diff options
author | David Chiang <davidchiang@google.com> | 2021-08-18 08:46:45 +0800 |
---|---|---|
committer | David Chiang <davidchiang@google.com> | 2021-09-11 02:05:59 +0000 |
commit | 5dfa29f9563875b8acc4b9d50b1137bee6babb0e (patch) | |
tree | a825813fb8b1c78160ebb2d816361bd7521dccc1 | |
parent | f3671dbacc743e84c5d35f1c3b35945b4c654a51 (diff) | |
download | abrolhos-5dfa29f9563875b8acc4b9d50b1137bee6babb0e.tar.gz |
edgetpu: sync critical fixes: GSA failure, UAF on mapping
Sync the following CLs from darwinn-2.0:
950f4f74 edgetpu: abrolhos fail firmware run on GSA fails
93cd0c2c edgetpu: fix UAF in edgetpu_device_group_map
Bug: 192641593
Bug: 194942314
Signed-off-by: David Chiang <davidchiang@google.com>
Change-Id: Id4382b28af3deb67ae5cddbc5af8e21f6a9f5cb0
-rw-r--r-- | drivers/edgetpu/abrolhos-firmware.c | 6 | ||||
-rw-r--r-- | drivers/edgetpu/edgetpu-device-group.c | 11 |
2 files changed, 10 insertions, 7 deletions
diff --git a/drivers/edgetpu/abrolhos-firmware.c b/drivers/edgetpu/abrolhos-firmware.c index 5a8cd2e..063d010 100644 --- a/drivers/edgetpu/abrolhos-firmware.c +++ b/drivers/edgetpu/abrolhos-firmware.c @@ -108,10 +108,8 @@ static int abrolhos_firmware_prepare_run(struct edgetpu_firmware *et_fw, tpu_state = gsa_send_tpu_cmd(abpdev->gsa_dev, GSA_TPU_GET_STATE); if (tpu_state < GSA_TPU_STATE_INACTIVE) { - etdev_warn(etdev, "GSA failed to retrieve current status: %d\n", - tpu_state); - etdev_warn(etdev, "Assuming device is inactive\n"); - tpu_state = GSA_TPU_STATE_INACTIVE; + etdev_err(etdev, "GSA failed to retrieve current status: %d\n", tpu_state); + return tpu_state; } etdev_dbg(etdev, "GSA Reports TPU state: %d\n", tpu_state); diff --git a/drivers/edgetpu/edgetpu-device-group.c b/drivers/edgetpu/edgetpu-device-group.c index 1b668f5..3b8ddf8 100644 --- a/drivers/edgetpu/edgetpu-device-group.c +++ b/drivers/edgetpu/edgetpu-device-group.c @@ -1433,6 +1433,7 @@ int edgetpu_device_group_map(struct edgetpu_device_group *group, const u32 mmu_flags = map_to_mmu_flags(flags) | EDGETPU_MMU_HOST; int i; bool readonly; + tpu_addr_t tpu_addr; if (!valid_dma_direction(flags & EDGETPU_MAP_DIR_MASK)) return -EINVAL; @@ -1488,15 +1489,19 @@ int edgetpu_device_group_map(struct edgetpu_device_group *group, goto error; } + /* + * @map can be freed (by another thread) once it's added to the mappings, record the address + * before that. + */ + tpu_addr = map->device_address; ret = edgetpu_mapping_add(&group->host_mappings, map); if (ret) { - etdev_dbg(etdev, "duplicate mapping %u:0x%llx", - group->workload_id, map->device_address); + etdev_dbg(etdev, "duplicate mapping %u:0x%llx", group->workload_id, tpu_addr); goto error; } mutex_unlock(&group->lock); - arg->device_address = map->device_address; + arg->device_address = tpu_addr; kvfree(pages); return 0; |