Loading drivers/gpu/msm/adreno_a5xx_preempt.c +3 −2 Original line number Diff line number Diff line /* Copyright (c) 2014-2017, The Linux Foundation. All rights reserved. /* Copyright (c) 2014-2017,2021, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and Loading Loading @@ -407,7 +407,8 @@ unsigned int a5xx_preemption_pre_ibsubmit( /* Enable CP_CONTEXT_SWITCH_YIELD packets in the IB2s */ *cmds++ = cp_type7_packet(CP_YIELD_ENABLE, 1); *cmds++ = 2; *cmds++ = ((preempt_style == KGSL_CONTEXT_PREEMPT_STYLE_RINGBUFFER) ? 0 : 2); return (unsigned int) (cmds - cmds_orig); } Loading drivers/gpu/msm/kgsl.c +10 −3 Original line number Diff line number Diff line Loading @@ -265,8 +265,9 @@ kgsl_mem_entry_create(void) /* put this ref in the caller functions after init */ kref_get(&entry->refcount); } atomic_set(&entry->map_count, 0); } return entry; } #ifdef CONFIG_DMA_SHARED_BUFFER Loading Loading @@ -2200,6 +2201,8 @@ static int kgsl_setup_anon_useraddr(struct kgsl_pagetable *pagetable, { /* Map an anonymous memory chunk */ int ret; if (size == 0 || offset != 0 || !IS_ALIGNED(size, PAGE_SIZE)) return -EINVAL; Loading @@ -2209,7 +2212,6 @@ static int kgsl_setup_anon_useraddr(struct kgsl_pagetable *pagetable, entry->memdesc.flags |= KGSL_MEMFLAGS_USERMEM_ADDR; if (kgsl_memdesc_use_cpu_map(&entry->memdesc)) { int ret; /* Register the address in the database */ ret = kgsl_mmu_set_svm_region(pagetable, Loading @@ -2221,7 +2223,12 @@ static int kgsl_setup_anon_useraddr(struct kgsl_pagetable *pagetable, entry->memdesc.gpuaddr = (uint64_t) hostptr; } return memdesc_sg_virt(&entry->memdesc, hostptr); ret = memdesc_sg_virt(&entry->memdesc, hostptr); if (ret && kgsl_memdesc_use_cpu_map(&entry->memdesc)) kgsl_mmu_put_gpuaddr(&entry->memdesc); return ret; } static int match_file(const void *p, struct file *file, unsigned int fd) Loading drivers/gpu/msm/kgsl_mmu.c +2 −1 Original line number Diff line number Diff line Loading @@ -432,7 +432,8 @@ void kgsl_mmu_put_gpuaddr(struct kgsl_memdesc *memdesc) if (memdesc->size == 0 || memdesc->gpuaddr == 0) return; if (!kgsl_memdesc_is_global(memdesc)) if (!kgsl_memdesc_is_global(memdesc) && (KGSL_MEMDESC_MAPPED & memdesc->priv)) unmap_fail = kgsl_mmu_unmap(pagetable, memdesc); /* Loading drivers/md/dm-verity-target.c +10 −1 Original line number Diff line number Diff line Loading @@ -63,6 +63,14 @@ struct dm_verity_prefetch_work { struct buffer_aux { int hash_verified; }; /* * While system shutdown, skip verity work for I/O error. */ static inline bool verity_is_system_shutting_down(void) { return system_state == SYSTEM_HALT || system_state == SYSTEM_POWER_OFF || system_state == SYSTEM_RESTART; } /* * Initialize struct buffer_aux for a freshly created buffer. Loading Loading @@ -509,7 +517,8 @@ static void verity_end_io(struct bio *bio) { struct dm_verity_io *io = bio->bi_private; if (bio->bi_error && !verity_fec_is_enabled(io->v)) { if (bio->bi_error && (!verity_fec_is_enabled(io->v) || verity_is_system_shutting_down())) { verity_finish_io(io, bio->bi_error); return; } Loading drivers/misc/qseecom.c +49 −80 Original line number Diff line number Diff line /* * QTI Secure Execution Environment Communicator (QSEECOM) driver * * Copyright (c) 2012-2019, The Linux Foundation. All rights reserved. * Copyright (c) 2012-2021, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and Loading Loading @@ -3542,53 +3542,60 @@ static int qseecom_send_cmd(struct qseecom_dev_handle *data, void __user *argp) int __boundary_checks_offset(struct qseecom_send_modfd_cmd_req *req, struct qseecom_send_modfd_listener_resp *lstnr_resp, struct qseecom_dev_handle *data, int i) { struct qseecom_dev_handle *data, int i, size_t size) { char *curr_field = NULL; char *temp_field = NULL; int j = 0; if ((data->type != QSEECOM_LISTENER_SERVICE) && (req->ifd_data[i].fd > 0)) { if ((req->cmd_req_len < sizeof(uint32_t)) || if ((req->cmd_req_len < size) || (req->ifd_data[i].cmd_buf_offset > req->cmd_req_len - sizeof(uint32_t))) { req->cmd_req_len - size)) { pr_err("Invalid offset (req len) 0x%x\n", req->ifd_data[i].cmd_buf_offset); return -EINVAL; } } else if ((data->type == QSEECOM_LISTENER_SERVICE) && (lstnr_resp->ifd_data[i].fd > 0)) { if ((lstnr_resp->resp_len < sizeof(uint32_t)) || (lstnr_resp->ifd_data[i].cmd_buf_offset > lstnr_resp->resp_len - sizeof(uint32_t))) { pr_err("Invalid offset (lstnr resp len) 0x%x\n", lstnr_resp->ifd_data[i].cmd_buf_offset); return -EINVAL; } } return 0; } static int __boundary_checks_offset_64(struct qseecom_send_modfd_cmd_req *req, struct qseecom_send_modfd_listener_resp *lstnr_resp, struct qseecom_dev_handle *data, int i) { if ((data->type != QSEECOM_LISTENER_SERVICE) && (req->ifd_data[i].fd > 0)) { if ((req->cmd_req_len < sizeof(uint64_t)) || (req->ifd_data[i].cmd_buf_offset > req->cmd_req_len - sizeof(uint64_t))) { pr_err("Invalid offset (req len) 0x%x\n", curr_field = (char *) (req->cmd_req_buf + req->ifd_data[i].cmd_buf_offset); for (j = 0; j < MAX_ION_FD; j++) { if ((req->ifd_data[j].fd > 0) && i != j) { temp_field = (char *) (req->cmd_req_buf + req->ifd_data[j].cmd_buf_offset); if (temp_field >= curr_field && temp_field < (curr_field + size)) { pr_err("Invalid field offset 0x%x\n", req->ifd_data[i].cmd_buf_offset); return -EINVAL; } } } } else if ((data->type == QSEECOM_LISTENER_SERVICE) && (lstnr_resp->ifd_data[i].fd > 0)) { if ((lstnr_resp->resp_len < sizeof(uint64_t)) || if ((lstnr_resp->resp_len < size) || (lstnr_resp->ifd_data[i].cmd_buf_offset > lstnr_resp->resp_len - sizeof(uint64_t))) { lstnr_resp->resp_len - size)) { pr_err("Invalid offset (lstnr resp len) 0x%x\n", lstnr_resp->ifd_data[i].cmd_buf_offset); return -EINVAL; } curr_field = (char *) (lstnr_resp->resp_buf_ptr + lstnr_resp->ifd_data[i].cmd_buf_offset); for (j = 0; j < MAX_ION_FD; j++) { if ((lstnr_resp->ifd_data[j].fd > 0) && i != j) { temp_field = (char *) lstnr_resp->resp_buf_ptr + lstnr_resp->ifd_data[j].cmd_buf_offset; if (temp_field >= curr_field && temp_field < (curr_field + size)) { pr_err("Invalid lstnr field offset 0x%x\n", lstnr_resp->ifd_data[i].cmd_buf_offset); return -EINVAL; } } } } return 0; } Loading Loading @@ -3671,8 +3678,10 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup, if (sg_ptr->nents == 1) { uint32_t *update; if (__boundary_checks_offset(req, lstnr_resp, data, i)) if (__boundary_checks_offset(req, lstnr_resp, data, i, sizeof(uint32_t))) goto err; if ((data->type == QSEECOM_CLIENT_APP && (data->client.app_arch == ELFCLASS32 || data->client.app_arch == ELFCLASS64)) || Loading Loading @@ -3703,30 +3712,10 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup, struct qseecom_sg_entry *update; int j = 0; if ((data->type != QSEECOM_LISTENER_SERVICE) && (req->ifd_data[i].fd > 0)) { if ((req->cmd_req_len < SG_ENTRY_SZ * sg_ptr->nents) || (req->ifd_data[i].cmd_buf_offset > (req->cmd_req_len - SG_ENTRY_SZ * sg_ptr->nents))) { pr_err("Invalid offset = 0x%x\n", req->ifd_data[i].cmd_buf_offset); if (__boundary_checks_offset(req, lstnr_resp, data, i, (SG_ENTRY_SZ * sg_ptr->nents))) goto err; } } else if ((data->type == QSEECOM_LISTENER_SERVICE) && (lstnr_resp->ifd_data[i].fd > 0)) { if ((lstnr_resp->resp_len < SG_ENTRY_SZ * sg_ptr->nents) || (lstnr_resp->ifd_data[i].cmd_buf_offset > (lstnr_resp->resp_len - SG_ENTRY_SZ * sg_ptr->nents))) { goto err; } } if ((data->type == QSEECOM_CLIENT_APP && (data->client.app_arch == ELFCLASS32 || data->client.app_arch == ELFCLASS64)) || Loading Loading @@ -3952,9 +3941,10 @@ static int __qseecom_update_cmd_buf_64(void *msg, bool cleanup, if (sg_ptr->nents == 1) { uint64_t *update_64bit; if (__boundary_checks_offset_64(req, lstnr_resp, data, i)) if (__boundary_checks_offset(req, lstnr_resp, data, i, sizeof(uint64_t))) goto err; /* 64bit app uses 64bit address */ update_64bit = (uint64_t *) field; *update_64bit = cleanup ? 0 : Loading @@ -3964,30 +3954,9 @@ static int __qseecom_update_cmd_buf_64(void *msg, bool cleanup, struct qseecom_sg_entry_64bit *update_64bit; int j = 0; if ((data->type != QSEECOM_LISTENER_SERVICE) && (req->ifd_data[i].fd > 0)) { if ((req->cmd_req_len < SG_ENTRY_SZ_64BIT * sg_ptr->nents) || (req->ifd_data[i].cmd_buf_offset > (req->cmd_req_len - SG_ENTRY_SZ_64BIT * sg_ptr->nents))) { pr_err("Invalid offset = 0x%x\n", req->ifd_data[i].cmd_buf_offset); goto err; } } else if ((data->type == QSEECOM_LISTENER_SERVICE) && (lstnr_resp->ifd_data[i].fd > 0)) { if ((lstnr_resp->resp_len < SG_ENTRY_SZ_64BIT * sg_ptr->nents) || (lstnr_resp->ifd_data[i].cmd_buf_offset > (lstnr_resp->resp_len - SG_ENTRY_SZ_64BIT * sg_ptr->nents))) { if (__boundary_checks_offset(req, lstnr_resp, data, i, (SG_ENTRY_SZ_64BIT * sg_ptr->nents))) goto err; } } /* 64bit app uses 64bit address */ update_64bit = (struct qseecom_sg_entry_64bit *)field; for (j = 0; j < sg_ptr->nents; j++) { Loading Loading
