<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/drivers/accel/qaic, branch v6.5</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>accel/qaic: Clean up integer overflow checking in map_user_pages()</title>
<updated>2023-08-15T15:51:13+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@linaro.org</email>
</author>
<published>2023-08-10T12:23:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=96d3c1cadedb6ae2e8965e19cd12caa244afbd9c'/>
<id>96d3c1cadedb6ae2e8965e19cd12caa244afbd9c</id>
<content type='text'>
The encode_dma() function has some validation on in_trans-&gt;size but it
would be more clear to move those checks to find_and_map_user_pages().

The encode_dma() had two checks:

	if (in_trans-&gt;addr + in_trans-&gt;size &lt; in_trans-&gt;addr || !in_trans-&gt;size)
		return -EINVAL;

The in_trans-&gt;addr variable is the starting address.  The in_trans-&gt;size
variable is the total size of the transfer.  The transfer can occur in
parts and the resources-&gt;xferred_dma_size tracks how many bytes we have
already transferred.

This patch introduces a new variable "remaining" which represents the
amount we want to transfer (in_trans-&gt;size) minus the amount we have
already transferred (resources-&gt;xferred_dma_size).

I have modified the check for if in_trans-&gt;size is zero to instead check
if in_trans-&gt;size is less than resources-&gt;xferred_dma_size.  If we have
already transferred more bytes than in_trans-&gt;size then there are negative
bytes remaining which doesn't make sense.  If there are zero bytes
remaining to be copied, just return success.

The check in encode_dma() checked that "addr + size" could not overflow
and barring a driver bug that should work, but it's easier to check if
we do this in parts.  First check that "in_trans-&gt;addr +
resources-&gt;xferred_dma_size" is safe.  Then check that "xfer_start_addr +
remaining" is safe.

My final concern was that we are dealing with u64 values but on 32bit
systems the kmalloc() function will truncate the sizes to 32 bits.  So
I calculated "total = in_trans-&gt;size + offset_in_page(xfer_start_addr);"
and returned -EINVAL if it were &gt;= SIZE_MAX.  This will not affect 64bit
systems.

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Reviewed-by: Carl Vanderlip &lt;quic_carlv@quicinc.com&gt;
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/24d3348b-25ac-4c1b-b171-9dae7c43e4e0@moroto.mountain
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The encode_dma() function has some validation on in_trans-&gt;size but it
would be more clear to move those checks to find_and_map_user_pages().

The encode_dma() had two checks:

	if (in_trans-&gt;addr + in_trans-&gt;size &lt; in_trans-&gt;addr || !in_trans-&gt;size)
		return -EINVAL;

The in_trans-&gt;addr variable is the starting address.  The in_trans-&gt;size
variable is the total size of the transfer.  The transfer can occur in
parts and the resources-&gt;xferred_dma_size tracks how many bytes we have
already transferred.

This patch introduces a new variable "remaining" which represents the
amount we want to transfer (in_trans-&gt;size) minus the amount we have
already transferred (resources-&gt;xferred_dma_size).

I have modified the check for if in_trans-&gt;size is zero to instead check
if in_trans-&gt;size is less than resources-&gt;xferred_dma_size.  If we have
already transferred more bytes than in_trans-&gt;size then there are negative
bytes remaining which doesn't make sense.  If there are zero bytes
remaining to be copied, just return success.

The check in encode_dma() checked that "addr + size" could not overflow
and barring a driver bug that should work, but it's easier to check if
we do this in parts.  First check that "in_trans-&gt;addr +
resources-&gt;xferred_dma_size" is safe.  Then check that "xfer_start_addr +
remaining" is safe.

My final concern was that we are dealing with u64 values but on 32bit
systems the kmalloc() function will truncate the sizes to 32 bits.  So
I calculated "total = in_trans-&gt;size + offset_in_page(xfer_start_addr);"
and returned -EINVAL if it were &gt;= SIZE_MAX.  This will not affect 64bit
systems.

