From patchwork Wed Jan 30 01:53:21 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bas Nieuwenhuizen X-Patchwork-Id: 10787551 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E08C091E for ; Wed, 30 Jan 2019 01:54:47 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D2E732C5FD for ; Wed, 30 Jan 2019 01:54:47 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C787F2D2C5; Wed, 30 Jan 2019 01:54:47 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 7C5F32C5FD for ; Wed, 30 Jan 2019 01:54:47 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 9D40B6E47F; Wed, 30 Jan 2019 01:54:41 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from mail-ed1-x544.google.com (mail-ed1-x544.google.com [IPv6:2a00:1450:4864:20::544]) by gabe.freedesktop.org (Postfix) with ESMTPS id 1DD936E47F for ; Wed, 30 Jan 2019 01:54:40 +0000 (UTC) Received: by mail-ed1-x544.google.com with SMTP id f9so17677660eds.10 for ; Tue, 29 Jan 2019 17:54:40 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=PIw6dgX3wRq1l1eGAhYVCKLJx7A+VIHiKRZHh43QHw4=; b=l/2I+J/8EuUHgj1I7cPmYENVDI1JKfz8akUXJYJx/0z3y/hAFoKJ+gfgkS7Ozk9RIF tUDQ5t52ZKVkC7agSe5zOvJMWBcJml0zdKRYohHbd24TS633N0V0h1amrqi/eq/Bgu3Q whaQw7jp1tyOLPw04VGYdr+lKtCgJWjQteoh3Xm71CpFoXO+cdgSP6psHduFqELX3MRh ERCnkCa7wVuN9l2cFM41O9VEMkhmBxa5vGmmt71kwCszanC4vKuFZOphngPwToufLsxG B5ADTauoZExxSIiXVLcTYOfFbVoCWZFteP2rC4jNUXmZD4WCj7DpMZc0SrrN0LaBxWC7 q2dw== X-Gm-Message-State: AHQUAubWd7ElDOagDT0VCDsUejGwtFREciVwUCziG5B/2mNLYjYPrKyb G4CMGF3gwOz2hatpCcQCtgzV/Q== X-Google-Smtp-Source: AHgI3IaDgMH6bSBU3MAIUleu0s8LsLXKweDgwzWADcXNPn1iR0l9yada9FjlBVGuSknVTXhmeh2Wmg== X-Received: by 2002:a50:d753:: with SMTP id i19mr3652334edj.75.1548813278676; Tue, 29 Jan 2019 17:54:38 -0800 (PST) Received: from localhost.localdomain ([2a02:aa12:a77f:2000:7285:c2ff:fe4e:b21b]) by smtp.gmail.com with ESMTPSA id l18sm117157edq.87.2019.01.29.17.54.38 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 29 Jan 2019 17:54:38 -0800 (PST) From: Bas Nieuwenhuizen To: amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org Subject: [PATCH v2 3/4] drm/amdgpu: Check if fd really is an amdgpu fd. Date: Wed, 30 Jan 2019 02:53:21 +0100 Message-Id: <20190130015322.105870-3-bas@basnieuwenhuizen.nl> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190130015322.105870-1-bas@basnieuwenhuizen.nl> References: <20190130015322.105870-1-bas@basnieuwenhuizen.nl> MIME-Version: 1.0 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" X-Virus-Scanned: ClamAV using ClamSMTP Otherwise we interpret the file private data as drm & amdgpu data while it might not be, possibly allowing one to get memory corruption. Signed-off-by: Bas Nieuwenhuizen --- drivers/gpu/drm/amd/amdgpu/amdgpu.h | 2 ++ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 16 ++++++++++++++++ drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c | 10 +++++++--- 3 files changed, 25 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu.h b/drivers/gpu/drm/amd/amdgpu/amdgpu.h index d67f8b1dfe80..17290cdb8ed8 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h @@ -411,6 +411,8 @@ struct amdgpu_fpriv { struct amdgpu_ctx_mgr ctx_mgr; }; +int amdgpu_file_to_fpriv(struct file *filp, struct amdgpu_fpriv **fpriv); + int amdgpu_ib_get(struct amdgpu_device *adev, struct amdgpu_vm *vm, unsigned size, struct amdgpu_ib *ib); void amdgpu_ib_free(struct amdgpu_device *adev, struct amdgpu_ib *ib, diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c index c806f984bcc5..90a520034c89 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c @@ -1176,6 +1176,22 @@ static const struct file_operations amdgpu_driver_kms_fops = { #endif }; +int amdgpu_file_to_fpriv(struct file *filp, struct amdgpu_fpriv **fpriv) +{ + struct drm_file *file; + + if (!filp) + return -EINVAL; + + if (filp->f_op != &amdgpu_driver_kms_fops) { + return -EINVAL; + } + + file = filp->private_data; + *fpriv = file->driver_priv; + return 0; +} + static bool amdgpu_get_crtc_scanout_position(struct drm_device *dev, unsigned int pipe, bool in_vblank_irq, int *vpos, int *hpos, diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c index 1cafe8d83a4d..0b70410488b6 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c @@ -54,16 +54,20 @@ static int amdgpu_sched_process_priority_override(struct amdgpu_device *adev, enum drm_sched_priority priority) { struct file *filp = fget(fd); - struct drm_file *file; struct amdgpu_fpriv *fpriv; struct amdgpu_ctx *ctx; uint32_t id; + int r; if (!filp) return -EINVAL; - file = filp->private_data; - fpriv = file->driver_priv; + r = amdgpu_file_to_fpriv(filp, &fpriv); + if (r) { + fput(filp); + return r; + } + idr_for_each_entry(&fpriv->ctx_mgr.ctx_handles, ctx, id) amdgpu_ctx_priority_override(ctx, priority);