1 files changed, 93 insertions, 0 deletions

diff --git a/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.19.8/3968-device_cgroup-Export-devcgroup_check_permission.patch b/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.19.8/3968-device_cgroup-Export-devcgroup_check_permission.patch
new file mode 100644
index 00000000..a9bf6768
--- /dev/null
+++ b/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.19.8/3968-device_cgroup-Export-devcgroup_check_permission.patch
@@ -0,0 +1,93 @@
+From cc0651f68dbb5196c0e8bdd4a154850319455e89 Mon Sep 17 00:00:00 2001
+From: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
+Date: Thu, 16 May 2019 11:37:16 -0400
+Subject: [PATCH 3968/4256] device_cgroup: Export devcgroup_check_permission
+
+For AMD compute (amdkfd) driver.
+
+All AMD compute devices are exported via single device node /dev/kfd. As
+a result devices cannot be controlled individually using device cgroup.
+
+AMD compute devices will rely on its graphics counterpart that exposes
+/dev/dri/renderN node for each device. For each task (based on its
+cgroup), KFD driver will check if /dev/dri/renderN node is accessible
+before exposing it.
+
+Signed-off-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Acked-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-by:: Roman Gushchin <guro@fb.com>
+---
+ include/linux/device_cgroup.h | 19 ++++---------------
+ security/device_cgroup.c      | 16 +++++++++++++---
+ 2 files changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/include/linux/device_cgroup.h b/include/linux/device_cgroup.h
+index 8557efe096dc..fa35b52e0002 100644
+--- a/include/linux/device_cgroup.h
++++ b/include/linux/device_cgroup.h
+@@ -12,26 +12,15 @@
+ #define DEVCG_DEV_ALL   4  /* this represents all devices */
+ 
+ #ifdef CONFIG_CGROUP_DEVICE
+-extern int __devcgroup_check_permission(short type, u32 major, u32 minor,
+-					short access);
++int devcgroup_check_permission(short type, u32 major, u32 minor,
++			       short access);
+ #else
+-static inline int __devcgroup_check_permission(short type, u32 major, u32 minor,
+-					       short access)
++static inline int devcgroup_check_permission(short type, u32 major, u32 minor,
++					     short access)
+ { return 0; }
+ #endif
+ 
+ #if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)
+-static inline int devcgroup_check_permission(short type, u32 major, u32 minor,
+-					     short access)
+-{
+-	int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);
+-
+-	if (rc)
+-		return -EPERM;
+-
+-	return __devcgroup_check_permission(type, major, minor, access);
+-}
+-
+ static inline int devcgroup_inode_permission(struct inode *inode, int mask)
+ {
+ 	short type, access = 0;
+diff --git a/security/device_cgroup.c b/security/device_cgroup.c
+index e3a9ad5db5a0..3c57e05bf73b 100644
+--- a/security/device_cgroup.c
++++ b/security/device_cgroup.c
+@@ -801,8 +801,8 @@ struct cgroup_subsys devices_cgrp_subsys = {
+  *
+  * returns 0 on success, -EPERM case the operation is not permitted
+  */
+-int __devcgroup_check_permission(short type, u32 major, u32 minor,
+-				 short access)
++static int __devcgroup_check_permission(short type, u32 major, u32 minor,
++					short access)
+ {
+ 	struct dev_cgroup *dev_cgroup;
+ 	bool rc;
+@@ -824,4 +824,14 @@ int __devcgroup_check_permission(short type, u32 major, u32 minor,
+ 
+ 	return 0;
+ }
+-EXPORT_SYMBOL(__devcgroup_check_permission);
++
++int devcgroup_check_permission(short type, u32 major, u32 minor, short access)
++{
++	int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);
++
++	if (rc)
++		return -EPERM;
++
++	return __devcgroup_check_permission(type, major, minor, access);
++}
++EXPORT_SYMBOL(devcgroup_check_permission);
+-- 
+2.17.1
+