Diffstat (limited to 'meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.19.8/3968-device_cgroup-Export-devcgroup_check_permission.patch')
-rw-r--r-- | meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.19.8/3968-device_cgroup-Export-devcgroup_check_permission.patch | 93 |
1 files changed, 93 insertions, 0 deletions
diff --git a/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.19.8/3968-device_cgroup-Export-devcgroup_check_permission.patch b/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.19.8/3968-device_cgroup-Export-devcgroup_check_permission.patch
new file mode 100644
index 00000000..a9bf6768
--- /dev/null
+++ b/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.19.8/3968-device_cgroup-Export-devcgroup_check_permission.patch
@@ -0,0 +1,93 @@
+From cc0651f68dbb5196c0e8bdd4a154850319455e89 Mon Sep 17 00:00:00 2001
+From: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
+Date: Thu, 16 May 2019 11:37:16 -0400
+Subject: [PATCH 3968/4256] device_cgroup: Export devcgroup_check_permission
+
+For AMD compute (amdkfd) driver.
+
+All AMD compute devices are exported via single device node /dev/kfd. As
+a result devices cannot be controlled individually using device cgroup.
+
+AMD compute devices will rely on its graphics counterpart that exposes
+/dev/dri/renderN node for each device. For each task (based on its
+cgroup), KFD driver will check if /dev/dri/renderN node is accessible
+before exposing it.
+
+Signed-off-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Acked-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-by:: Roman Gushchin <guro@fb.com>
+---
+ include/linux/device_cgroup.h | 19 ++++---------------
+ security/device_cgroup.c | 16 +++++++++++++---
+ 2 files changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/include/linux/device_cgroup.h b/include/linux/device_cgroup.h
+index 8557efe096dc..fa35b52e0002 100644
+--- a/include/linux/device_cgroup.h
++++ b/include/linux/device_cgroup.h
+@@ -12,26 +12,15 @@
+ #define DEVCG_DEV_ALL 4 /* this represents all devices */
+
+ #ifdef CONFIG_CGROUP_DEVICE
+-extern int __devcgroup_check_permission(short type, u32 major, u32 minor,
+- short access);
++int devcgroup_check_permission(short type, u32 major, u32 minor,
++ short access);
+ #else
+-static inline int __devcgroup_check_permission(short type, u32 major, u32 minor,
+- short access)
++static inline int devcgroup_check_permission(short type, u32 major, u32 minor,
++ short access)
+ { return 0; }
+ #endif
+
+ #if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)
+-static inline int devcgroup_check_permission(short type, u32 major, u32 minor,
+- short access)
+-{
+- int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);
+-
+- if (rc)
+- return -EPERM;
+-
+- return __devcgroup_check_permission(type, major, minor, access);
+-}
+-
+ static inline int devcgroup_inode_permission(struct inode *inode, int mask)
+ {
+ short type, access = 0;
+diff --git a/security/device_cgroup.c b/security/device_cgroup.c
+index e3a9ad5db5a0..3c57e05bf73b 100644
+--- a/security/device_cgroup.c
++++ b/security/device_cgroup.c
+@@ -801,8 +801,8 @@ struct cgroup_subsys devices_cgrp_subsys = {
+ *
+ * returns 0 on success, -EPERM case the operation is not permitted
+ */
+-int __devcgroup_check_permission(short type, u32 major, u32 minor,
+- short access)
++static int __devcgroup_check_permission(short type, u32 major, u32 minor,
++ short access)
+ {
+ struct dev_cgroup *dev_cgroup;
+ bool rc;
+@@ -824,4 +824,14 @@ int __devcgroup_check_permission(short type, u32 major, u32 minor,
+
+ return 0;
+ }
+-EXPORT_SYMBOL(__devcgroup_check_permission);
++
++int devcgroup_check_permission(short type, u32 major, u32 minor, short access)
++{
++ int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);
++
++ if (rc)
++ return -EPERM;
++
++ return __devcgroup_check_permission(type, major, minor, access);
++}
++EXPORT_SYMBOL(devcgroup_check_permission);
+--
+2.17.1
+
|
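Review bot: The `#else` stub added in the include/linux/device_cgroup.h part of the carried patch makes `devcgroup_check_permission()` return 0 whenever CONFIG_CGROUP_DEVICE is off, while the `BPF_CGROUP_RUN_PROG_DEVICE_CGROUP` call now lives only in security/device_cgroup.c. `devcgroup_inode_permission()` is still compiled under `CONFIG_CGROUP_DEVICE || CONFIG_CGROUP_BPF`, so a kernel built with CGROUP_BPF=y and CGROUP_DEVICE=n would, as far as these lines show, never consult the eBPF device filter and would allow every device access (this assumes device_cgroup.c is built only with CGROUP_DEVICE; confirm in security/Makefile). Either keep the hook in the stub, e.g. `{ return BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access) ? -EPERM : 0; }`, or have the BSP kernel configuration require CONFIG_CGROUP_DEVICE=y wherever CONFIG_CGROUP_BPF is enabled. The newly exported `devcgroup_check_permission()` also has no comment of its own; a short kernel-doc block stating that it runs the BPF device program first and returns -EPERM on denial would help module callers such as amdkfd.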