From c965ef8dc2012946fcc93cea0b48520935294b06 Mon Sep 17 00:00:00 2001 From: Debarshi Dutta Date: Thu, 22 Nov 2018 15:01:36 +0530 Subject: [PATCH] gpu: nvgpu: error handling for invalid ioctl call NVGPU_GPU_IOCTL_GET_EVENT_FD should return -EINVAL when invoked in any chips which donot have NVGPU_SUPPORT_DEVICE_EVENTS enabled. This is resulting in an use-after-free error in UBSAN from syzkaller fuzzing in the nvgpu driver. Also, as an addon remove the flag clk_arb_events_supported as the device events check can be made using the flag NVGPU_SUPPORT_DEVICE_EVENTS. Bug 200463292 Change-Id: I0ed0217704daa9e401b57a268a30b9f798928e4a Signed-off-by: Debarshi Dutta Reviewed-on: https://git-master.nvidia.com/r/1956070 Reviewed-by: svc-mobile-coverity Reviewed-by: svc-misra-checker Reviewed-by: Konsta Holtta GVS: Gerrit_Virtual_Submit Reviewed-by: Alex Waterman Reviewed-by: mobile promotions Tested-by: mobile promotions
---
 drivers/gpu/nvgpu/gp106/clk_arb_gp106.c | 2 --
 drivers/gpu/nvgpu/gp10b/clk_arb_gp10b.c | 2 --
 drivers/gpu/nvgpu/include/nvgpu/clk_arb.h | 2 --
 drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c | 3 ++-
 drivers/gpu/nvgpu/os/linux/ioctl_ctrl.c | 3 +++
 5 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/nvgpu/gp106/clk_arb_gp106.c b/drivers/gpu/nvgpu/gp106/clk_arb_gp106.c
index a4daf0806..141d2a165 100644
--- a/drivers/gpu/nvgpu/gp106/clk_arb_gp106.c
+++ b/drivers/gpu/nvgpu/gp106/clk_arb_gp106.c
@@ -138,8 +138,6 @@ int gp106_init_clk_arbiter(struct gk20a *g)
 return -ENOMEM;
 }
- arb->clk_arb_events_supported = true;
-
 err = nvgpu_mutex_init(&arb->pstate_lock);
 if (err != 0) {
 goto mutex_fail;
diff --git a/drivers/gpu/nvgpu/gp10b/clk_arb_gp10b.c b/drivers/gpu/nvgpu/gp10b/clk_arb_gp10b.c
index f42b6a319..5b937cbf0 100644
--- a/drivers/gpu/nvgpu/gp10b/clk_arb_gp10b.c
+++ b/drivers/gpu/nvgpu/gp10b/clk_arb_gp10b.c
@@ -136,8 +136,6 @@ int gp10b_init_clk_arbiter(struct gk20a *g)
 return -ENOMEM;
 }
- arb->clk_arb_events_supported = false;
-
 err = nvgpu_mutex_init(&arb->pstate_lock);
 if (err != 0) {
 goto mutex_fail;
diff --git a/drivers/gpu/nvgpu/include/nvgpu/clk_arb.h b/drivers/gpu/nvgpu/include/nvgpu/clk_arb.h
index c34365f7d..ab0ec05c0 100644
--- a/drivers/gpu/nvgpu/include/nvgpu/clk_arb.h
+++ b/drivers/gpu/nvgpu/include/nvgpu/clk_arb.h
@@ -217,8 +217,6 @@ struct nvgpu_clk_arb {
 u16 *gpc2clk_f_points;
 u32 gpc2clk_f_numpoints;
- bool clk_arb_events_supported;
-
 nvgpu_atomic64_t alarm_mask;
 struct nvgpu_clk_notification_queue notification_queue;
diff --git a/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c b/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c
index c061eb9e9..51aadce7e 100644
--- a/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c
+++ b/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c
@@ -36,6 +36,7 @@
 #include
 #include
 #include
+#include
 #include "clk/clk.h"
 #include "pstate/pstate.h"
@@ -58,7 +59,7 @@ static int nvgpu_clk_arb_release_completion_dev(struct inode *inode,
 /* This is done to account for the extra refcount taken in
 * nvgpu_clk_arb_commit_request_fd without events support in iGPU
 */
- if (!session->g->clk_arb->clk_arb_events_supported) {
+ if (!nvgpu_is_enabled(session->g, NVGPU_SUPPORT_DEVICE_EVENTS)) {
 nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
 }
diff --git a/drivers/gpu/nvgpu/os/linux/ioctl_ctrl.c b/drivers/gpu/nvgpu/os/linux/ioctl_ctrl.c
index eb94eb3a5..42cbfcafc 100644
--- a/drivers/gpu/nvgpu/os/linux/ioctl_ctrl.c
+++ b/drivers/gpu/nvgpu/os/linux/ioctl_ctrl.c
@@ -1348,6 +1348,9 @@ static int nvgpu_gpu_get_event_fd(struct gk20a *g,
 nvgpu_log_fn(g, " ");
+ if (!nvgpu_is_enabled(g, NVGPU_SUPPORT_DEVICE_EVENTS))
+ return -EINVAL;
+
 if (!session)
 return -EINVAL;
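Review bot: In drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c, the extra `nvgpu_ref_put()` in nvgpu_clk_arb_release_completion_dev now depends on `NVGPU_SUPPORT_DEVICE_EVENTS`, and nothing in this patch shows where that flag is set or that it matches the removed per-chip values (true in gp106_init_clk_arbiter, false in gp10b_init_clk_arbiter). If the two disagree on some chip, the put is either skipped, so the reference taken in nvgpu_clk_arb_commit_request_fd is never released, or issued on top of another release, which would presumably free `dev` while it is still in use. I would extend the existing comment with the invariant, for example `* The test here must match the one that decides who drops the reference taken in nvgpu_clk_arb_commit_request_fd.`, and check it against that function, which is outside this diff. The enclosing function starts and ends outside the hunk.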
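Review bot: The guard added at the top of nvgpu_gpu_get_event_fd in drivers/gpu/nvgpu/os/linux/ioctl_ctrl.c has no comment, although the commit message ties its absence to a use-after-free report from fuzzing, so a later cleanup could move or drop it without knowing why it is there. I would add `/* No event fd on chips without NVGPU_SUPPORT_DEVICE_EVENTS; issuing one led to a use-after-free (Bug 200463292). */` above the check. The check covers this ioctl only; any other path that creates or signals device events on such chips is outside the diff and would need the same test. The function's signature and the rest of its body lie outside the hunk.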