gpu: nvgpu: fix out-of-bound access on gr->gpc_tpc_count

Fix slab-out-of-bounds issue reported by KASAN [ 29.922710] BUG: KASAN: slab-out-of-bounds in gr_gk20a_init_fs_state+0x1bc/0x898 at addr ffffffc1a0988c04 ... [ 29.961820] INFO: Allocated in gr_gk20a_init_gr_config+0x380/0x1b20 age=374 cpu=5 pid=1 ... Out-of-bound access from [ 30.241943] [<ffffffc0007d2674>] gr_gk20a_init_fs_state+0x1bc/0x898 [ 30.248205] [<ffffffc000839a2c>] gr_gm20b_init_fs_state+0x4c/0x5c8 [ 30.254381] [<ffffffc000871670>] gr_gp10b_init_fs_state+0x160/0x3a8 [ 30.260643] [<ffffffc0007d70ec>] gk20a_init_gr_setup_hw+0x974/0x1530 [ 30.266991] [<ffffffc0007eac6c>] gk20a_init_gr_support+0x14c/0xeb0 [ 30.273164] [<ffffffc00079d9c8>] gk20a_pm_finalize_poweron+0x738/0xd10 [ 30.279684] [<ffffffc00079dfd0>] gk20a_pm_runtime_resume+0x30/0x58 Fix this by using a separate API gr_gk20a_get_tpc_count() which returns tpc count for a gpc and returns 0 if gpc index is greater than available gpcs Bug 200257557 Change-Id: I78856ca93c0381cb4bcef7a56a5210fa269cf3ac Signed-off-by: Deepak Nibade <dnibade@nvidia.com> Reviewed-on: http://git-master/r/1277692 GVS: Gerrit_Virtual_Submit Reviewed-by: Sami Kiminki <skiminki@nvidia.com> Reviewed-by: Konsta Holtta <kholtta@nvidia.com> Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
author: Deepak Nibade <dnibade@nvidia.com> 2016-12-28 08:45:25 -0500
committer: mobile promotions <svcmobile_promotions@nvidia.com> 2017-01-02 04:48:04 -0500
commit: 162c04ddcef7a5f345ffdd97dd4de9fbc6d201a7 (patch)
tree: 33a883bfc2b2e40f3ab61e14fc072f9c980eca8d /drivers/gpu/nvgpu/gk20a/gr_gk20a.c
parent: afe77b34454746d3017076e55e166a5f83c7f0f6 (diff)
1 files changed, 27 insertions, 17 deletions
diff --git a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
index bf279e9a..ceb3cb18 100644
--- a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
@@ -1344,6 +1344,18 @@ static void gr_gk20a_program_sm_id_numbering(struct gk20a *g,
                        gr_gpc0_tpc0_pe_cfg_smid_value_f(sm_id));
 }
+/*
+ * Return number of TPCs in a GPC
+ * Return 0 if GPC index is invalid i.e. GPC is disabled
+ */
+static u32 gr_gk20a_get_tpc_count(struct gr_gk20a *gr, u32 gpc_index)
+{
+        if (gpc_index >= gr->gpc_count)
+                return 0;
+        return gr->gpc_tpc_count[gpc_index];
+}
 int gr_gk20a_init_fs_state(struct gk20a *g)
 {
        struct gr_gk20a *gr = &g->gr;
@@ -1351,6 +1363,7 @@ int gr_gk20a_init_fs_state(struct gk20a *g)
        u32 sm_id = 0, gpc_id = 0;
        u32 tpc_per_gpc;
        u32 fuse_tpc_mask;
+        u32 reg_index;
        gk20a_dbg_fn("");
@@ -1367,25 +1380,22 @@ int gr_gk20a_init_fs_state(struct gk20a *g)
                        g->ops.gr.program_active_tpc_counts(g, gpc_index);
        }
-        for (tpc_index = 0, gpc_id = 0;
+        for (reg_index = 0, gpc_id = 0;
-             tpc_index < gr_pd_num_tpc_per_gpc__size_1_v();
+             reg_index < gr_pd_num_tpc_per_gpc__size_1_v();
-             tpc_index++, gpc_id += 8) {
+             reg_index++, gpc_id += 8) {
-                if (gpc_id >= gr->gpc_count)
-                        continue;
                tpc_per_gpc =
-                        gr_pd_num_tpc_per_gpc_count0_f(gr->gpc_tpc_count[gpc_id + 0]) |
+                        gr_pd_num_tpc_per_gpc_count0_f(gr_gk20a_get_tpc_count(gr, gpc_id + 0)) |
-                        gr_pd_num_tpc_per_gpc_count1_f(gr->gpc_tpc_count[gpc_id + 1]) |
+                        gr_pd_num_tpc_per_gpc_count1_f(gr_gk20a_get_tpc_count(gr, gpc_id + 1)) |
-                        gr_pd_num_tpc_per_gpc_count2_f(gr->gpc_tpc_count[gpc_id + 2]) |
+                        gr_pd_num_tpc_per_gpc_count2_f(gr_gk20a_get_tpc_count(gr, gpc_id + 2)) |
-                        gr_pd_num_tpc_per_gpc_count3_f(gr->gpc_tpc_count[gpc_id + 3]) |
+                        gr_pd_num_tpc_per_gpc_count3_f(gr_gk20a_get_tpc_count(gr, gpc_id + 3)) |
-                        gr_pd_num_tpc_per_gpc_count4_f(gr->gpc_tpc_count[gpc_id + 4]) |
+                        gr_pd_num_tpc_per_gpc_count4_f(gr_gk20a_get_tpc_count(gr, gpc_id + 4)) |
-                        gr_pd_num_tpc_per_gpc_count5_f(gr->gpc_tpc_count[gpc_id + 5]) |
+                        gr_pd_num_tpc_per_gpc_count5_f(gr_gk20a_get_tpc_count(gr, gpc_id + 5)) |
-                        gr_pd_num_tpc_per_gpc_count6_f(gr->gpc_tpc_count[gpc_id + 6]) |
+                        gr_pd_num_tpc_per_gpc_count6_f(gr_gk20a_get_tpc_count(gr, gpc_id + 6)) |
-                        gr_pd_num_tpc_per_gpc_count7_f(gr->gpc_tpc_count[gpc_id + 7]);
+                        gr_pd_num_tpc_per_gpc_count7_f(gr_gk20a_get_tpc_count(gr, gpc_id + 7));
-                gk20a_writel(g, gr_pd_num_tpc_per_gpc_r(tpc_index), tpc_per_gpc);
+                gk20a_writel(g, gr_pd_num_tpc_per_gpc_r(reg_index), tpc_per_gpc);
-                gk20a_writel(g, gr_ds_num_tpc_per_gpc_r(tpc_index), tpc_per_gpc);
+                gk20a_writel(g, gr_ds_num_tpc_per_gpc_r(reg_index), tpc_per_gpc);
        }
        /* gr__setup_pd_mapping stubbed for gk20a */
author	Deepak Nibade <dnibade@nvidia.com>	2016-12-28 08:45:25 -0500
committer	mobile promotions <svcmobile_promotions@nvidia.com>	2017-01-02 04:48:04 -0500
commit	162c04ddcef7a5f345ffdd97dd4de9fbc6d201a7 (patch)
tree	33a883bfc2b2e40f3ab61e14fc072f9c980eca8d /drivers/gpu/nvgpu/gk20a/gr_gk20a.c
parent	afe77b34454746d3017076e55e166a5f83c7f0f6 (diff)