scanout_position(struct drm_device *dev, unsigned int pipe,

				 bool in_vblank_irq, int *vpos, int *hpos,

drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c

+7 −3
Original line number Diff line number Diff line
@@ -54,16 +54,20 @@ static int amdgpu_sched_process_priority_override(struct amdgpu_device *adev, 
						  enum drm_sched_priority priority)

{

	struct file *filp = fget(fd);

	struct drm_file *file;

	struct amdgpu_fpriv *fpriv;

	struct amdgpu_ctx *ctx;

	uint32_t id;

	int r;



	if (!filp)

		return -EINVAL;



	file = filp->private_data;

	fpriv = file->driver_priv;

	r = amdgpu_file_to_fpriv(filp, &fpriv);

	if (r) {

		fput(filp);

		return r;

	}



	idr_for_each_entry(&fpriv->ctx_mgr.ctx_handles, ctx, id)

		amdgpu_ctx_priority_override(ctx, priority);