2023-06-02 21:12:33

by Jeffrey Hugo

Subject: [PATCH 0/2] accel/qaic fixes for 6.4 part 2

Two additional fixes for corner cases found during development when
buggy userspace or firmware ends up subjecting the KMD to error
scenarios.

Carl Vanderlip (1):
accel/qaic: Free user handle on interrupted mutex

Jeffrey Hugo (1):
accel/qaic: Fix NULL pointer deref in qaic_destroy_drm_device()

drivers/accel/qaic/qaic_drv.c | 4 ++++
1 file changed, 4 insertions(+)

--
2.40.1



2023-06-02 21:25:16

by Jeffrey Hugo

Subject: [PATCH 2/2] accel/qaic: Fix NULL pointer deref in qaic_destroy_drm_device()

If qaic_destroy_drm_device() is called before the device has fully
initialized it will cause a NULL pointer dereference as the drm device
has not yet been created. Fix this with a NULL check.

Fixes: c501ca23a6a3 ("accel/qaic: Add uapi and core driver file")
Signed-off-by: Jeffrey Hugo <[email protected]>
Reviewed-by: Carl Vanderlip <[email protected]>
Reviewed-by: Pranjal Ramajor Asha Kanojiya <[email protected]>
---
drivers/accel/qaic/qaic_drv.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/accel/qaic/qaic_drv.c b/drivers/accel/qaic/qaic_drv.c
index 961cd341b414..b5ba550a0c04 100644
--- a/drivers/accel/qaic/qaic_drv.c
+++ b/drivers/accel/qaic/qaic_drv.c
@@ -225,6 +225,9 @@ static void qaic_destroy_drm_device(struct qaic_device *qdev, s32 partition_id)
struct qaic_user *usr;

qddev = qdev->qddev;
+ qdev->qddev = NULL;
+ if (!qddev)
+ return;

/*
* Existing users get unresolvable errors till they close FDs.
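
Review bot: The added `qdev->qddev = NULL;` directly after `qddev = qdev->qddev;` is a behavioural change the commit message does not explain; the message only describes the NULL check. The read-then-clear pair is also not atomic in the lines shown, so if two callers can reach qaic_destroy_drm_device() for the same qdev at the same time, both could read a non-NULL qddev before either one clears it. Please say in the commit message why the pointer is cleared (presumably so that a repeated call becomes a no-op) and add a short comment naming the lock or call ordering that serializes callers of this function.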
--
2.40.1


2023-06-02 21:37:19

by Jeffrey Hugo

Subject: [PATCH 1/2] accel/qaic: Free user handle on interrupted mutex

From: Carl Vanderlip <[email protected]>

After user handle is allocated, if mutex is interrupted, we do not free
the user handle and return an error. Kref had been initialized, but not
added to users list, so device teardown would also not call free_usr.

Fixes: c501ca23a6a3 ("accel/qaic: Add uapi and core driver file")
Signed-off-by: Carl Vanderlip <[email protected]>
Reviewed-by: Pranjal Ramajor Asha Kanojiya <[email protected]>
Reviewed-by: Jeffrey Hugo <[email protected]>
Signed-off-by: Jeffrey Hugo <[email protected]>
---
drivers/accel/qaic/qaic_drv.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/accel/qaic/qaic_drv.c b/drivers/accel/qaic/qaic_drv.c
index 2d0828db28d8..961cd341b414 100644
--- a/drivers/accel/qaic/qaic_drv.c
+++ b/drivers/accel/qaic/qaic_drv.c
@@ -97,6 +97,7 @@ static int qaic_open(struct drm_device *dev, struct drm_file *file)

cleanup_usr:
cleanup_srcu_struct(&usr->qddev_lock);
+ ida_free(&qaic_usrs, usr->handle);
free_usr:
kfree(usr);
dev_unlock:
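
Review bot: The new `ida_free(&qaic_usrs, usr->handle);` shares the `cleanup_usr:` label with `cleanup_srcu_struct(&usr->qddev_lock);`, so any error path that jumps straight to `free_usr:` still skips it, and any path that needs only one of the two undo steps has no label to land on. That is correct only if the handle allocation and the SRCU init cannot fail independently once the other has succeeded; the allocation site is outside this hunk, so please confirm no `goto free_usr` can run with a live handle, or give the handle release its own label so the unwind order mirrors the setup order.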
--
2.40.1


2023-06-09 17:37:05

by Jeffrey Hugo

Subject: Re: [PATCH 0/2] accel/qaic fixes for 6.4 part 2

On 6/2/2023 3:04 PM, Jeffrey Hugo wrote:
> Two additional fixes for corner cases found during development when
> buggy userspace or firmware ends up subjecting the KMD to error
> scenarios.
>
> Carl Vanderlip (1):
> accel/qaic: Free user handle on interrupted mutex
>
> Jeffrey Hugo (1):
> accel/qaic: Fix NULL pointer deref in qaic_destroy_drm_device()
>
> drivers/accel/qaic/qaic_drv.c | 4 ++++
> 1 file changed, 4 insertions(+)
>

Pushed to drm-misc-fixes