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Reviewed-by: Carl Vanderlip &lt;quic_carlv@quicinc.com&gt;
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/24d3348b-25ac-4c1b-b171-9dae7c43e4e0@moroto.mountain
</pre>
</div>
</content>
</entry>
<entry>
<title>accel/qaic: Fix slicing memory leak</title>
<updated>2023-08-15T15:50:07+00:00</updated>
<author>
<name>Pranjal Ramajor Asha Kanojiya</name>
<email>quic_pkanojiy@quicinc.com</email>
</author>
<published>2023-08-02T14:59:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=2d956177b7c96e62fac762a3b7da4318cde27a73'/>
<id>2d956177b7c96e62fac762a3b7da4318cde27a73</id>
<content type='text'>
The temporary buffer storing slicing configuration data from user is only
freed on error.  This is a memory leak.  Free the buffer unconditionally.

Fixes: ff13be830333 ("accel/qaic: Add datapath")
Signed-off-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Carl Vanderlip &lt;quic_carlv@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20230802145937.14827-1-quic_jhugo@quicinc.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The temporary buffer storing slicing configuration data from user is only
freed on error.  This is a memory leak.  Free the buffer unconditionally.

Fixes: ff13be830333 ("accel/qaic: Add datapath")
Signed-off-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Carl Vanderlip &lt;quic_carlv@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20230802145937.14827-1-quic_jhugo@quicinc.com
</pre>
</div>
</content>
</entry>
<entry>
<title>accel/qaic: Fix a leak in map_user_pages()</title>
<updated>2023-07-14T16:14:58+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@linaro.org</email>
</author>
<published>2023-07-11T08:21:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=73274c33d961f4aa0f968f763e2c9f4210b4f4a3'/>
<id>73274c33d961f4aa0f968f763e2c9f4210b4f4a3</id>
<content type='text'>
If get_user_pages_fast() allocates some pages but not as many as we
wanted, then the current code leaks those pages.  Call put_page() on
the pages before returning.

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Reviewed-by: Dafna Hirschfeld &lt;dhirschfeld@habana.ai&gt;
Cc: stable@vger.kernel.org # 6.4.x
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q+ZuONTsBG+1T@moroto
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If get_user_pages_fast() allocates some pages but not as many as we
wanted, then the current code leaks those pages.  Call put_page() on
the pages before returning.

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Reviewed-by: Dafna Hirschfeld &lt;dhirschfeld@habana.ai&gt;
Cc: stable@vger.kernel.org # 6.4.x
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q+ZuONTsBG+1T@moroto
</pre>
</div>
</content>
</entry>
<entry>
<title>accel/qaic: Add consistent integer overflow checks</title>
<updated>2023-07-14T16:12:05+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@linaro.org</email>
</author>
<published>2023-07-11T08:21:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=47d87f71d00b7091b43a56f608f7151b33e5772e'/>
<id>47d87f71d00b7091b43a56f608f7151b33e5772e</id>
<content type='text'>
The encode_dma() function has integer overflow checks.  The
encode_passthrough(), encode_activate() and encode_status() functions
did not.  I added integer overflow checking everywhere.  I also
updated the integer overflow checking in encode_dma() to use size_add()
so everything is consistent.

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Cc: stable@vger.kernel.org # 6.4.x
[jhugo: tweak if in encode_dma() to match existing style]
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q7IsPkj6WSCcL@moroto
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The encode_dma() function has integer overflow checks.  The
encode_passthrough(), encode_activate() and encode_status() functions
did not.  I added integer overflow checking everywhere.  I also
updated the integer overflow checking in encode_dma() to use size_add()
so everything is consistent.

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Cc: stable@vger.kernel.org # 6.4.x
[jhugo: tweak if in encode_dma() to match existing style]
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q7IsPkj6WSCcL@moroto
</pre>
</div>
</content>
</entry>
<entry>
<title>accel/qaic: tighten bounds checking in decode_message()</title>
<updated>2023-07-14T16:03:09+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@linaro.org</email>
</author>
<published>2023-07-11T08:20:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=51b56382ed2a2b03347372272362b3baa623ed1e'/>
<id>51b56382ed2a2b03347372272362b3baa623ed1e</id>
<content type='text'>
Copy the bounds checking from encode_message() to decode_message().

