On Fri, May 17, 2019 at 04:15:06PM +0000, Kasiviswanathan, Harish wrote: > For AMD compute (amdkfd) driver. > > All AMD compute devices are exported via single device node /dev/kfd. As > a result devices cannot be controlled individually using device cgroup. > > AMD compute devices will rely on its graphics counterpart that exposes > /dev/dri/renderN node for each device. For each task (based on its > cgroup), KFD driver will check if /dev/dri/renderN node is accessible > before exposing it. > > Change-Id: I1b9705b2c30622a27655f4f878980fa138dbf373 > Signed-off-by: Harish Kasiviswanathan <[email protected]> > --- > include/linux/device_cgroup.h | 19 ++++--------------- > security/device_cgroup.c | 15 +++++++++++++-- > 2 files changed, 17 insertions(+), 17 deletions(-) > > diff --git a/include/linux/device_cgroup.h b/include/linux/device_cgroup.h > index 8557efe096dc..bd19897bd582 100644 > --- a/include/linux/device_cgroup.h > +++ b/include/linux/device_cgroup.h > @@ -12,26 +12,15 @@ > #define DEVCG_DEV_ALL 4 /* this represents all devices */ > > #ifdef CONFIG_CGROUP_DEVICE > -extern int __devcgroup_check_permission(short type, u32 major, u32 minor, > - short access); > +extern int devcgroup_check_permission(short type, u32 major, u32 minor, > + short access); > #else > -static inline int __devcgroup_check_permission(short type, u32 major, u32 > minor, > - short access) > +static inline int devcgroup_check_permission(short type, u32 major, u32 > minor, > + short access) > { return 0; } > #endif > > #if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF) > -static inline int devcgroup_check_permission(short type, u32 major, u32 > minor, > - short access) > -{ > - int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access); > - > - if (rc) > - return -EPERM; > - > - return __devcgroup_check_permission(type, major, minor, access); > -} > - > static inline int devcgroup_inode_permission(struct inode *inode, int mask) > { > short type, access = 0; > diff --git a/security/device_cgroup.c b/security/device_cgroup.c > index cd97929fac66..3c57e05bf73b 100644 > --- a/security/device_cgroup.c > +++ b/security/device_cgroup.c > @@ -801,8 +801,8 @@ struct cgroup_subsys devices_cgrp_subsys = { > * > * returns 0 on success, -EPERM case the operation is not permitted > */ > -int __devcgroup_check_permission(short type, u32 major, u32 minor, > - short access) > +static int __devcgroup_check_permission(short type, u32 major, u32 minor, > + short access) > { > struct dev_cgroup *dev_cgroup; > bool rc; > @@ -824,3 +824,14 @@ int __devcgroup_check_permission(short type, u32 major, > u32 minor, > > return 0; > } > + > +int devcgroup_check_permission(short type, u32 major, u32 minor, short > access) > +{ > + int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access); > + > + if (rc) > + return -EPERM; > + > + return __devcgroup_check_permission(type, major, minor, access); > +} > +EXPORT_SYMBOL(devcgroup_check_permission);
Perfect, now looks good to me! Please, feel free to use my acks for patches 3 and 4: Acked-by: Roman Gushchin <[email protected]> Thanks! _______________________________________________ amd-gfx mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/amd-gfx
