[AMD Official Use Only - General]
One minor comment inline.
-----Original Message-----
From: amd-gfx <amd-gfx-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Sreekant Somasekharan
Sent: Friday, April 28, 2023 3:12 PM
To: amd-gfx@xxxxxxxxxxxxxxxxxxxxx
Cc: Somasekharan, Sreekant <Sreekant.Somasekharan@xxxxxxx>
Subject: [PATCH v2] drm/amdkfd: Expose proc sysfs folder contents after permission check
Access to proc sysfs folder/subfolder contents are permitted only
if kfd_devcgroup_check_permission() function returns success. This
will restrict users from accessing sysfs files for a process running
on a device to which users has no access.
Signed-off-by: Sreekant Somasekharan <sreekant.somasekharan@xxxxxxx>
---
drivers/gpu/drm/amd/amdkfd/kfd_process.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process.c b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
index 95cc63d9f578..8ff505d29bb4 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
@@ -275,6 +275,8 @@ static int kfd_get_cu_occupancy(struct attribute *attr, char *buffer)
pdd = container_of(attr, struct kfd_process_device, attr_cu_occupancy);
dev = pdd->dev;
+ if (dev && kfd_devcgroup_check_permission(dev))
+ return -EPERM;
if (dev->kfd2kgd->get_cu_occupancy == NULL)
return -EINVAL;
@@ -308,10 +310,14 @@ static ssize_t kfd_procfs_show(struct kobject *kobj, struct attribute *attr,
} else if (strncmp(attr->name, "vram_", 5) == 0) {
struct kfd_process_device *pdd = container_of(attr, struct kfd_process_device,
attr_vram);
+ if (pdd->dev && kfd_devcgroup_check_permission(pdd->dev))
+ return -EPERM;
return snprintf(buffer, PAGE_SIZE, "%llu\n", READ_ONCE(pdd->vram_usage));
} else if (strncmp(attr->name, "sdma_", 5) == 0) {
struct kfd_process_device *pdd = container_of(attr, struct kfd_process_device,
attr_sdma);
+ if (pdd->dev && kfd_devcgroup_check_permission(pdd->dev))
+ return -EPERM;
[HK]: Move the if condition below the following struct declaration otherwise the following compiler will spew the following warning
warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
struct kfd_sdma_activity_handler_workarea sdma_activity_work_handler;
INIT_WORK(&sdma_activity_work_handler.sdma_activity_work,
@@ -379,6 +385,8 @@ static ssize_t kfd_procfs_queue_show(struct kobject *kobj,
struct attribute *attr, char *buffer)
{
struct queue *q = container_of(kobj, struct queue, kobj);
+ if (q->device && kfd_devcgroup_check_permission(q->device))
+ return -EPERM;
if (!strcmp(attr->name, "size"))
return snprintf(buffer, PAGE_SIZE, "%llu",
@@ -402,6 +410,8 @@ static ssize_t kfd_procfs_stats_show(struct kobject *kobj,
attr_evict);
uint64_t evict_jiffies;
+ if (pdd->dev && kfd_devcgroup_check_permission(pdd->dev))
+ return -EPERM;
evict_jiffies = atomic64_read(&pdd->evict_duration_counter);
return snprintf(buffer,
@@ -427,16 +437,22 @@ static ssize_t kfd_sysfs_counters_show(struct kobject *kobj,
if (!strcmp(attr->name, "faults")) {
pdd = container_of(attr, struct kfd_process_device,
attr_faults);
+ if (pdd->dev && kfd_devcgroup_check_permission(pdd->dev))
+ return -EPERM;
return sysfs_emit(buf, "%llu\n", READ_ONCE(pdd->faults));
}
if (!strcmp(attr->name, "page_in")) {
pdd = container_of(attr, struct kfd_process_device,
attr_page_in);
+ if (pdd->dev && kfd_devcgroup_check_permission(pdd->dev))
+ return -EPERM;
return sysfs_emit(buf, "%llu\n", READ_ONCE(pdd->page_in));
}
if (!strcmp(attr->name, "page_out")) {
pdd = container_of(attr, struct kfd_process_device,
attr_page_out);
+ if (pdd->dev && kfd_devcgroup_check_permission(pdd->dev))
+ return -EPERM;
return sysfs_emit(buf, "%llu\n", READ_ONCE(pdd->page_out));
}
return 0;
--
2.25.1
