gpu: nvgpu: error handling for invalid ioctl call

NVGPU_GPU_IOCTL_GET_EVENT_FD should return -EINVAL when invoked in any chips which donot have NVGPU_SUPPORT_DEVICE_EVENTS enabled. This is resulting in an use-after-free error in UBSAN from syzkaller fuzzing in the nvgpu driver. Also, as an addon remove the flag clk_arb_events_supported as the device events check can be made using the flag NVGPU_SUPPORT_DEVICE_EVENTS. Bug 200463292 Change-Id: I0ed0217704daa9e401b57a268a30b9f798928e4a Signed-off-by: Debarshi Dutta <ddutta@nvidia.com> Reviewed-on: https://git-master.nvidia.com/r/1956070 Reviewed-by: svc-mobile-coverity <svc-mobile-coverity@nvidia.com> Reviewed-by: svc-misra-checker <svc-misra-checker@nvidia.com> Reviewed-by: Konsta Holtta <kholtta@nvidia.com> GVS: Gerrit_Virtual_Submit Reviewed-by: Alex Waterman <alexw@nvidia.com> Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com> Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
2025-12-23 09:57:08 +03:00 · 2018-11-22 15:01:36 +05:30
parent e19cea7ab3
commit c965ef8dc2
5 changed files with 5 additions and 7 deletions
--- a/drivers/gpu/nvgpu/gp106/clk_arb_gp106.c
+++ b/drivers/gpu/nvgpu/gp106/clk_arb_gp106.c
@@ -138,8 +138,6 @@ int gp106_init_clk_arbiter(struct gk20a *g)
 		return -ENOMEM;
 	}

-	arb->clk_arb_events_supported = true;
-
 	err = nvgpu_mutex_init(&arb->pstate_lock);
 	if (err != 0) {
 		goto mutex_fail;
--- a/drivers/gpu/nvgpu/gp10b/clk_arb_gp10b.c
+++ b/drivers/gpu/nvgpu/gp10b/clk_arb_gp10b.c
@@ -136,8 +136,6 @@ int gp10b_init_clk_arbiter(struct gk20a *g)
 		return -ENOMEM;
 	}

-	arb->clk_arb_events_supported = false;
-
 	err = nvgpu_mutex_init(&arb->pstate_lock);
 	if (err != 0) {
 		goto mutex_fail;
--- a/drivers/gpu/nvgpu/include/nvgpu/clk_arb.h
+++ b/drivers/gpu/nvgpu/include/nvgpu/clk_arb.h
@@ -217,8 +217,6 @@ struct nvgpu_clk_arb {
 	u16 *gpc2clk_f_points;
 	u32 gpc2clk_f_numpoints;

-	bool clk_arb_events_supported;
-
 	nvgpu_atomic64_t alarm_mask;
 	struct nvgpu_clk_notification_queue notification_queue;

--- a/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c
+++ b/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c
@@ -36,6 +36,7 @@
 #include <nvgpu/list.h>
 #include <nvgpu/clk_arb.h>
 #include <nvgpu/gk20a.h>
+#include <nvgpu/enabled.h>

 #include "clk/clk.h"
 #include "pstate/pstate.h"
@@ -58,7 +59,7 @@ static int nvgpu_clk_arb_release_completion_dev(struct inode *inode,
 	/* This is done to account for the extra refcount taken in
 	 * nvgpu_clk_arb_commit_request_fd without events support in iGPU
 	 */
-	if (!session->g->clk_arb->clk_arb_events_supported) {
+	if (!nvgpu_is_enabled(session->g, NVGPU_SUPPORT_DEVICE_EVENTS)) {
 		nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
 	}

--- a/drivers/gpu/nvgpu/os/linux/ioctl_ctrl.c
+++ b/drivers/gpu/nvgpu/os/linux/ioctl_ctrl.c
@@ -1348,6 +1348,9 @@ static int nvgpu_gpu_get_event_fd(struct gk20a *g,

 	nvgpu_log_fn(g, " ");

+	if (!nvgpu_is_enabled(g, NVGPU_SUPPORT_DEVICE_EVENTS))
+		return -EINVAL;
+
 	if (!session)
 		return -EINVAL;