drivers/gpu/msm/adreno_a5xx_preempt.c +3 −2 Original line number Diff line number Diff line /* Copyright (c) 2014-2017, The Linux Foundation. All rights reserved. /* Copyright (c) 2014-2017,2021, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and Loading Loading @@ -407,7 +407,8 @@ unsigned int a5xx_preemption_pre_ibsubmit( /* Enable CP_CONTEXT_SWITCH_YIELD packets in the IB2s */ *cmds++ = cp_type7_packet(CP_YIELD_ENABLE, 1); *cmds++ = 2; *cmds++ = ((preempt_style == KGSL_CONTEXT_PREEMPT_STYLE_RINGBUFFER) ? 0 : 2); return (unsigned int) (cmds - cmds_orig); } Loading
drivers/gpu/msm/kgsl.c +10 −3 Original line number Diff line number Diff line Loading @@ -265,8 +265,9 @@ kgsl_mem_entry_create(void) /* put this ref in the caller functions after init */ kref_get(&entry->refcount); } atomic_set(&entry->map_count, 0); } return entry; } #ifdef CONFIG_DMA_SHARED_BUFFER Loading Loading @@ -2200,6 +2201,8 @@ static int kgsl_setup_anon_useraddr(struct kgsl_pagetable *pagetable, { /* Map an anonymous memory chunk */ int ret; if (size == 0 || offset != 0 || !IS_ALIGNED(size, PAGE_SIZE)) return -EINVAL; Loading @@ -2209,7 +2212,6 @@ static int kgsl_setup_anon_useraddr(struct kgsl_pagetable *pagetable, entry->memdesc.flags |= KGSL_MEMFLAGS_USERMEM_ADDR; if (kgsl_memdesc_use_cpu_map(&entry->memdesc)) { int ret; /* Register the address in the database */ ret = kgsl_mmu_set_svm_region(pagetable, Loading @@ -2221,7 +2223,12 @@ static int kgsl_setup_anon_useraddr(struct kgsl_pagetable *pagetable, entry->memdesc.gpuaddr = (uint64_t) hostptr; } return memdesc_sg_virt(&entry->memdesc, hostptr); ret = memdesc_sg_virt(&entry->memdesc, hostptr); if (ret && kgsl_memdesc_use_cpu_map(&entry->memdesc)) kgsl_mmu_put_gpuaddr(&entry->memdesc); return ret; } static int match_file(const void *p, struct file *file, unsigned int fd) Loading
drivers/gpu/msm/kgsl_mmu.c +2 −1 Original line number Diff line number Diff line Loading @@ -432,7 +432,8 @@ void kgsl_mmu_put_gpuaddr(struct kgsl_memdesc *memdesc) if (memdesc->size == 0 || memdesc->gpuaddr == 0) return; if (!kgsl_memdesc_is_global(memdesc)) if (!kgsl_memdesc_is_global(memdesc) && (KGSL_MEMDESC_MAPPED & memdesc->priv)) unmap_fail = kgsl_mmu_unmap(pagetable, memdesc); /* Loading
drivers/md/dm-verity-target.c +10 −1 Original line number Diff line number Diff line Loading @@ -63,6 +63,14 @@ struct dm_verity_prefetch_work { struct buffer_aux { int hash_verified; }; /* * While system shutdown, skip verity work for I/O error. */ static inline bool verity_is_system_shutting_down(void) { return system_state == SYSTEM_HALT || system_state == SYSTEM_POWER_OFF || system_state == SYSTEM_RESTART; } /* * Initialize struct buffer_aux for a freshly created buffer. Loading Loading @@ -509,7 +517,8 @@ static void verity_end_io(struct bio *bio) { struct dm_verity_io *io = bio->bi_private; if (bio->bi_error && !verity_fec_is_enabled(io->v)) { if (bio->bi_error && (!verity_fec_is_enabled(io->v) || verity_is_system_shutting_down())) { verity_finish_io(io, bio->bi_error); return; } Loading
