From 8fa5e7c58ac08fdb2432a4791595278d69827fb0 Mon Sep 17 00:00:00 2001 From: Terje Bergstrom Date: Tue, 8 Nov 2016 14:29:14 -0800 Subject: gpu: nvgpu: Remove IOCTL FREE_OBJ_CTX We have never used the IOCTL FREE_OBJ_CTX. Using it leads to context being only partially available, and can lead to use-after-free. Bug 1834225 Change-Id: I9d2b632ab79760f8186d02e0f35861b3a6aae649 Signed-off-by: Terje Bergstrom Reviewed-on: http://git-master/r/1250004 Reviewed-by: mobile promotions Tested-by: mobile promotions --- drivers/gpu/nvgpu/gk20a/channel_gk20a.c | 12 ------------ drivers/gpu/nvgpu/gk20a/channel_gk20a.h | 1 - drivers/gpu/nvgpu/gk20a/gk20a.h | 2 -- drivers/gpu/nvgpu/gk20a/gr_gk20a.c | 23 ----------------------- drivers/gpu/nvgpu/gm20b/gr_gm20b.c | 1 - drivers/gpu/nvgpu/vgpu/gr_vgpu.c | 22 ---------------------- 6 files changed, 61 deletions(-) (limited to 'drivers') diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c index 53ed606d..43a6df0e 100644 --- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c +++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c @@ -3467,18 +3467,6 @@ long gk20a_channel_ioctl(struct file *filp, (struct nvgpu_alloc_obj_ctx_args *)buf); gk20a_idle(dev); break; - case NVGPU_IOCTL_CHANNEL_FREE_OBJ_CTX: - err = gk20a_busy(dev); - if (err) { - dev_err(dev, - "%s: failed to host gk20a for ioctl cmd: 0x%x", - __func__, cmd); - break; - } - err = ch->g->ops.gr.free_obj_ctx(ch, - (struct nvgpu_free_obj_ctx_args *)buf); - gk20a_idle(dev); - break; case NVGPU_IOCTL_CHANNEL_ALLOC_GPFIFO_EX: { struct nvgpu_alloc_gpfifo_ex_args *alloc_gpfifo_ex_args = diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.h b/drivers/gpu/nvgpu/gk20a/channel_gk20a.h index f17128f0..832e03e9 100644 --- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.h +++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.h @@ -155,7 +155,6 @@ struct channel_gk20a { u64 userd_iova; u64 userd_gpu_va; - s32 num_objects; u32 obj_class; /* we support only one obj per channel */ struct priv_cmd_queue priv_cmd_q; diff --git a/drivers/gpu/nvgpu/gk20a/gk20a.h b/drivers/gpu/nvgpu/gk20a/gk20a.h index 7699cd53..07752d66 100644 --- a/drivers/gpu/nvgpu/gk20a/gk20a.h +++ b/drivers/gpu/nvgpu/gk20a/gk20a.h @@ -196,8 +196,6 @@ struct gpu_ops { void (*free_channel_ctx)(struct channel_gk20a *c); int (*alloc_obj_ctx)(struct channel_gk20a *c, struct nvgpu_alloc_obj_ctx_args *args); - int (*free_obj_ctx)(struct channel_gk20a *c, - struct nvgpu_free_obj_ctx_args *args); int (*bind_ctxsw_zcull)(struct gk20a *g, struct gr_gk20a *gr, struct channel_gk20a *c, u64 zcull_va, u32 mode); diff --git a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c index 0e8c1884..e6103479 100644 --- a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c +++ b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c @@ -2957,7 +2957,6 @@ void gk20a_free_channel_ctx(struct channel_gk20a *c) memset(&c->ch_ctx, 0, sizeof(struct channel_ctx_gk20a)); - c->num_objects = 0; c->first_init = false; } @@ -3169,8 +3168,6 @@ int