This patch addresses the following concerns.  Ensure that there is
enough space for at least one header so that we don't have a negative
size later.

	if (msg_hdr_len &lt; sizeof(*trans_hdr))

Ensure that we have enough space to read the next header from the
msg-&gt;data.

	if (msg_len &gt; msg_hdr_len - sizeof(*trans_hdr))
		return -EINVAL;

Check that the trans_hdr-&gt;len is not below the minimum size:

	if (hdr_len &lt; sizeof(*trans_hdr))

This minimum check ensures that we don't corrupt memory in
decode_passthrough() when we do.

	memcpy(out_trans-&gt;data, in_trans-&gt;data, len - sizeof(in_trans-&gt;hdr));

And finally, use size_add() to prevent an integer overflow:

	if (size_add(msg_len, hdr_len) &gt; msg_hdr_len)

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Cc: stable@vger.kernel.org # 6.4.x
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q5nbLyDO7kJa+@moroto
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Copy the bounds checking from encode_message() to decode_message().

This patch addresses the following concerns.  Ensure that there is
enough space for at least one header so that we don't have a negative
size later.

	if (msg_hdr_len &lt; sizeof(*trans_hdr))

Ensure that we have enough space to read the next header from the
msg-&gt;data.

	if (msg_len &gt; msg_hdr_len - sizeof(*trans_hdr))
		return -EINVAL;

Check that the trans_hdr-&gt;len is not below the minimum size:

	if (hdr_len &lt; sizeof(*trans_hdr))

This minimum check ensures that we don't corrupt memory in
decode_passthrough() when we do.

	memcpy(out_trans-&gt;data, in_trans-&gt;data, len - sizeof(in_trans-&gt;hdr));

And finally, use size_add() to prevent an integer overflow:

	if (size_add(msg_len, hdr_len) &gt; msg_hdr_len)

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Cc: stable@vger.kernel.org # 6.4.x
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q5nbLyDO7kJa+@moroto
</pre>
</div>
</content>
</entry>
<entry>
<title>accel/qaic: tighten bounds checking in encode_message()</title>
<updated>2023-07-14T16:00:45+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@linaro.org</email>
</author>
<published>2023-07-11T08:20:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ea33cb6fc2788f9fe248d49e1c0b2553a58436ef'/>
<id>ea33cb6fc2788f9fe248d49e1c0b2553a58436ef</id>
<content type='text'>
There are several issues in this code.  The check at the start of the
loop:

	if (user_len &gt;= user_msg-&gt;len) {

This check does not ensure that we have enough space for the trans_hdr
(8 bytes).  Instead the check needs to be:

	if (user_len &gt; user_msg-&gt;len - sizeof(*trans_hdr)) {

That subtraction is done as an unsigned long we want to avoid
negatives.  Add a lower bound to the start of the function.

	if (user_msg-&gt;len &lt; sizeof(*trans_hdr))

There is a second integer underflow which can happen if
trans_hdr-&gt;len is zero inside the encode_passthrough() function.

	memcpy(out_trans-&gt;data, in_trans-&gt;data, in_trans-&gt;hdr.len - sizeof(in_trans-&gt;hdr));

Instead of adding a check to encode_passthrough() it's better to check
in this central place.  Add that check:

	if (trans_hdr-&gt;len &lt; sizeof(trans_hdr)

The final concern is that the "user_len + trans_hdr-&gt;len" might have an
integer overflow bug.  Use size_add() to prevent that.

-	if (user_len + trans_hdr-&gt;len &gt; user_msg-&gt;len) {
+	if (size_add(user_len, trans_hdr-&gt;len) &gt; user_msg-&gt;len) {

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Cc: stable@vger.kernel.org # 6.4.x
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/9a0cb0c1-a974-4f10-bc8d-94437983639a@moroto.mountain
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There are several issues in this code.  The check at the start of the
loop:

	if (user_len &gt;= user_msg-&gt;len) {

This check does not ensure that we have enough space for the trans_hdr
(8 bytes).  Instead the check needs to be:

	if (user_len &gt; user_msg-&gt;len - sizeof(*trans_hdr)) {

That subtraction is done as an unsigned long we want to avoid
negatives.  Add a lower bound to the start of the function.

