From 51ec41e0208a9cf8456f9ae4374aa2217839c2db Mon Sep 17 00:00:00 2001
From: David Chiang
Date: Tue, 14 Dec 2021 15:48:03 +0800
Subject: edgetpu: dmabuf fix potential UAF

Fix read-after-free by not accessing dmap->map after it's added to mappings.
Bug: 210571509
Signed-off-by: David Chiang
Change-Id: Ia63df2f1604b593db5a81e631792abf797e7dccb
---
 drivers/edgetpu/edgetpu-dmabuf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/edgetpu/edgetpu-dmabuf.c b/drivers/edgetpu/edgetpu-dmabuf.c
index f98aafe..276da72 100644
--- a/drivers/edgetpu/edgetpu-dmabuf.c
+++ b/drivers/edgetpu/edgetpu-dmabuf.c
@@ -723,7 +723,7 @@ int edgetpu_map_dmabuf(struct edgetpu_device_group *group,
 __func__, ret);
 goto err_release_map;
 }
- arg->device_address = dmap->map.device_address;
+ arg->device_address = tpu_addr;
 mutex_unlock(&group->lock);
 dma_buf_put(dmabuf);
 return 0;
-- cgit v1.2.3
From e3c8f9749cf0312782e159253187fab5dbb88c86 Mon Sep 17 00:00:00 2001
From: Nishant Prajapati
Date: Thu, 18 Nov 2021 09:55:27 +0530
Subject: edgetpu: unregister KCI irq handler

Unregister KCI irq handler while cancelling KCI work queues to avoid serving interrupt in case of device in power down state.
Bug: 210571509 Note:206717576,204847583
Signed-off-by: Nishant Prajapati
Change-Id: Ia77c0470c82bae39086b498f31a598b996a715eb
---
 drivers/edgetpu/edgetpu-kci.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/drivers/edgetpu/edgetpu-kci.c b/drivers/edgetpu/edgetpu-kci.c
index bfa356f..9339953 100644
--- a/drivers/edgetpu/edgetpu-kci.c
+++ b/drivers/edgetpu/edgetpu-kci.c
@@ -507,6 +507,8 @@ int edgetpu_kci_init(struct edgetpu_mailbox_manager *mgr,
 int edgetpu_kci_reinit(struct edgetpu_kci *kci)
 {
 struct edgetpu_mailbox *mailbox = kci->mailbox;
+ struct edgetpu_mailbox_manager *mgr;
+ unsigned long flags;
 int ret;
 
 if (!mailbox)
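Review bot: The new assignment `arg->device_address = tpu_addr;` in edgetpu_map_dmabuf() (edgetpu-dmabuf.c, first patch) has no comment saying why `dmap` must not be read at this point, so a later cleanup could quietly bring back `dmap->map.device_address` and the read-after-free with it. I would add above it: `/* dmap is owned by the group's mappings from here on and may already be released; use the local copy */`. Where `tpu_addr` is assigned is outside the hunk; presumably it is set before the mapping is added, and it is worth confirming that it holds the same value that was stored in `dmap->map.device_address`. The function starts and ends outside the hunk, so the `err_release_map` path could not be checked for the same pattern.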
@@ -521,6 +523,13 @@ int edgetpu_kci_reinit(struct edgetpu_kci *kci)
 QUEUE_SIZE);
 if (ret)
 return ret;
+
+ mgr = mailbox->etdev->mailbox_manager;
+ /* Restore KCI irq handler */
+ write_lock_irqsave(&mgr->mailboxes_lock, flags);
+ mailbox->handle_irq = edgetpu_kci_handle_irq;
+ write_unlock_irqrestore(&mgr->mailboxes_lock, flags);
+
 edgetpu_mailbox_init_doorbells(mailbox);
 edgetpu_mailbox_enable(mailbox);
 
@@ -529,6 +538,16 @@ int edgetpu_kci_reinit(struct edgetpu_kci *kci)
 
 void edgetpu_kci_cancel_work_queues(struct edgetpu_kci *kci)
 {
+ struct edgetpu_mailbox_manager *mgr;
+ unsigned long flags;
+
+ if (kci->mailbox) {
+ mgr = kci->mailbox->etdev->mailbox_manager;
+ /* Remove IRQ handler to stop responding to interrupts */
+ write_lock_irqsave(&mgr->mailboxes_lock, flags);
+ kci->mailbox->handle_irq = NULL;
+ write_unlock_irqrestore(&mgr->mailboxes_lock, flags);
+ }
 /* Cancel workers that may send KCIs. */
 cancel_work_sync(&kci->usage_work);
 /* Cancel KCI and reverse KCI workers. */
-- cgit v1.2.3
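Review bot: The lock/assign/unlock sequence on `mailbox->handle_irq` is written out twice, here in edgetpu_kci_reinit() and again in edgetpu_kci_cancel_work_queues() in the next hunk, so the rule that this pointer is only written under `mgr->mailboxes_lock` lives in two places. A single static helper keeps that locking discipline in one spot and makes a later unlocked write easier to catch in review. The helper has to sit below the definition of edgetpu_kci_handle_irq, which is outside these hunks. Separately, the early `return ret;` paths above the restore leave the handler detached after a failed reinit; that looks intended, but a one-line comment saying so would help.

```c
/* Attach or detach the KCI irq handler under the manager's mailboxes_lock. */
static void edgetpu_kci_set_irq_handler(struct edgetpu_mailbox *mailbox,
					bool attach)
{
	struct edgetpu_mailbox_manager *mgr = mailbox->etdev->mailbox_manager;
	unsigned long flags;

	write_lock_irqsave(&mgr->mailboxes_lock, flags);
	mailbox->handle_irq = attach ? edgetpu_kci_handle_irq : NULL;
	write_unlock_irqrestore(&mgr->mailboxes_lock, flags);
}

/* … unchanged: queue setup in edgetpu_kci_reinit() … */
	edgetpu_kci_set_irq_handler(mailbox, true);

/* … in edgetpu_kci_cancel_work_queues(), before the cancel_work_sync() calls … */
	if (kci->mailbox)
		edgetpu_kci_set_irq_handler(kci->mailbox, false);
```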
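Review bot: Setting `kci->mailbox->handle_irq = NULL` in edgetpu_kci_cancel_work_queues() is safe only if the interrupt dispatcher reads the pointer under `mailboxes_lock` and checks it for NULL before calling it. That code is not in this hunk and should be confirmed, because a dispatcher that calls the pointer unconditionally would now dereference NULL while the device is powering down. If the dispatcher also holds the read lock across the call, `write_unlock_irqrestore()` means no handler is still running when `cancel_work_sync()` starts; if it does not, a handler that is already running could still queue work after this block. The function name no longer covers everything it does, so I would document it above the definition: `/* Also detaches the KCI irq handler; edgetpu_kci_reinit() restores it. */`. The function body continues past the end of the hunk.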