提交 b5f5acbc 编写于 作者: C Christian König 提交者: Alex Deucher

drm/amdgpu: fix user fence handling once more

Same problem as with the VM page tables. The user fence address must be
determined before the job is scheduled, not when the IB is executed.

This fixes a security problem where user fences could be used to overwrite
any part of VRAM.
Signed-off-by: NChristian König <christian.koenig@amd.com>
Reviewed-by: NChunming Zhou <david1.zhou@amd.com>
Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>
上级 56628159
...@@ -1278,8 +1278,7 @@ struct amdgpu_job { ...@@ -1278,8 +1278,7 @@ struct amdgpu_job {
uint32_t oa_base, oa_size; uint32_t oa_base, oa_size;
/* user fence handling */ /* user fence handling */
struct amdgpu_bo *uf_bo; uint64_t uf_addr;
uint32_t uf_offset;
uint64_t uf_sequence; uint64_t uf_sequence;
}; };
......
...@@ -216,11 +216,8 @@ int amdgpu_cs_parser_init(struct amdgpu_cs_parser *p, void *data) ...@@ -216,11 +216,8 @@ int amdgpu_cs_parser_init(struct amdgpu_cs_parser *p, void *data)
if (ret) if (ret)
goto free_all_kdata; goto free_all_kdata;
if (p->uf_entry.robj) { if (p->uf_entry.robj)
p->job->uf_bo = amdgpu_bo_ref(p->uf_entry.robj); p->job->uf_addr = uf_offset;
p->job->uf_offset = uf_offset;
}
kfree(chunk_array); kfree(chunk_array);
return 0; return 0;
...@@ -502,6 +499,9 @@ static int amdgpu_cs_parser_bos(struct amdgpu_cs_parser *p, ...@@ -502,6 +499,9 @@ static int amdgpu_cs_parser_bos(struct amdgpu_cs_parser *p,
} }
} }
if (p->uf_entry.robj)
p->job->uf_addr += amdgpu_bo_gpu_offset(p->uf_entry.robj);
error_validate: error_validate:
if (r) { if (r) {
amdgpu_vm_move_pt_bos_in_lru(p->adev, &fpriv->vm); amdgpu_vm_move_pt_bos_in_lru(p->adev, &fpriv->vm);
...@@ -767,7 +767,7 @@ static int amdgpu_cs_ib_fill(struct amdgpu_device *adev, ...@@ -767,7 +767,7 @@ static int amdgpu_cs_ib_fill(struct amdgpu_device *adev,
} }
/* UVD & VCE fw doesn't support user fences */ /* UVD & VCE fw doesn't support user fences */
if (parser->job->uf_bo && ( if (parser->job->uf_addr && (
parser->job->ring->type == AMDGPU_RING_TYPE_UVD || parser->job->ring->type == AMDGPU_RING_TYPE_UVD ||
parser->job->ring->type == AMDGPU_RING_TYPE_VCE)) parser->job->ring->type == AMDGPU_RING_TYPE_VCE))
return -EINVAL; return -EINVAL;
......
...@@ -203,11 +203,8 @@ int amdgpu_ib_schedule(struct amdgpu_ring *ring, unsigned num_ibs, ...@@ -203,11 +203,8 @@ int amdgpu_ib_schedule(struct amdgpu_ring *ring, unsigned num_ibs,
} }
/* wrap the last IB with fence */ /* wrap the last IB with fence */
if (job && job->uf_bo) { if (job && job->uf_addr) {
uint64_t addr = amdgpu_bo_gpu_offset(job->uf_bo); amdgpu_ring_emit_fence(ring, job->uf_addr, job->uf_sequence,
addr += job->uf_offset;
amdgpu_ring_emit_fence(ring, addr, job->uf_sequence,
AMDGPU_FENCE_FLAG_64BIT); AMDGPU_FENCE_FLAG_64BIT);
} }
......
...@@ -91,7 +91,6 @@ static void amdgpu_job_free_resources(struct amdgpu_job *job) ...@@ -91,7 +91,6 @@ static void amdgpu_job_free_resources(struct amdgpu_job *job)
amdgpu_ib_free(job->adev, &job->ibs[i], f); amdgpu_ib_free(job->adev, &job->ibs[i], f);
fence_put(job->fence); fence_put(job->fence);
amdgpu_bo_unref(&job->uf_bo);
amdgpu_sync_free(&job->sync); amdgpu_sync_free(&job->sync);
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册