drivers/misc/qseecom.c +49 −80 Original line number Diff line number Diff line /* * QTI Secure Execution Environment Communicator (QSEECOM) driver * * Copyright (c) 2012-2019, The Linux Foundation. All rights reserved. * Copyright (c) 2012-2021, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and Loading Loading @@ -3542,53 +3542,60 @@ static int qseecom_send_cmd(struct qseecom_dev_handle *data, void __user *argp) int __boundary_checks_offset(struct qseecom_send_modfd_cmd_req *req, struct qseecom_send_modfd_listener_resp *lstnr_resp, struct qseecom_dev_handle *data, int i) { struct qseecom_dev_handle *data, int i, size_t size) { char *curr_field = NULL; char *temp_field = NULL; int j = 0; if ((data->type != QSEECOM_LISTENER_SERVICE) && (req->ifd_data[i].fd > 0)) { if ((req->cmd_req_len < sizeof(uint32_t)) || if ((req->cmd_req_len < size) || (req->ifd_data[i].cmd_buf_offset > req->cmd_req_len - sizeof(uint32_t))) { req->cmd_req_len - size)) { pr_err("Invalid offset (req len) 0x%x\n", req->ifd_data[i].cmd_buf_offset); return -EINVAL; } } else if ((data->type == QSEECOM_LISTENER_SERVICE) && (lstnr_resp->ifd_data[i].fd > 0)) { if ((lstnr_resp->resp_len < sizeof(uint32_t)) || (lstnr_resp->ifd_data[i].cmd_buf_offset > lstnr_resp->resp_len - sizeof(uint32_t))) { pr_err("Invalid offset (lstnr resp len) 0x%x\n", lstnr_resp->ifd_data[i].cmd_buf_offset); return -EINVAL; } } return 0; } static int __boundary_checks_offset_64(struct qseecom_send_modfd_cmd_req *req, struct qseecom_send_modfd_listener_resp *lstnr_resp, struct qseecom_dev_handle *data, int i) { if ((data->type != QSEECOM_LISTENER_SERVICE) && (req->ifd_data[i].fd > 0)) { if ((req->cmd_req_len < sizeof(uint64_t)) || (req->ifd_data[i].cmd_buf_offset > req->cmd_req_len - sizeof(uint64_t))) { pr_err("Invalid offset (req len) 0x%x\n", curr_field = (char *) (req->cmd_req_buf + req->ifd_data[i].cmd_buf_offset); for (j = 0; j < MAX_ION_FD; j++) { if ((req->ifd_data[j].fd > 0) && i != j) { temp_field = (char *) (req->cmd_req_buf + req->ifd_data[j].cmd_buf_offset); if (temp_field >= curr_field && temp_field < (curr_field + size)) { pr_err("Invalid field offset 0x%x\n", req->ifd_data[i].cmd_buf_offset); return -EINVAL; } } } } else if ((data->type == QSEECOM_LISTENER_SERVICE) && (lstnr_resp->ifd_data[i].fd > 0)) { if ((lstnr_resp->resp_len < sizeof(uint64_t)) || if ((lstnr_resp->resp_len < size) || (lstnr_resp->ifd_data[i].cmd_buf_offset > lstnr_resp->resp_len - sizeof(uint64_t))) { lstnr_resp->resp_len - size)) { pr_err("Invalid offset (lstnr resp len) 0x%x\n", lstnr_resp->ifd_data[i].cmd_buf_offset); return -EINVAL; } curr_field = (char *) (lstnr_resp->resp_buf_ptr + lstnr_resp->ifd_data[i].cmd_buf_offset); for (j = 0; j < MAX_ION_FD; j++) { if ((lstnr_resp->ifd_data[j].fd > 0) && i != j) { temp_field = (char *) lstnr_resp->resp_buf_ptr + lstnr_resp->ifd_data[j].cmd_buf_offset; if (temp_field >= curr_field && temp_field < (curr_field + size)) { pr_err("Invalid lstnr field offset 0x%x\n", lstnr_resp->ifd_data[i].cmd_buf_offset); return -EINVAL; } } } } return 0; } Loading Loading @@ -3671,8 +3678,10 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup, if (sg_ptr->nents == 1) { uint32_t *update; if (__boundary_checks_offset(req, lstnr_resp, data, i)) if (__boundary_checks_offset(req, lstnr_resp, data, i, sizeof(uint32_t))) goto err; if ((data->type == QSEECOM_CLIENT_APP && (data->client.app_arch == ELFCLASS32 || data->client.app_arch == ELFCLASS64)) || Loading Loading @@ -3703,30 +3712,10 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup, struct qseecom_sg_entry *update; int j = 0; if ((data->type != QSEECOM_LISTENER_SERVICE) && (req->ifd_data[i].fd > 0)) { if ((req->cmd_req_len < SG_ENTRY_SZ * sg_ptr->nents) || (req->ifd_data[i].cmd_buf_offset > (req->cmd_req_len - SG_ENTRY_SZ * sg_ptr->nents))) { pr_err("Invalid offset = 0x%x\n", req->ifd_data[i].cmd_buf_offset); if (__boundary_checks_offset(req, lstnr_resp, data, i, (SG_ENTRY_SZ * sg_ptr->nents))) goto err; } } else if ((data->type == QSEECOM_LISTENER_SERVICE) && (lstnr_resp->ifd_data[i].fd > 0)) { if ((lstnr_resp->resp_len < SG_ENTRY_SZ * sg_ptr->nents) || (lstnr_resp->ifd_data[i].cmd_buf_offset > (lstnr_resp->resp_len - SG_ENTRY_SZ * sg_ptr->nents))) { goto err; } } if ((data->type == QSEECOM_CLIENT_APP && (data->client.app_arch == ELFCLASS32 || data->client.app_arch == ELFCLASS64)) || Loading Loading @@ -3952,9 +3941,10 @@ static int __qseecom_update_cmd_buf_64(void *msg, bool cleanup, if (sg_ptr->nents == 1) { uint64_t *update_64bit; if (__boundary_checks_offset_64(req, lstnr_resp, data, i)) if (__boundary_checks_offset(req, lstnr_resp, data, i, sizeof(uint64_t))) goto err; /* 64bit app uses 64bit address */ update_64bit = (uint64_t *) field; *update_64bit = cleanup ? 0 : Loading @@ -3964,30 +3954,9 @@ static int __qseecom_update_cmd_buf_64(void *msg, bool cleanup, struct qseecom_sg_entry_64bit *update_64bit; int j = 0; if ((data->type != QSEECOM_LISTENER_SERVICE) && (req->ifd_data[i].fd > 0)) { if ((req->cmd_req_len < SG_ENTRY_SZ_64BIT * sg_ptr->nents) || (req->ifd_data[i].cmd_buf_offset > (req->cmd_req_len - SG_ENTRY_SZ_64BIT * sg_ptr->nents))) { pr_err("Invalid offset = 0x%x\n", req->ifd_data[i].cmd_buf_offset); goto err; } } else if ((data->type == QSEECOM_LISTENER_SERVICE) && (lstnr_resp->ifd_data[i].fd > 0)) { if ((lstnr_resp->resp_len < SG_ENTRY_SZ_64BIT * sg_ptr->nents) || (lstnr_resp->ifd_data[i].cmd_buf_offset > (lstnr_resp->resp_len - SG_ENTRY_SZ_64BIT * sg_ptr->nents))) { if (__boundary_checks_offset(req, lstnr_resp, data, i, (SG_ENTRY_SZ_64BIT * sg_ptr->nents))) goto err; } } /* 64bit app uses 64bit address */ update_64bit = (struct qseecom_sg_entry_64bit *)field; for (j = 0; j < sg_ptr->nents; j++) { Loading
