From 15739c52e928aad1101deef962df3e39b3df779c Mon Sep 17 00:00:00 2001
From: Tejal Kudav
Date: Sun, 13 Mar 2022 17:50:00 +0000
Subject: [PATCH] gpu: nvgpu: Fix NULL ptr deref during quiesce

g->fifo.runlists[] has size of g->fifo.max_runlists. During quiesce, U32_MAX bitmask is passed to g->ops.runlist.write_state() HAL to disable all the runlist. The Ga10b HAL implementation of g->ops.runlist.write_state() references into runlists[] structure for all the bits set in input runlist mask. For mask=U32_MAX, there is NULL pointer dereference when runlist_id exceeds g->fifo.max_runlists. Add runlist_id boundary check before dereferencing the runlists[] structure. Update Gk20a HAL too with similar guard to make sure incorrect mask doesn't get written to the register.
JIRA NVGPU-8102
Change-Id: Ic613aa38361b8b23d953c76d6924aba6bf6d5ea9
Signed-off-by: Tejal Kudav
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nvgpu/+/2680847
Reviewed-by: Konsta Holtta
Reviewed-by: svcacv
Reviewed-by: svc-mobile-coverity
Reviewed-by: svc-mobile-misra
Reviewed-by: Vaibhav Kachore
Reviewed-by: svc-mobile-cert
GVS: Gerrit_Virtual_Submit
---
 drivers/gpu/nvgpu/hal/fifo/runlist_fifo_ga10b_fusa.c | 2 +-
 drivers/gpu/nvgpu/hal/fifo/runlist_fifo_gk20a_fusa.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/nvgpu/hal/fifo/runlist_fifo_ga10b_fusa.c b/drivers/gpu/nvgpu/hal/fifo/runlist_fifo_ga10b_fusa.c
index 610646df8..b535e5d50 100644
--- a/drivers/gpu/nvgpu/hal/fifo/runlist_fifo_ga10b_fusa.c
+++ b/drivers/gpu/nvgpu/hal/fifo/runlist_fifo_ga10b_fusa.c
@@ -122,7 +122,7 @@ void ga10b_runlist_write_state(struct gk20a *g, u32 runlists_mask,
 reg_val = runlist_sched_disable_runlist_enabled_v();
 }

- while (runlists_mask != 0U) {
+ while (runlists_mask != 0U && (runlist_id < g->fifo.max_runlists)) {
 if ((runlists_mask & BIT32(runlist_id)) != 0U) {
 runlist = g->fifo.runlists[runlist_id];
 nvgpu_runlist_writel(g, runlist,
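Review bot: The pointer read by `runlist = g->fifo.runlists[runlist_id];` is still passed to `nvgpu_runlist_writel()` without a NULL check, even though the new bound keeps the index inside the array. Whether `runlists[]` can hold empty slots for IDs below `max_runlists` is not visible in this hunk; if it can, the U32_MAX mask used during quiesce would still reach a NULL entry. Wrapping the write in `if (runlist != NULL) {` would skip the register write for such an ID and cover that case. The loop body continues past the end of the hunk, so the mask clearing and the `runlist_id` increment are not visible here.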
diff --git a/drivers/gpu/nvgpu/hal/fifo/runlist_fifo_gk20a_fusa.c b/drivers/gpu/nvgpu/hal/fifo/runlist_fifo_gk20a_fusa.c
index f0942a7ff..a92ce6fbb 100644
--- a/drivers/gpu/nvgpu/hal/fifo/runlist_fifo_gk20a_fusa.c
+++ b/drivers/gpu/nvgpu/hal/fifo/runlist_fifo_gk20a_fusa.c
@@ -96,7 +96,7 @@ void gk20a_runlist_write_state(struct gk20a *g, u32 runlists_mask,
 u32 reg_mask = 0U;
 u32 i = 0U;

- while (runlists_mask != 0U) {
+ while (runlists_mask != 0U && (i < g->fifo.max_runlists)) {
 if ((runlists_mask & BIT32(i)) != 0U) {
 reg_mask |= fifo_sched_disable_runlist_m(i);
 }
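Review bot: Bits of `runlists_mask` at or above `g->fifo.max_runlists` are now dropped silently, so `reg_mask` can describe fewer runlists than the caller asked for, and nothing at the loop says this is intended. A comment above the `while` such as `/* Bits >= max_runlists are ignored; quiesce passes U32_MAX to mean all runlists. */` would record why the bound exists and stop a later cleanup from removing it. The rest of the function, including the register write that consumes `reg_mask`, is outside the hunk.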