	if (user_msg-&gt;len &lt; sizeof(*trans_hdr))

There is a second integer underflow which can happen if
trans_hdr-&gt;len is zero inside the encode_passthrough() function.

	memcpy(out_trans-&gt;data, in_trans-&gt;data, in_trans-&gt;hdr.len - sizeof(in_trans-&gt;hdr));

Instead of adding a check to encode_passthrough() it's better to check
in this central place.  Add that check:

	if (trans_hdr-&gt;len &lt; sizeof(trans_hdr)

The final concern is that the "user_len + trans_hdr-&gt;len" might have an
integer overflow bug.  Use size_add() to prevent that.

-	if (user_len + trans_hdr-&gt;len &gt; user_msg-&gt;len) {
+	if (size_add(user_len, trans_hdr-&gt;len) &gt; user_msg-&gt;len) {

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Cc: stable@vger.kernel.org # 6.4.x
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/9a0cb0c1-a974-4f10-bc8d-94437983639a@moroto.mountain
</pre>
</div>
</content>
</entry>
<entry>
<title>accel/qaic: Call DRM helper function to destroy prime GEM</title>
<updated>2023-06-20T14:07:29+00:00</updated>
<author>
<name>Pranjal Ramajor Asha Kanojiya</name>
<email>quic_pkanojiy@quicinc.com</email>
</author>
<published>2023-06-14T16:15:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=8d0d16a3ef44c60d66f937c21f32fa2cf8f2c9ed'/>
<id>8d0d16a3ef44c60d66f937c21f32fa2cf8f2c9ed</id>
<content type='text'>
smatch warning:
	drivers/accel/qaic/qaic_data.c:620 qaic_free_object() error:
		dereferencing freed memory 'obj-&gt;import_attach'

obj-&gt;import_attach is detached and freed using dma_buf_detach().
But used after free to decrease the dmabuf ref count using
dma_buf_put().

drm_prime_gem_destroy() handles this issue and performs the proper clean
up instead of open coding it in the driver.

Fixes: ff13be830333 ("accel/qaic: Add datapath")
Reported-by: Sukrut Bellary &lt;sukrut.bellary@linux.com&gt;
Closes: https://lore.kernel.org/all/20230610021200.377452-1-sukrut.bellary@linux.com/
Suggested-by: Christian König &lt;christian.koenig@amd.com&gt;
Signed-off-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Carl Vanderlip &lt;quic_carlv@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Reviewed-by: Christian König &lt;christian.koenig@amd.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20230614161528.11710-1-quic_jhugo@quicinc.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
smatch warning:
	drivers/accel/qaic/qaic_data.c:620 qaic_free_object() error:
		dereferencing freed memory 'obj-&gt;import_attach'

obj-&gt;import_attach is detached and freed using dma_buf_detach().
But used after free to decrease the dmabuf ref count using
dma_buf_put().

drm_prime_gem_destroy() handles this issue and performs the proper clean
up instead of open coding it in the driver.

Fixes: ff13be830333 ("accel/qaic: Add datapath")
Reported-by: Sukrut Bellary &lt;sukrut.bellary@linux.com&gt;
Closes: https://lore.kernel.org/all/20230610021200.377452-1-sukrut.bellary@linux.com/
Suggested-by: Christian König &lt;christian.koenig@amd.com&gt;
Signed-off-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Carl Vanderlip &lt;quic_carlv@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Reviewed-by: Christian König &lt;christian.koenig@amd.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20230614161528.11710-1-quic_jhugo@quicinc.com
</pre>
</div>
</content>
</entry>
<entry>
<title>accel/qaic: Fix NULL pointer deref in qaic_destroy_drm_device()</title>
<updated>2023-06-09T17:07:28+00:00</updated>
<author>
<name>Jeffrey Hugo</name>
<email>quic_jhugo@quicinc.com</email>
</author>
<published>2023-06-02T21:04:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=61d8cdb7872c82d8a4d5e5251b0010332c316a67'/>
<id>61d8cdb7872c82d8a4d5e5251b0010332c316a67</id>
<content type='text'>
If qaic_destroy_drm_device() is called before the device has fully
initialized it will cause a NULL pointer dereference as the drm device
has not yet been created. Fix this with a NULL check.

