gpu: nvgpu: Remove IOCTL FREE_OBJ_CTX

We have never used the IOCTL FREE_OBJ_CTX. Using it leads to context being only partially available, and can lead to use-after-free. Bug 1834225 Change-Id: I9d2b632ab79760f8186d02e0f35861b3a6aae649 Signed-off-by: Terje Bergstrom <tbergstrom@nvidia.com> Reviewed-on: http://git-master/r/1250004 Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com> Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
2025-12-24 02:22:34 +03:00 · 2016-11-08 14:29:14 -08:00
parent e580e68f23
commit 8fa5e7c58a
7 changed files with 0 additions and 67 deletions
--- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
@@ -3467,18 +3467,6 @@ long gk20a_channel_ioctl(struct file *filp,
 				(struct nvgpu_alloc_obj_ctx_args *)buf);
 		gk20a_idle(dev);
 		break;
 	case NVGPU_IOCTL_CHANNEL_FREE_OBJ_CTX:
 		err = gk20a_busy(dev);
 		if (err) {
 			dev_err(dev,
 				"%s: failed to host gk20a for ioctl cmd: 0x%x",
 				__func__, cmd);
 			break;
 		}
 		err = ch->g->ops.gr.free_obj_ctx(ch,
 				(struct nvgpu_free_obj_ctx_args *)buf);
 		gk20a_idle(dev);
 		break;
 	case NVGPU_IOCTL_CHANNEL_ALLOC_GPFIFO_EX:
 	{
 		struct nvgpu_alloc_gpfifo_ex_args *alloc_gpfifo_ex_args =
--- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.h
+++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.h
@@ -155,7 +155,6 @@ struct channel_gk20a {
 	u64 userd_iova;
 	u64 userd_gpu_va;
 	s32 num_objects;
 	u32 obj_class;	/* we support only one obj per channel */
 	struct priv_cmd_queue priv_cmd_q;
--- a/drivers/gpu/nvgpu/gk20a/gk20a.h
+++ b/drivers/gpu/nvgpu/gk20a/gk20a.h
@@ -196,8 +196,6 @@ struct gpu_ops {
 		void (*free_channel_ctx)(struct channel_gk20a *c);
 		int (*alloc_obj_ctx)(struct channel_gk20a  *c,
 				struct nvgpu_alloc_obj_ctx_args *args);
 		int (*free_obj_ctx)(struct channel_gk20a  *c,
 				struct nvgpu_free_obj_ctx_args *args);
 		int (*bind_ctxsw_zcull)(struct gk20a *g, struct gr_gk20a *gr,
 				struct channel_gk20a *c, u64 zcull_va,
 				u32 mode);
--- a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
@@ -2957,7 +2957,6 @@ void gk20a_free_channel_ctx(struct channel_gk20a *c)
 	memset(&c->ch_ctx, 0, sizeof(struct channel_ctx_gk20a));
 	c->num_objects = 0;
 	c->first_init = false;
 }
@@ -3169,8 +3168,6 @@ int gk20a_alloc_obj_ctx(struct channel_gk20a  *c,
 		c->first_init = true;
 	}
 	c->num_objects++;
 	gk20a_dbg_fn("done");
 	return 0;
 out:
@@ -3182,25 +3179,6 @@ out:
 	return err;
 }
 int gk20a_free_obj_ctx(struct channel_gk20a  *c,
 		       struct nvgpu_free_obj_ctx_args *args)
 {
 	gk20a_dbg_fn("");
 	if (c->num_objects == 0)
 		return 0;
 	c->num_objects--;
 	if (c->num_objects == 0) {
 		c->first_init = false;
 		gk20a_disable_channel(c);
 		gr_gk20a_free_channel_patch_ctx(c);
 	}
 	return 0;
 }
 int gk20a_comptag_allocator_init(struct gk20a_comptag_allocator *allocator,
 		unsigned long size)
 {
@@ -9082,7 +9060,6 @@ void gk20a_init_gr_ops(struct gpu_ops *gops)
 	gops->gr.get_gpc_tpc_mask = gr_gk20a_get_gpc_tpc_mask;
 	gops->gr.free_channel_ctx = gk20a_free_channel_ctx;