gk20a_alloc_obj_ctx(struct channel_gk20a *c, c->first_init = true; } - c->num_objects++; - gk20a_dbg_fn("done"); return 0; out: @@ -3182,25 +3179,6 @@ out: return err; } -int gk20a_free_obj_ctx(struct channel_gk20a *c, - struct nvgpu_free_obj_ctx_args *args) -{ - gk20a_dbg_fn(""); - - if (c->num_objects == 0) - return 0; - - c->num_objects--; - - if (c->num_objects == 0) { - c->first_init = false; - gk20a_disable_channel(c); - gr_gk20a_free_channel_patch_ctx(c); - } - - return 0; -} - int gk20a_comptag_allocator_init(struct gk20a_comptag_allocator *allocator, unsigned long size) { @@ -9082,7 +9060,6 @@ void gk20a_init_gr_ops(struct gpu_ops *gops) gops->gr.get_gpc_tpc_mask = gr_gk20a_get_gpc_tpc_mask; gops->gr.free_channel_ctx = gk20a_free_channel_ctx; gops->gr.alloc_obj_ctx = gk20a_alloc_obj_ctx; - gops->gr.free_obj_ctx = gk20a_free_obj_ctx; gops->gr.bind_ctxsw_zcull = gr_gk20a_bind_ctxsw_zcull; gops->gr.get_zcull_info = gr_gk20a_get_zcull_info; gops->gr.is_tpc_addr = gr_gk20a_is_tpc_addr; diff --git a/drivers/gpu/nvgpu/gm20b/gr_gm20b.c b/drivers/gpu/nvgpu/gm20b/gr_gm20b.c index 37b9737b..56812fa6 100644 --- a/drivers/gpu/nvgpu/gm20b/gr_gm20b.c +++ b/drivers/gpu/nvgpu/gm20b/gr_gm20b.c @@ -1534,7 +1534,6 @@ void gm20b_init_gr(struct gpu_ops *gops) gops->gr.get_gpc_tpc_mask = gr_gm20b_get_gpc_tpc_mask; gops->gr.free_channel_ctx = gk20a_free_channel_ctx; gops->gr.alloc_obj_ctx = gk20a_alloc_obj_ctx; - gops->gr.free_obj_ctx = gk20a_free_obj_ctx; gops->gr.bind_ctxsw_zcull = gr_gk20a_bind_ctxsw_zcull; gops->gr.get_zcull_info = gr_gk20a_get_zcull_info; gops->gr.is_tpc_addr = gr_gm20b_is_tpc_addr; diff --git a/drivers/gpu/nvgpu/vgpu/gr_vgpu.c b/drivers/gpu/nvgpu/vgpu/gr_vgpu.c index 89223091..01f5e1a5 100644 --- a/drivers/gpu/nvgpu/vgpu/gr_vgpu.c +++ b/drivers/gpu/nvgpu/vgpu/gr_vgpu.c @@ -421,7 +421,6 @@ static void vgpu_gr_free_channel_ctx(struct channel_gk20a *c) memset(&c->ch_ctx, 0, sizeof(struct channel_ctx_gk20a)); - c->num_objects = 0; c->first_init = false; } @@ -586,8 +585,6 @@ static int vgpu_gr_alloc_obj_ctx(struct channel_gk20a *c, c->first_init = true; } - c->num_objects++; - gk20a_dbg_fn("done"); return 0; out: @@ -599,24 +596,6 @@ out: return err; } -static int vgpu_gr_free_obj_ctx(struct channel_gk20a *c, - struct nvgpu_free_obj_ctx_args *args) -{ - gk20a_dbg_fn(""); - - if (c->num_objects == 0) - return 0; - - c->num_objects--; - - if (c->num_objects == 0) { - c->first_init = false; - gk20a_disable_channel(c); - } - - return 0; -} - static int vgpu_gr_init_gr_config(struct gk20a *g, struct gr_gk20a *gr) { struct vgpu_priv_data *priv = vgpu_get_priv_data(g); @@ -1073,7 +1052,6 @@ void vgpu_init_gr_ops(struct gpu_ops *gops) gops->gr.detect_sm_arch = vgpu_gr_detect_sm_arch; gops->gr.free_channel_ctx = vgpu_gr_free_channel_ctx; gops->gr.alloc_obj_ctx = vgpu_gr_alloc_obj_ctx; - gops->gr.free_obj_ctx = vgpu_gr_free_obj_ctx; gops->gr.alloc_gr_ctx = vgpu_gr_alloc_gr_ctx; gops->gr.free_gr_ctx = vgpu_gr_free_gr_ctx; gops->gr.bind_ctxsw_zcull = vgpu_gr_bind_ctxsw_zcull; -- cgit v1.2.2