From b6e0c36f1c764808f1fa189e906d942df2e30e9d Mon Sep 17 00:00:00 2001
From: Deepak Kumar
Date: Wed, 1 Aug 2018 11:57:33 +0530
Subject: [PATCH 1/2] msm: kgsl: Don't halt dispatcher if device is not in SUSPEND state Add a check to make sure device actually transitioned to SUSPEND state before halting dispatcher in adreno_suspend_device function. kgsl_pwrctrl_change_state(device,KGSL_STATE_SUSPEND) in kgsl_suspend_device can return zero without actually changing state to SUSPEND if device state is NONE or INIT.
Change-Id: I4a5a69007c71651ea2cf7fa7360c960c6856031e
Signed-off-by: Deepak Kumar
Signed-off-by: Archana Sriram
---
 drivers/gpu/msm/adreno.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/msm/adreno.c b/drivers/gpu/msm/adreno.c
index 9cb65033ed13..d2aa0a0f9507 100644
--- a/drivers/gpu/msm/adreno.c
+++ b/drivers/gpu/msm/adreno.c
@@ -2807,7 +2807,8 @@ static void adreno_suspend_device(struct kgsl_device *device,
 struct adreno_gpudev *gpudev = ADRENO_GPU_DEVICE(adreno_dev);
 int pm_event = pm_state.event;
- adreno_dispatcher_halt(device);
+ if (device->state == KGSL_STATE_SUSPEND)
+ adreno_dispatcher_halt(device);
 if ((pm_event == PM_EVENT_FREEZE) || (pm_event == PM_EVENT_QUIESCE) ||
From 25611b44f1efba8a7c3cbbf72c9387313f96906c Mon Sep 17 00:00:00 2001
From: Mohammed Javid
Date: Mon, 8 Oct 2018 20:04:48 +0530
Subject: [PATCH 2/2] msm: ipa3: Fix to validate the user inputs Adding code changes to validate user inputs. Before allocating the NAT entry verifying the NAT entry size in range or not.
Change-Id: I21147f20a12243af5d21aebdc206703964db2be4
Acked-by: Ashok Vuyyuru
Signed-off-by: Mohammed Javid
---
 drivers/platform/msm/ipa/ipa_v2/ipa_nat.c | 14 ++++++++++++++
 drivers/platform/msm/ipa/ipa_v3/ipa_nat.c | 14 ++++++++++++++
 2 files changed, 28 insertions(+)
diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_nat.c b/drivers/platform/msm/ipa/ipa_v2/ipa_nat.c
index 7cddbf850540..a7cdf691ec68 100644
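Review bot: The new `device->state == KGSL_STATE_SUSPEND` guard in adreno_suspend_device makes the halt conditional, but the resume side is not part of this patch, so it is worth confirming that the matching unhalt is skipped under the same condition; otherwise a suspend that never halted the dispatcher could be followed by an unhalt with nothing to undo. The reason for the guard lives only in the commit message, so I would put it next to the check: `/* kgsl_pwrctrl_change_state() can return 0 without entering SUSPEND when the state is NONE or INIT */`. The function body starts before and continues past this hunk, so whether `device->state` is read with the device lock held cannot be confirmed from these lines.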
--- a/drivers/platform/msm/ipa/ipa_v2/ipa_nat.c
+++ b/drivers/platform/msm/ipa/ipa_v2/ipa_nat.c
@@ -35,6 +35,13 @@ enum nat_table_type {
 #define NAT_TABLE_ENTRY_SIZE_BYTE 32
 #define NAT_INTEX_TABLE_ENTRY_SIZE_BYTE 4
+/*
+ * Max NAT table entries is limited 1000 entries.
+ * Limit the memory size required by user to prevent kernel memory starvation
+ */
+#define IPA_TABLE_MAX_ENTRIES 1000
+#define MAX_ALLOC_NAT_SIZE (IPA_TABLE_MAX_ENTRIES * NAT_TABLE_ENTRY_SIZE_BYTE)
+
 static int ipa_nat_vma_fault_remap( struct vm_area_struct *vma, struct vm_fault *vmf) {
@@ -270,6 +277,13 @@ int ipa2_allocate_nat_device(struct ipa_ioc_nat_alloc_mem *mem)
 goto bail;
 }
+ if (mem->size > MAX_ALLOC_NAT_SIZE) {
+ IPAERR("Trying allocate more size = %zu, Max allowed = %d\n",
+ mem->size, MAX_ALLOC_NAT_SIZE);
+ result = -EPERM;
+ goto bail;
+ }
+
 if (mem->size <= 0 || nat_ctx->is_dev_init == true) {
 IPAERR_RL("Invalid Parameters or device is already init\n");
diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_nat.c b/drivers/platform/msm/ipa/ipa_v3/ipa_nat.c
index 17e4cae311ce..0b52acdeafc1 100644
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_nat.c
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_nat.c
@@ -34,6 +34,13 @@ enum nat_table_type {
 #define NAT_TABLE_ENTRY_SIZE_BYTE 32
 #define NAT_INTEX_TABLE_ENTRY_SIZE_BYTE 4
+/*
+ * Max NAT table entries is limited 1000 entries.
+ * Limit the memory size required by user to prevent kernel memory starvation
+ */
+#define IPA_TABLE_MAX_ENTRIES 1000
+#define MAX_ALLOC_NAT_SIZE (IPA_TABLE_MAX_ENTRIES * NAT_TABLE_ENTRY_SIZE_BYTE)
+
 static int ipa3_nat_vma_fault_remap( struct vm_area_struct *vma, struct vm_fault *vmf) {
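Review bot: The comment above `IPA_TABLE_MAX_ENTRIES` does not say what the resulting byte limit covers: `MAX_ALLOC_NAT_SIZE` is derived from `NAT_TABLE_ENTRY_SIZE_BYTE` alone, while `NAT_INTEX_TABLE_ENTRY_SIZE_BYTE` is defined just above it, and these lines do not show whether a caller's `mem->size` also includes index-table space. If it does, a request for a full 1000-entry table could be rejected, so the comment should state the assumption once it is confirmed, for example `/* Cap on the user-requested NAT allocation: 1000 base-table entries of NAT_TABLE_ENTRY_SIZE_BYTE each; index tables not counted. */`. The first sentence of the existing comment also reads better as "limited to 1000 entries". The same applies to the identical hunk in ipa_v3/ipa_nat.c.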
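Review bot: The new size check in ipa2_allocate_nat_device logs through `IPAERR`, while the parameter check directly below it uses `IPAERR_RL`; since `mem->size` is supplied by the caller, repeated oversized requests can fill the kernel log, so the rate-limited variant fits better here: `IPAERR_RL("Trying allocate more size = %zu, Max allowed = %d\n",`. `-EPERM` reports a permission failure for what is an out-of-range argument; `result = -EINVAL;` would tell the caller what to fix. Both points apply equally to the matching hunk in ipa3_allocate_nat_device. The function starts before and continues past the hunk, so what the `bail` path releases is not visible here.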
@@ -272,6 +279,13 @@ int ipa3_allocate_nat_device(struct ipa_ioc_nat_alloc_mem *mem)
 goto bail;
 }
+ if (mem->size > MAX_ALLOC_NAT_SIZE) {
+ IPAERR("Trying allocate more size = %zu, Max allowed = %d\n",
+ mem->size, MAX_ALLOC_NAT_SIZE);
+ result = -EPERM;
+ goto bail;
+ }
+
 if (mem->size <= 0 || nat_ctx->is_dev_init == true) {
 IPAERR_RL("Invalid Parameters or device is already init\n");