Fixes: c501ca23a6a3 ("accel/qaic: Add uapi and core driver file")
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Reviewed-by: Carl Vanderlip &lt;quic_carlv@quicinc.com&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20230602210440.8411-3-quic_jhugo@quicinc.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If qaic_destroy_drm_device() is called before the device has fully
initialized it will cause a NULL pointer dereference as the drm device
has not yet been created. Fix this with a NULL check.

Fixes: c501ca23a6a3 ("accel/qaic: Add uapi and core driver file")
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Reviewed-by: Carl Vanderlip &lt;quic_carlv@quicinc.com&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20230602210440.8411-3-quic_jhugo@quicinc.com
</pre>
</div>
</content>
</entry>
<entry>
<title>accel/qaic: Free user handle on interrupted mutex</title>
<updated>2023-06-09T17:06:33+00:00</updated>
<author>
<name>Carl Vanderlip</name>
<email>quic_carlv@quicinc.com</email>
</author>
<published>2023-06-02T21:04:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=3e1b9b2d81901b3ceeb5ec1f1b4c41cd1cff53ba'/>
<id>3e1b9b2d81901b3ceeb5ec1f1b4c41cd1cff53ba</id>
<content type='text'>
After user handle is allocated, if mutex is interrupted, we do not free
the user handle and return an error. Kref had been initialized, but not
added to users list, so device teardown would also not call free_usr.

Fixes: c501ca23a6a3 ("accel/qaic: Add uapi and core driver file")
Signed-off-by: Carl Vanderlip &lt;quic_carlv@quicinc.com&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20230602210440.8411-2-quic_jhugo@quicinc.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
After user handle is allocated, if mutex is interrupted, we do not free
the user handle and return an error. Kref had been initialized, but not
added to users list, so device teardown would also not call free_usr.

Fixes: c501ca23a6a3 ("accel/qaic: Add uapi and core driver file")
Signed-off-by: Carl Vanderlip &lt;quic_carlv@quicinc.com&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20230602210440.8411-2-quic_jhugo@quicinc.com
</pre>
</div>
</content>
</entry>
<entry>
<title>accel/qaic: Fix NNC message corruption</title>
<updated>2023-05-23T15:51:38+00:00</updated>
<author>
<name>Jeffrey Hugo</name>
<email>quic_jhugo@quicinc.com</email>
</author>
<published>2023-05-17T19:35:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=e997c218ad736fd6f524d73a987bad9d94128d3d'/>
<id>e997c218ad736fd6f524d73a987bad9d94128d3d</id>
<content type='text'>
If msg_xfer() is unable to queue part of a NNC message because the MHI ring
is full, it will attempt to give the QSM some time to drain the queue.
However, if QSM fails to make any room, msg_xfer() will fail and tell the
caller to try again.  This is problematic because part of the message may
have been committed to the ring and there is no mechanism to revoke that
content.  This will cause QSM to receive a corrupt message.

The better way to do this is to check if the ring has enough space for the
entire message before committing any of the message.  Since msg_xfer() is
under the cntl_mutex no one else can come in and consume the space.

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Carl Vanderlip &lt;quic_carlv@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20230517193540.14323-6-quic_jhugo@quicinc.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If msg_xfer() is unable to queue part of a NNC message because the MHI ring
is full, it will attempt to give the QSM some time to drain the queue.
However, if QSM fails to make any room, msg_xfer() will fail and tell the
caller to try again.  This is problematic because part of the message may
have been committed to the ring and there is no mechanism to revoke that
content.  This will cause QSM to receive a corrupt message.

The better way to do this is to check if the ring has enough space for the
entire message before committing any of the message.  Since msg_xfer() is
under the cntl_mutex no one else can come in and consume the space.

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Carl Vanderlip &lt;quic_carlv@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20230517193540.14323-6-quic_jhugo@quicinc.com
</pre>
</div>
</content>
</entry>
</feed>