 	gops->gr.alloc_obj_ctx = gk20a_alloc_obj_ctx;
 	gops->gr.free_obj_ctx = gk20a_free_obj_ctx;
 	gops->gr.bind_ctxsw_zcull = gr_gk20a_bind_ctxsw_zcull;
 	gops->gr.get_zcull_info = gr_gk20a_get_zcull_info;
 	gops->gr.is_tpc_addr = gr_gk20a_is_tpc_addr;
--- a/drivers/gpu/nvgpu/gm20b/gr_gm20b.c
+++ b/drivers/gpu/nvgpu/gm20b/gr_gm20b.c
@@ -1534,7 +1534,6 @@ void gm20b_init_gr(struct gpu_ops *gops)
 	gops->gr.get_gpc_tpc_mask = gr_gm20b_get_gpc_tpc_mask;
 	gops->gr.free_channel_ctx = gk20a_free_channel_ctx;
 	gops->gr.alloc_obj_ctx = gk20a_alloc_obj_ctx;
 	gops->gr.free_obj_ctx = gk20a_free_obj_ctx;
 	gops->gr.bind_ctxsw_zcull = gr_gk20a_bind_ctxsw_zcull;
 	gops->gr.get_zcull_info = gr_gk20a_get_zcull_info;
 	gops->gr.is_tpc_addr = gr_gm20b_is_tpc_addr;
--- a/drivers/gpu/nvgpu/vgpu/gr_vgpu.c
+++ b/drivers/gpu/nvgpu/vgpu/gr_vgpu.c
@@ -421,7 +421,6 @@ static void vgpu_gr_free_channel_ctx(struct channel_gk20a *c)
 	memset(&c->ch_ctx, 0, sizeof(struct channel_ctx_gk20a));
 	c->num_objects = 0;
 	c->first_init = false;
 }
@@ -586,8 +585,6 @@ static int vgpu_gr_alloc_obj_ctx(struct channel_gk20a  *c,
 		c->first_init = true;
 	}
 	c->num_objects++;
 	gk20a_dbg_fn("done");
 	return 0;
 out:
@@ -599,24 +596,6 @@ out:
 	return err;
 }
 static int vgpu_gr_free_obj_ctx(struct channel_gk20a  *c,
 				struct nvgpu_free_obj_ctx_args *args)
 {
 	gk20a_dbg_fn("");
 	if (c->num_objects == 0)
 		return 0;
 	c->num_objects--;
 	if (c->num_objects == 0) {
 		c->first_init = false;
 		gk20a_disable_channel(c);
 	}
 	return 0;
 }
 static int vgpu_gr_init_gr_config(struct gk20a *g, struct gr_gk20a *gr)
 {
 	struct vgpu_priv_data *priv = vgpu_get_priv_data(g);
@@ -1073,7 +1052,6 @@ void vgpu_init_gr_ops(struct gpu_ops *gops)
 	gops->gr.detect_sm_arch = vgpu_gr_detect_sm_arch;
 	gops->gr.free_channel_ctx = vgpu_gr_free_channel_ctx;
 	gops->gr.alloc_obj_ctx = vgpu_gr_alloc_obj_ctx;
 	gops->gr.free_obj_ctx = vgpu_gr_free_obj_ctx;
 	gops->gr.alloc_gr_ctx = vgpu_gr_alloc_gr_ctx;
 	gops->gr.free_gr_ctx = vgpu_gr_free_gr_ctx;
 	gops->gr.bind_ctxsw_zcull = vgpu_gr_bind_ctxsw_zcull;
--- a/include/uapi/linux/nvgpu.h
+++ b/include/uapi/linux/nvgpu.h
@@ -973,10 +973,6 @@ struct nvgpu_alloc_obj_ctx_args {
 	__u64 obj_id;    /* output, used to free later       */
 };
 struct nvgpu_free_obj_ctx_args {
 	__u64 obj_id; /* obj ctx to free */
 };
 struct nvgpu_alloc_gpfifo_args {
 	__u32 num_entries;
 #define NVGPU_ALLOC_GPFIFO_FLAGS_VPR_ENABLED	(1 << 0) /* set owner channel of this gpfifo as a vpr channel */
@@ -1216,8 +1212,6 @@ struct nvgpu_preemption_mode_args {
 	_IOWR(NVGPU_IOCTL_MAGIC, 107, struct nvgpu_submit_gpfifo_args)
 #define NVGPU_IOCTL_CHANNEL_ALLOC_OBJ_CTX	\
 	_IOWR(NVGPU_IOCTL_MAGIC, 108, struct nvgpu_alloc_obj_ctx_args)
 #define NVGPU_IOCTL_CHANNEL_FREE_OBJ_CTX	\
 	_IOR(NVGPU_IOCTL_MAGIC,  109, struct nvgpu_free_obj_ctx_args)
 #define NVGPU_IOCTL_CHANNEL_ZCULL_BIND		\
 	_IOWR(NVGPU_IOCTL_MAGIC, 110, struct nvgpu_zcull_bind_args)
 #define NVGPU_IOCTL_CHANNEL_SET_ERROR_NOTIFIER  \