Revert "BACKPORT: kgsl: hwsched: Don't cross dereference kgsl_mem_entry pointer"

This reverts commit e7fe0e2788. According to Qualcomm, this platform is not affected [1]. It causes NULL pointer dereference on older kernels due to the lack of 976b6d97c6. [1] https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2024-bulletin.html#_cve-2024-21478 Change-Id: Ic50a8c89ec9f0b4f56ac90125be646147bae5f20 Signed-off-by: Alexander Winkowski <dereference23@outlook.com>
2024-08-18 18:05:56 +00:00 · 2024-08-18 18:05:56 +00:00 · 02b9f89f58
commit 02b9f89f58
parent 9944a4c53c
4 changed files with 16 additions and 18 deletions
--- a/drivers/gpu/msm/kgsl.c
+++ b/drivers/gpu/msm/kgsl.c
@ -2378,7 +2378,8 @@ static long gpuobj_free_on_fence(struct kgsl_device_private *dev_priv,
 		return -EINVAL;
 	}

-	handle = kgsl_sync_fence_async_wait(event.fd, gpuobj_free_fence_func, entry);
+	handle = kgsl_sync_fence_async_wait(event.fd,
+		gpuobj_free_fence_func, entry, NULL);

 	if (IS_ERR(handle)) {
 		kgsl_mem_entry_unset_pend(entry);
--- a/drivers/gpu/msm/kgsl_drawobj.c
+++ b/drivers/gpu/msm/kgsl_drawobj.c
@ -566,7 +566,8 @@ static int drawobj_add_sync_fence(struct kgsl_device *device,

 	set_bit(event->id, &syncobj->pending);

-	event->handle = kgsl_sync_fence_async_wait(sync.fd, drawobj_sync_fence_func, event);
+	event->handle = kgsl_sync_fence_async_wait(sync.fd,
+				drawobj_sync_fence_func, event, priv);

 	event->priv = priv;

@ -588,8 +589,6 @@ static int drawobj_add_sync_fence(struct kgsl_device *device,
 		return ret;
 	}

-	kgsl_get_fence_info(event);
-
 	for (i = 0; priv && i < priv->num_fences; i++)
 		trace_syncpoint_fence(syncobj, priv->fences[i].name);

--- a/drivers/gpu/msm/kgsl_sync.c
+++ b/drivers/gpu/msm/kgsl_sync.c
@ -424,20 +424,19 @@ static void kgsl_sync_fence_callback(struct dma_fence *fence,
 	}
 }

-void kgsl_get_fence_info(struct kgsl_drawobj_sync_event *event)
+static void kgsl_get_fence_names(struct dma_fence *fence,
+	struct event_fence_info *info_ptr)
 {
 	unsigned int num_fences;
-	struct dma_fence *fence, **fences;
+	struct dma_fence **fences;
 	struct dma_fence_array *array;
-	struct event_fence_info *info_ptr = event->priv;
 	int i;

 	if (!info_ptr)
 		return;

-	fence = event->handle->fence;
-
 	array = to_dma_fence_array(fence);
+
 	if (array != NULL) {
 		num_fences = array->num_fences;
 		fences = array->fences;
@ -472,7 +471,7 @@ void kgsl_get_fence_info(struct kgsl_drawobj_sync_event *event)
 }

 struct kgsl_sync_fence_cb *kgsl_sync_fence_async_wait(int fd,
-	bool (*func)(void *priv), void *priv)
+	bool (*func)(void *priv), void *priv, struct event_fence_info *info_ptr)
 {
 	struct kgsl_sync_fence_cb *kcb;
 	struct dma_fence *fence;
@ -493,6 +492,8 @@ struct kgsl_sync_fence_cb *kgsl_sync_fence_async_wait(int fd,
 	kcb->priv = priv;
 	kcb->func = func;

+	kgsl_get_fence_names(fence, info_ptr);
+
 	/* if status then error or signaled */
 	status = dma_fence_add_callback(fence, &kcb->fence_cb,
 				kgsl_sync_fence_callback);
--- a/drivers/gpu/msm/kgsl_sync.h
+++ b/drivers/gpu/msm/kgsl_sync.h
@ -85,9 +85,9 @@ void kgsl_sync_timeline_detach(struct kgsl_sync_timeline *ktimeline);

 void kgsl_sync_timeline_put(struct kgsl_sync_timeline *ktimeline);

-struct kgsl_sync_fence_cb *kgsl_sync_fence_async_wait(int fd, bool (*func)(void *priv), void *priv);
-
-void kgsl_get_fence_info(struct kgsl_drawobj_sync_event *event);
+struct kgsl_sync_fence_cb *kgsl_sync_fence_async_wait(int fd,
+					bool (*func)(void *priv), void *priv,
+					struct event_fence_info *info_ptr);

 void kgsl_sync_fence_async_cancel(struct kgsl_sync_fence_cb *kcb);

@ -128,12 +128,9 @@ static inline void kgsl_sync_timeline_put(struct kgsl_sync_timeline *ktimeline)
 }


-static inline void kgsl_get_fence_info(struct kgsl_drawobj_sync_event *event)
-{
-}
-
 static inline struct kgsl_sync_fence_cb *kgsl_sync_fence_async_wait(int fd,
-	bool (*func)(void *priv), void *priv);
+					bool (*func)(void *priv), void *priv,
+					struct event_fence_info *info_ptr)
 {
 	return NULL;
 }