author | Sachin Kumar Tiwari <sky.tiwari@samsung.com> | 2023-04-20 12:00:43 +0530 |
---|---|---|
committer | Todd Frederick <tfred@google.com> | 2023-04-20 16:58:46 +0000 |
commit | 0830bb409768873a1b1c0e7982d48e6a624c7407 (patch) | |
tree | 1cdb921b372406f6b25acf98e8c23d90f2bb2917 | |
parent | d9835556288ce8f94c69bb52512b87fdf94a17ba (diff) | |
gpu: r29p0: CVE-2023-28147
Bug: 274002431
Bug: 276388704
Change-Id: I7557c77e0ff493269b264295f693441431be431d
Signed-off-by: Sachin Kumar Tiwari <sky.tiwari@samsung.com>
Signed-off-by: Todd Frederick <tfred@google.com>
-rw-r--r-- | drivers/gpu/arm/t72x/r29p0/mali_kbase_mem.c | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/drivers/gpu/arm/t72x/r29p0/mali_kbase_mem.c b/drivers/gpu/arm/t72x/r29p0/mali_kbase_mem.c
index 827939e5a19e..f98af64d2fbe 100644
--- a/drivers/gpu/arm/t72x/r29p0/mali_kbase_mem.c
+++ b/drivers/gpu/arm/t72x/r29p0/mali_kbase_mem.c
@@ -336,7 +336,7 @@ int kbase_remove_va_region(struct kbase_va_region *reg)
 struct rb_node *rbnext;
 struct kbase_va_region *next = NULL;
 struct rb_root *reg_rbtree = NULL;
-
+ struct kbase_va_region *orig_reg = reg;
 int merged_front = 0;
 int merged_back = 0;
 int err = 0;
@@ -397,6 +397,12 @@ int kbase_remove_va_region(struct kbase_va_region *reg)
 rb_replace_node(&(reg->rblink), &(free_reg->rblink), reg_rbtree);
 }
+ /* This operation is always safe because the function never frees
+ * the region. If the region has been merged to both front and back,
+ * then it's the previous region that is supposed to be freed.
+ */
+ orig_reg->start_pfn = 0;
+
 out:
 return err;
 }
@@ -1346,7 +1352,8 @@ int kbase_gpu_mmap(struct kbase_context *kctx, struct kbase_va_region *reg, u64
 reg->flags & gwt_mask,
 kctx->as_nr);
 if (err)
- goto bad_insert;
+ goto bad_aliased_insert;
+
 /* Note: mapping count is tracked at alias
 * creation time
 */
@@ -1358,7 +1365,7 @@ int kbase_gpu_mmap(struct kbase_context *kctx, struct kbase_va_region *reg, u64
 (reg->flags & mask & gwt_mask) | attr);
 if (err)
- goto bad_insert;
+ goto bad_aliased_insert;
 }
 }
 } else {
@@ -1369,6 +1376,7 @@ int kbase_gpu_mmap(struct kbase_context *kctx, struct kbase_va_region *reg, u64
 kbase_reg_current_backed_size(reg),
 reg->flags & gwt_mask,
 kctx->as_nr);
+
 if (err)
 goto bad_insert;
 kbase_mem_phy_alloc_gpu_mapped(reg->gpu_alloc);
@@ -1376,7 +1384,7 @@ int kbase_gpu_mmap(struct kbase_context *kctx, struct kbase_va_region *reg, u64
 return err;
-bad_insert:
+bad_aliased_insert:
 if (reg->gpu_alloc->type == KBASE_MEM_TYPE_ALIAS) {
 u64 stride;
@@ -1391,7 +1399,7 @@ bad_insert:
 kctx->as_nr);
 }
 }
-
+bad_insert:
 kbase_remove_va_region(reg);
 return err; |
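Review bot: The added comment in the second hunk says why writing `orig_reg->start_pfn = 0;` is safe but not what the zero means to later code, and no reader of that value is added anywhere in this commit, so the fix relies on a check that already exists elsewhere. If zero is meant as the marker for a region that is no longer in the region tree, say so in the comment, e.g. `start_pfn == 0 marks the region as removed from the VA tree, so a repeated remove/unmap can be detected`, and name the function that tests it. The store also sits above `out:`, so any `goto out` taken earlier in kbase_remove_va_region skips it; the body between the first two hunks is not shown, so confirm that no such path runs after the tree has been changed.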
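Review bot: Both `goto bad_aliased_insert;` sites (the third and fourth hunks) sit before the `} else {`, so they appear to be reachable only on the alias path, which would make the `if (reg->gpu_alloc->type == KBASE_MEM_TYPE_ALIAS)` test kept under `bad_aliased_insert:` redundant. Either drop the test or mark it as deliberate, and add a one-line comment at each label, for example `/* undo alias mappings made so far, then fall through */` above `bad_aliased_insert:` and `/* only the VA region needs removing */` above `bad_insert:`. The teardown loop between the two labels is mostly outside the hunks, so whether it is limited to the entries inserted before the failure cannot be checked from this page. kbase_gpu_mmap starts and ends outside these hunks.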