On Tue, Sep 24, 2019 at 03:54:47PM +0000, Kasiviswanathan, Harish wrote:
> Hi Tejun,
>
> Can you please review this? You and Roman acked this patch before. It will be great if I can Reviewed-by, so that I can upstream this through Alex Deucher's amd-staging-drm-next and Dave Airlie's drm-next trees
>
> Thanks,
> Harish
Hello, Harish!
If it can help, please, feel free to use
Reviewed-by: Roman Gushchin <guro@xxxxxx>
Thanks!
>
>
> -----Original Message-----
> From: Kasiviswanathan, Harish <Harish.Kasiviswanathan@xxxxxxx>
> Sent: Monday, September 16, 2019 2:06 PM
> To: tj@xxxxxxxxxx; Deucher, Alexander <Alexander.Deucher@xxxxxxx>; airlied@xxxxxxxxxx
> Cc: cgroups@xxxxxxxxxxxxxxx; amd-gfx@xxxxxxxxxxxxxxxxxxxxx; Kasiviswanathan, Harish <Harish.Kasiviswanathan@xxxxxxx>
> Subject: [PATCH v2 3/4] device_cgroup: Export devcgroup_check_permission
>
> For AMD compute (amdkfd) driver.
>
> All AMD compute devices are exported via single device node /dev/kfd. As
> a result devices cannot be controlled individually using device cgroup.
>
> AMD compute devices will rely on its graphics counterpart that exposes
> /dev/dri/renderN node for each device. For each task (based on its
> cgroup), KFD driver will check if /dev/dri/renderN node is accessible
> before exposing it.
>
> Change-Id: I9ae283df550b2c122d67870b0cfa316bfbf3b614
> Acked-by: Felix Kuehling <Felix.Kuehling@xxxxxxx>
> Acked-by: Tejun Heo <tj@xxxxxxxxxx>
> Acked-by: Roman Gushchin <guro@xxxxxx>
> Signed-off-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@xxxxxxx>
> ---
> include/linux/device_cgroup.h | 19 ++++---------------
> security/device_cgroup.c | 15 +++++++++++++--
> 2 files changed, 17 insertions(+), 17 deletions(-)
>
> diff --git a/include/linux/device_cgroup.h b/include/linux/device_cgroup.h
> index 8557efe096dc..fa35b52e0002 100644
> --- a/include/linux/device_cgroup.h
> +++ b/include/linux/device_cgroup.h
> @@ -12,26 +12,15 @@
> #define DEVCG_DEV_ALL 4 /* this represents all devices */
>
> #ifdef CONFIG_CGROUP_DEVICE
> -extern int __devcgroup_check_permission(short type, u32 major, u32 minor,
> - short access);
> +int devcgroup_check_permission(short type, u32 major, u32 minor,
> + short access);
> #else
> -static inline int __devcgroup_check_permission(short type, u32 major, u32 minor,
> - short access)
> +static inline int devcgroup_check_permission(short type, u32 major, u32 minor,
> + short access)
> { return 0; }
> #endif
>
> #if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)
> -static inline int devcgroup_check_permission(short type, u32 major, u32 minor,
> - short access)
> -{
> - int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);
> -
> - if (rc)
> - return -EPERM;
> -
> - return __devcgroup_check_permission(type, major, minor, access);
> -}
> -
> static inline int devcgroup_inode_permission(struct inode *inode, int mask)
> {
> short type, access = 0;
> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
> index dc28914fa72e..04dd29bf7f06 100644
> --- a/security/device_cgroup.c
> +++ b/security/device_cgroup.c
> @@ -801,8 +801,8 @@ struct cgroup_subsys devices_cgrp_subsys = {
> *
> * returns 0 on success, -EPERM case the operation is not permitted
> */
> -int __devcgroup_check_permission(short type, u32 major, u32 minor,
> - short access)
> +static int __devcgroup_check_permission(short type, u32 major, u32 minor,
> + short access)
> {
> struct dev_cgroup *dev_cgroup;
> bool rc;
> @@ -824,3 +824,14 @@ int __devcgroup_check_permission(short type, u32 major, u32 minor,
>
> return 0;
> }
> +
> +int devcgroup_check_permission(short type, u32 major, u32 minor, short access)
> +{
> + int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);
> +
> + if (rc)
> + return -EPERM;
> +
> + return __devcgroup_check_permission(type, major, minor, access);
> +}
> +EXPORT_SYMBOL(devcgroup_check_permission);
> --
> 2.17.1
>
