Commit 35588314 authored by Christian König's avatar Christian König Committed by Alex Deucher

drm/amdgpu: fix amdgpu_cs_p1_user_fence

The offset is just 32bits here so this can potentially overflow if
somebody specifies a large value. Instead reduce the size to calculate
the last possible offset.

The error handling path incorrectly drops the reference to the user
fence BO resulting in potential reference count underflow.
Signed-off-by: default avatarChristian König <christian.koenig@amd.com>
Reviewed-by: default avatarAlex Deucher <alexander.deucher@amd.com>
Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
parent 46528db3
...@@ -127,7 +127,6 @@ static int amdgpu_cs_p1_user_fence(struct amdgpu_cs_parser *p, ...@@ -127,7 +127,6 @@ static int amdgpu_cs_p1_user_fence(struct amdgpu_cs_parser *p,
{ {
struct drm_gem_object *gobj; struct drm_gem_object *gobj;
unsigned long size; unsigned long size;
int r;
gobj = drm_gem_object_lookup(p->filp, data->handle); gobj = drm_gem_object_lookup(p->filp, data->handle);
if (gobj == NULL) if (gobj == NULL)
...@@ -137,23 +136,14 @@ static int amdgpu_cs_p1_user_fence(struct amdgpu_cs_parser *p, ...@@ -137,23 +136,14 @@ static int amdgpu_cs_p1_user_fence(struct amdgpu_cs_parser *p,
drm_gem_object_put(gobj); drm_gem_object_put(gobj);
size = amdgpu_bo_size(p->uf_bo); size = amdgpu_bo_size(p->uf_bo);
if (size != PAGE_SIZE || (data->offset + 8) > size) { if (size != PAGE_SIZE || data->offset > (size - 8))
r = -EINVAL; return -EINVAL;
goto error_unref;
}
if (amdgpu_ttm_tt_get_usermm(p->uf_bo->tbo.ttm)) { if (amdgpu_ttm_tt_get_usermm(p->uf_bo->tbo.ttm))
r = -EINVAL; return -EINVAL;
goto error_unref;
}
*offset = data->offset; *offset = data->offset;
return 0; return 0;
error_unref:
amdgpu_bo_unref(&p->uf_bo);
return r;
} }
static int amdgpu_cs_p1_bo_handles(struct amdgpu_cs_parser *p, static int amdgpu_cs_p1_bo_handles(struct amdgpu_cs_parser *p,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment