From 2b86d9b8ec6efb86fc5ea44f2d49b1df17f699a1 Mon Sep 17 00:00:00 2001 From: Samuel Thibault Date: Tue, 4 Aug 2020 18:06:37 +0200 Subject: [PATCH 01/16] speakup: Fix wait_for_xmitr for ttyio case This was missed while introducing the tty-based serial access. The only remaining use of wait_for_xmitr with tty-based access is in spk_synth_is_alive_restart to check whether the synth can be restarted. With tty-based this is up to the tty layer to cope with the buffering etc. so we can just say yes. Signed-off-by: Samuel Thibault Link: https://lore.kernel.org/r/20200804160637.x3iycau5izywbgzl@function Signed-off-by: Greg Kroah-Hartman --- drivers/accessibility/speakup/serialio.c | 8 +++++--- drivers/accessibility/speakup/spk_priv.h | 1 - drivers/accessibility/speakup/spk_ttyio.c | 7 +++++++ drivers/accessibility/speakup/spk_types.h | 1 + drivers/accessibility/speakup/synth.c | 2 +- 5 files changed, 14 insertions(+), 5 deletions(-) diff --git a/drivers/accessibility/speakup/serialio.c b/drivers/accessibility/speakup/serialio.c index 177a2988641c..403b01d66367 100644 --- a/drivers/accessibility/speakup/serialio.c +++ b/drivers/accessibility/speakup/serialio.c @@ -32,6 +32,7 @@ static void spk_serial_tiocmset(unsigned int set, unsigned int clear); static unsigned char spk_serial_in(void); static unsigned char spk_serial_in_nowait(void); static void spk_serial_flush_buffer(void); +static int spk_serial_wait_for_xmitr(struct spk_synth *in_synth); struct spk_io_ops spk_serial_io_ops = { .synth_out = spk_serial_out, @@ -40,6 +41,7 @@ struct spk_io_ops spk_serial_io_ops = { .synth_in = spk_serial_in, .synth_in_nowait = spk_serial_in_nowait, .flush_buffer = spk_serial_flush_buffer, + .wait_for_xmitr = spk_serial_wait_for_xmitr, }; EXPORT_SYMBOL_GPL(spk_serial_io_ops); @@ -211,7 +213,7 @@ void spk_stop_serial_interrupt(void) } EXPORT_SYMBOL_GPL(spk_stop_serial_interrupt); -int spk_wait_for_xmitr(struct spk_synth *in_synth) +static int spk_serial_wait_for_xmitr(struct spk_synth *in_synth) { int tmout = SPK_XMITR_TIMEOUT; @@ -280,7 +282,7 @@ static void spk_serial_flush_buffer(void) static int spk_serial_out(struct spk_synth *in_synth, const char ch) { - if (in_synth->alive && spk_wait_for_xmitr(in_synth)) { + if (in_synth->alive && spk_serial_wait_for_xmitr(in_synth)) { outb_p(ch, speakup_info.port_tts); return 1; } @@ -295,7 +297,7 @@ const char *spk_serial_synth_immediate(struct spk_synth *synth, while ((ch = *buff)) { if (ch == '\n') ch = synth->procspeech; - if (spk_wait_for_xmitr(synth)) + if (spk_serial_wait_for_xmitr(synth)) outb(ch, speakup_info.port_tts); else return buff; diff --git a/drivers/accessibility/speakup/spk_priv.h b/drivers/accessibility/speakup/spk_priv.h index c75b40838794..0f4bcbe5ddb9 100644 --- a/drivers/accessibility/speakup/spk_priv.h +++ b/drivers/accessibility/speakup/spk_priv.h @@ -34,7 +34,6 @@ const struct old_serial_port *spk_serial_init(int index); void spk_stop_serial_interrupt(void); -int spk_wait_for_xmitr(struct spk_synth *in_synth); void spk_serial_release(void); void spk_ttyio_release(void); void spk_ttyio_register_ldisc(void); diff --git a/drivers/accessibility/speakup/spk_ttyio.c b/drivers/accessibility/speakup/spk_ttyio.c index 9b95f77f9265..a831ff64f8ba 100644 --- a/drivers/accessibility/speakup/spk_ttyio.c +++ b/drivers/accessibility/speakup/spk_ttyio.c @@ -116,6 +116,7 @@ static void spk_ttyio_tiocmset(unsigned int set, unsigned int clear); static unsigned char spk_ttyio_in(void); static unsigned char spk_ttyio_in_nowait(void); static void spk_ttyio_flush_buffer(void); +static int spk_ttyio_wait_for_xmitr(struct spk_synth *in_synth); struct spk_io_ops spk_ttyio_ops = { .synth_out = spk_ttyio_out, @@ -125,6 +126,7 @@ struct spk_io_ops spk_ttyio_ops = { .synth_in = spk_ttyio_in, .synth_in_nowait = spk_ttyio_in_nowait, .flush_buffer = spk_ttyio_flush_buffer, + .wait_for_xmitr = spk_ttyio_wait_for_xmitr, }; EXPORT_SYMBOL_GPL(spk_ttyio_ops); @@ -286,6 +288,11 @@ static void spk_ttyio_tiocmset(unsigned int set, unsigned int clear) mutex_unlock(&speakup_tty_mutex); } +static int spk_ttyio_wait_for_xmitr(struct spk_synth *in_synth) +{ + return 1; +} + static unsigned char ttyio_in(int timeout) { struct spk_ldisc_data *ldisc_data = speakup_tty->disc_data; diff --git a/drivers/accessibility/speakup/spk_types.h b/drivers/accessibility/speakup/spk_types.h index d3272c6d199a..7398f1196e10 100644 --- a/drivers/accessibility/speakup/spk_types.h +++ b/drivers/accessibility/speakup/spk_types.h @@ -158,6 +158,7 @@ struct spk_io_ops { unsigned char (*synth_in)(void); unsigned char (*synth_in_nowait)(void); void (*flush_buffer)(void); + int (*wait_for_xmitr)(struct spk_synth *synth); }; struct spk_synth { diff --git a/drivers/accessibility/speakup/synth.c b/drivers/accessibility/speakup/synth.c index 3568bfb89912..ac47dbac7207 100644 --- a/drivers/accessibility/speakup/synth.c +++ b/drivers/accessibility/speakup/synth.c @@ -159,7 +159,7 @@ int spk_synth_is_alive_restart(struct spk_synth *synth) { if (synth->alive) return 1; - if (spk_wait_for_xmitr(synth) > 0) { + if (synth->io_ops->wait_for_xmitr(synth) > 0) { /* restart */ synth->alive = 1; synth_printf("%s", synth->init); From dfe650be6f79fc69021a9b7a559d5aca1e2ef359 Mon Sep 17 00:00:00 2001 From: Samuel Thibault Date: Tue, 4 Aug 2020 18:06:59 +0200 Subject: [PATCH 02/16] speakup: only build serialio when ISA is enabled Drivers using serialio were already made available in Kconfig only under the ISA condition. Signed-off-by: Samuel Thibault Link: https://lore.kernel.org/r/20200804160659.7y76sdseow43lfms@function Signed-off-by: Greg Kroah-Hartman --- drivers/accessibility/speakup/Kconfig | 13 +++++++++---- drivers/accessibility/speakup/Makefile | 2 +- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/accessibility/speakup/Kconfig b/drivers/accessibility/speakup/Kconfig index 0803c2013cf4..07ecbbde0384 100644 --- a/drivers/accessibility/speakup/Kconfig +++ b/drivers/accessibility/speakup/Kconfig @@ -42,6 +42,11 @@ config SPEAKUP one of the listed synthesizers, you should say n. if SPEAKUP + +config SPEAKUP_SERIALIO + def_bool y + depends on ISA || COMPILE_TEST + config SPEAKUP_SYNTH_ACNTSA tristate "Accent SA synthesizer support" help @@ -52,7 +57,7 @@ config SPEAKUP_SYNTH_ACNTSA config SPEAKUP_SYNTH_ACNTPC tristate "Accent PC synthesizer support" - depends on ISA || COMPILE_TEST + depends on SPEAKUP_SERIALIO help This is the Speakup driver for the accent pc synthesizer. You can say y to build it into the kernel, @@ -104,7 +109,7 @@ config SPEAKUP_SYNTH_DECEXT config SPEAKUP_SYNTH_DECPC depends on m - depends on ISA || COMPILE_TEST + depends on SPEAKUP_SERIALIO tristate "DECtalk PC (big ISA card) synthesizer support" help @@ -127,7 +132,7 @@ config SPEAKUP_SYNTH_DECPC config SPEAKUP_SYNTH_DTLK tristate "DoubleTalk PC synthesizer support" - depends on ISA || COMPILE_TEST + depends on SPEAKUP_SERIALIO help This is the Speakup driver for the internal DoubleTalk @@ -138,7 +143,7 @@ config SPEAKUP_SYNTH_DTLK config SPEAKUP_SYNTH_KEYPC tristate "Keynote Gold PC synthesizer support" - depends on ISA || COMPILE_TEST + depends on SPEAKUP_SERIALIO help This is the Speakup driver for the Keynote Gold diff --git a/drivers/accessibility/speakup/Makefile b/drivers/accessibility/speakup/Makefile index 5befb4933b85..6e4bfac8af65 100644 --- a/drivers/accessibility/speakup/Makefile +++ b/drivers/accessibility/speakup/Makefile @@ -25,8 +25,8 @@ speakup-y := \ keyhelp.o \ kobjects.o \ selection.o \ - serialio.o \ spk_ttyio.o \ synth.o \ thread.o \ varhandlers.o +speakup-$(CONFIG_SPEAKUP_SERIALIO) += serialio.o From 51072c0f5b5e98a035c6f63b83ba2afedbb7accd Mon Sep 17 00:00:00 2001 From: Tomas Winkler Date: Tue, 18 Aug 2020 10:54:06 +0300 Subject: [PATCH 03/16] mei: hdcp: fix mei_hdcp_verify_mprime() input parameter wired_cmd_repeater_auth_stream_req_in has a variable length array at the end. we use struct_size() overflow macro to determine the size for the allocation and sending size. This also fixes bug in case number of streams is > 0 in the original submission. This bug was not triggered as the number of streams is always one. Fixes: c56967d674e3 (mei: hdcp: Replace one-element array with flexible-array member) Fixes: 0a1af1b5c18d (misc/mei/hdcp: Verify M_prime) Cc: # v5.1+: c56967d674e3 (mei: hdcp: Replace one-element array with flexible-array member) Signed-off-by: Tomas Winkler Reviewed-by: Gustavo A. R. Silva Link: https://lore.kernel.org/r/20200818075406.2532605-1-tomas.winkler@intel.com Signed-off-by: Greg Kroah-Hartman --- drivers/misc/mei/hdcp/mei_hdcp.c | 40 +++++++++++++++++++------------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/drivers/misc/mei/hdcp/mei_hdcp.c b/drivers/misc/mei/hdcp/mei_hdcp.c index d1d3e025ca0e..9ae9669e46ea 100644 --- a/drivers/misc/mei/hdcp/mei_hdcp.c +++ b/drivers/misc/mei/hdcp/mei_hdcp.c @@ -546,38 +546,46 @@ static int mei_hdcp_verify_mprime(struct device *dev, struct hdcp_port_data *data, struct hdcp2_rep_stream_ready *stream_ready) { - struct wired_cmd_repeater_auth_stream_req_in - verify_mprime_in = { { 0 } }; + struct wired_cmd_repeater_auth_stream_req_in *verify_mprime_in; struct wired_cmd_repeater_auth_stream_req_out verify_mprime_out = { { 0 } }; struct mei_cl_device *cldev; ssize_t byte; + size_t cmd_size; if (!dev || !stream_ready || !data) return -EINVAL; cldev = to_mei_cl_device(dev); - verify_mprime_in.header.api_version = HDCP_API_VERSION; - verify_mprime_in.header.command_id = WIRED_REPEATER_AUTH_STREAM_REQ; - verify_mprime_in.header.status = ME_HDCP_STATUS_SUCCESS; - verify_mprime_in.header.buffer_len = + cmd_size = struct_size(verify_mprime_in, streams, data->k); + if (cmd_size == SIZE_MAX) + return -EINVAL; + + verify_mprime_in = kzalloc(cmd_size, GFP_KERNEL); + if (!verify_mprime_in) + return -ENOMEM; + + verify_mprime_in->header.api_version = HDCP_API_VERSION; + verify_mprime_in->header.command_id = WIRED_REPEATER_AUTH_STREAM_REQ; + verify_mprime_in->header.status = ME_HDCP_STATUS_SUCCESS; + verify_mprime_in->header.buffer_len = WIRED_CMD_BUF_LEN_REPEATER_AUTH_STREAM_REQ_MIN_IN; - verify_mprime_in.port.integrated_port_type = data->port_type; - verify_mprime_in.port.physical_port = (u8)data->fw_ddi; - verify_mprime_in.port.attached_transcoder = (u8)data->fw_tc; + verify_mprime_in->port.integrated_port_type = data->port_type; + verify_mprime_in->port.physical_port = (u8)data->fw_ddi; + verify_mprime_in->port.attached_transcoder = (u8)data->fw_tc; - memcpy(verify_mprime_in.m_prime, stream_ready->m_prime, - HDCP_2_2_MPRIME_LEN); - drm_hdcp_cpu_to_be24(verify_mprime_in.seq_num_m, data->seq_num_m); - memcpy(verify_mprime_in.streams, data->streams, + memcpy(verify_mprime_in->m_prime, stream_ready->m_prime, HDCP_2_2_MPRIME_LEN); + drm_hdcp_cpu_to_be24(verify_mprime_in->seq_num_m, data->seq_num_m); + + memcpy(verify_mprime_in->streams, data->streams, array_size(data->k, sizeof(*data->streams))); - verify_mprime_in.k = cpu_to_be16(data->k); + verify_mprime_in->k = cpu_to_be16(data->k); - byte = mei_cldev_send(cldev, (u8 *)&verify_mprime_in, - sizeof(verify_mprime_in)); + byte = mei_cldev_send(cldev, (u8 *)verify_mprime_in, cmd_size); + kfree(verify_mprime_in); if (byte < 0) { dev_dbg(dev, "mei_cldev_send failed. %zd\n", byte); return byte; From f1aae40e8dbd2655e3b10cae381a1e8292b19d57 Mon Sep 17 00:00:00 2001 From: Ofir Bitton Date: Thu, 16 Jul 2020 13:33:52 +0300 Subject: [PATCH 04/16] habanalabs: unmap PCI bars upon iATU failure In case the driver fails to configure the PCI controller iATU, it needs to unmap the PCI bars before exiting so if the driver is removed, the bars won't be left mapped. Signed-off-by: Ofir Bitton Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay --- drivers/misc/habanalabs/common/pci.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/misc/habanalabs/common/pci.c b/drivers/misc/habanalabs/common/pci.c index 7bd3737571f3..b8184cb49034 100644 --- a/drivers/misc/habanalabs/common/pci.c +++ b/drivers/misc/habanalabs/common/pci.c @@ -369,15 +369,17 @@ int hl_pci_init(struct hl_device *hdev) rc = hdev->asic_funcs->init_iatu(hdev); if (rc) { dev_err(hdev->dev, "Failed to initialize iATU\n"); - goto disable_device; + goto unmap_pci_bars; } rc = hl_pci_set_dma_mask(hdev); if (rc) - goto disable_device; + goto unmap_pci_bars; return 0; +unmap_pci_bars: + hl_pci_bars_unmap(hdev); disable_device: pci_clear_master(pdev); pci_disable_device(pdev); From bf6d10963ed0db290e9aba05a97bfc4c72c7c0e4 Mon Sep 17 00:00:00 2001 From: Ofir Bitton Date: Thu, 30 Jul 2020 10:00:10 +0300 Subject: [PATCH 05/16] habanalabs: Validate user address before mapping User address must be validated before driver performs address map. Signed-off-by: Ofir Bitton Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay --- drivers/misc/habanalabs/common/command_buffer.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/drivers/misc/habanalabs/common/command_buffer.c b/drivers/misc/habanalabs/common/command_buffer.c index 7c38c4f7f9c0..a8004911c977 100644 --- a/drivers/misc/habanalabs/common/command_buffer.c +++ b/drivers/misc/habanalabs/common/command_buffer.c @@ -10,6 +10,7 @@ #include #include +#include #include static void cb_fini(struct hl_device *hdev, struct hl_cb *cb) @@ -300,7 +301,7 @@ int hl_cb_mmap(struct hl_fpriv *hpriv, struct vm_area_struct *vma) struct hl_device *hdev = hpriv->hdev; struct hl_cb *cb; phys_addr_t address; - u32 handle; + u32 handle, user_cb_size; int rc; handle = vma->vm_pgoff; @@ -314,7 +315,8 @@ int hl_cb_mmap(struct hl_fpriv *hpriv, struct vm_area_struct *vma) } /* Validation check */ - if ((vma->vm_end - vma->vm_start) != ALIGN(cb->size, PAGE_SIZE)) { + user_cb_size = vma->vm_end - vma->vm_start; + if (user_cb_size != ALIGN(cb->size, PAGE_SIZE)) { dev_err(hdev->dev, "CB mmap failed, mmap size 0x%lx != 0x%x cb size\n", vma->vm_end - vma->vm_start, cb->size); @@ -322,6 +324,16 @@ int hl_cb_mmap(struct hl_fpriv *hpriv, struct vm_area_struct *vma) goto put_cb; } + if (!access_ok((void __user *) (uintptr_t) vma->vm_start, + user_cb_size)) { + dev_err(hdev->dev, + "user pointer is invalid - 0x%lx\n", + vma->vm_start); + + rc = -EINVAL; + goto put_cb; + } + spin_lock(&cb->lock); if (cb->mmap) { From bc75be24fa88ef10eecaff2b2a9ada8189e5ab5d Mon Sep 17 00:00:00 2001 From: Ofir Bitton Date: Thu, 30 Jul 2020 14:56:38 +0300 Subject: [PATCH 06/16] habanalabs: validate packet id during CB parse During command buffer parsing, driver extracts packet id from user buffer. Driver must validate this packet id, since it is being used in order to extract information from internal structures. Signed-off-by: Ofir Bitton Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay --- drivers/misc/habanalabs/gaudi/gaudi.c | 35 +++++++++++++++++++++++++++ drivers/misc/habanalabs/goya/goya.c | 31 ++++++++++++++++++++++++ 2 files changed, 66 insertions(+) diff --git a/drivers/misc/habanalabs/gaudi/gaudi.c b/drivers/misc/habanalabs/gaudi/gaudi.c index 00a0a7238d81..9ed4989b6fd4 100644 --- a/drivers/misc/habanalabs/gaudi/gaudi.c +++ b/drivers/misc/habanalabs/gaudi/gaudi.c @@ -154,6 +154,29 @@ static const u16 gaudi_packet_sizes[MAX_PACKET_ID] = { [PACKET_LOAD_AND_EXE] = sizeof(struct packet_load_and_exe) }; +static inline bool validate_packet_id(enum packet_id id) +{ + switch (id) { + case PACKET_WREG_32: + case PACKET_WREG_BULK: + case PACKET_MSG_LONG: + case PACKET_MSG_SHORT: + case PACKET_CP_DMA: + case PACKET_REPEAT: + case PACKET_MSG_PROT: + case PACKET_FENCE: + case PACKET_LIN_DMA: + case PACKET_NOP: + case PACKET_STOP: + case PACKET_ARB_POINT: + case PACKET_WAIT: + case PACKET_LOAD_AND_EXE: + return true; + default: + return false; + } +} + static const char * const gaudi_tpc_interrupts_cause[GAUDI_NUM_OF_TPC_INTR_CAUSE] = { "tpc_address_exceed_slm", @@ -3772,6 +3795,12 @@ static int gaudi_validate_cb(struct hl_device *hdev, PACKET_HEADER_PACKET_ID_MASK) >> PACKET_HEADER_PACKET_ID_SHIFT); + if (!validate_packet_id(pkt_id)) { + dev_err(hdev->dev, "Invalid packet id %u\n", pkt_id); + rc = -EINVAL; + break; + } + pkt_size = gaudi_packet_sizes[pkt_id]; cb_parsed_length += pkt_size; if (cb_parsed_length > parser->user_cb_size) { @@ -3995,6 +4024,12 @@ static int gaudi_patch_cb(struct hl_device *hdev, PACKET_HEADER_PACKET_ID_MASK) >> PACKET_HEADER_PACKET_ID_SHIFT); + if (!validate_packet_id(pkt_id)) { + dev_err(hdev->dev, "Invalid packet id %u\n", pkt_id); + rc = -EINVAL; + break; + } + pkt_size = gaudi_packet_sizes[pkt_id]; cb_parsed_length += pkt_size; if (cb_parsed_length > parser->user_cb_size) { diff --git a/drivers/misc/habanalabs/goya/goya.c b/drivers/misc/habanalabs/goya/goya.c index 85030759b2af..33cd2ae653d2 100644 --- a/drivers/misc/habanalabs/goya/goya.c +++ b/drivers/misc/habanalabs/goya/goya.c @@ -139,6 +139,25 @@ static u16 goya_packet_sizes[MAX_PACKET_ID] = { [PACKET_STOP] = sizeof(struct packet_stop) }; +static inline bool validate_packet_id(enum packet_id id) +{ + switch (id) { + case PACKET_WREG_32: + case PACKET_WREG_BULK: + case PACKET_MSG_LONG: + case PACKET_MSG_SHORT: + case PACKET_CP_DMA: + case PACKET_MSG_PROT: + case PACKET_FENCE: + case PACKET_LIN_DMA: + case PACKET_NOP: + case PACKET_STOP: + return true; + default: + return false; + } +} + static u64 goya_mmu_regs[GOYA_MMU_REGS_NUM] = { mmDMA_QM_0_GLBL_NON_SECURE_PROPS, mmDMA_QM_1_GLBL_NON_SECURE_PROPS, @@ -3455,6 +3474,12 @@ static int goya_validate_cb(struct hl_device *hdev, PACKET_HEADER_PACKET_ID_MASK) >> PACKET_HEADER_PACKET_ID_SHIFT); + if (!validate_packet_id(pkt_id)) { + dev_err(hdev->dev, "Invalid packet id %u\n", pkt_id); + rc = -EINVAL; + break; + } + pkt_size = goya_packet_sizes[pkt_id]; cb_parsed_length += pkt_size; if (cb_parsed_length > parser->user_cb_size) { @@ -3690,6 +3715,12 @@ static int goya_patch_cb(struct hl_device *hdev, PACKET_HEADER_PACKET_ID_MASK) >> PACKET_HEADER_PACKET_ID_SHIFT); + if (!validate_packet_id(pkt_id)) { + dev_err(hdev->dev, "Invalid packet id %u\n", pkt_id); + rc = -EINVAL; + break; + } + pkt_size = goya_packet_sizes[pkt_id]; cb_parsed_length += pkt_size; if (cb_parsed_length > parser->user_cb_size) { From eeec23cd325ad4d83927b8ee162693579cf3813f Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Mon, 3 Aug 2020 17:36:36 +0300 Subject: [PATCH 07/16] habanalabs: Fix memory corruption in debugfs This has to be a long instead of a u32 because we write a long value. On 64 bit systems, this will cause memory corruption. Fixes: c216477363a3 ("habanalabs: add debugfs support") Signed-off-by: Dan Carpenter Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay --- drivers/misc/habanalabs/common/debugfs.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/misc/habanalabs/common/debugfs.c b/drivers/misc/habanalabs/common/debugfs.c index c50c6fc9e905..37701e4f9d5a 100644 --- a/drivers/misc/habanalabs/common/debugfs.c +++ b/drivers/misc/habanalabs/common/debugfs.c @@ -19,7 +19,7 @@ static struct dentry *hl_debug_root; static int hl_debugfs_i2c_read(struct hl_device *hdev, u8 i2c_bus, u8 i2c_addr, - u8 i2c_reg, u32 *val) + u8 i2c_reg, long *val) { struct armcp_packet pkt; int rc; @@ -36,7 +36,7 @@ static int hl_debugfs_i2c_read(struct hl_device *hdev, u8 i2c_bus, u8 i2c_addr, pkt.i2c_reg = i2c_reg; rc = hdev->asic_funcs->send_cpu_message(hdev, (u32 *) &pkt, sizeof(pkt), - 0, (long *) val); + 0, val); if (rc) dev_err(hdev->dev, "Failed to read from I2C, error %d\n", rc); @@ -827,7 +827,7 @@ static ssize_t hl_i2c_data_read(struct file *f, char __user *buf, struct hl_dbg_device_entry *entry = file_inode(f)->i_private; struct hl_device *hdev = entry->hdev; char tmp_buf[32]; - u32 val; + long val; ssize_t rc; if (*ppos) @@ -842,7 +842,7 @@ static ssize_t hl_i2c_data_read(struct file *f, char __user *buf, return rc; } - sprintf(tmp_buf, "0x%02x\n", val); + sprintf(tmp_buf, "0x%02lx\n", val); rc = simple_read_from_buffer(buf, count, ppos, tmp_buf, strlen(tmp_buf)); From b0353540ffd2d78dca232990719916bee58c7523 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Wed, 5 Aug 2020 12:51:05 +0300 Subject: [PATCH 08/16] habanalabs: Fix a loop in gaudi_extract_ecc_info() The condition was reversed. It should have been less than instead of greater than. The result is that we never enter the loop. Fixes: fcc6a4e60678 ("habanalabs: Extract ECC information from FW") Signed-off-by: Dan Carpenter Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay --- drivers/misc/habanalabs/gaudi/gaudi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/habanalabs/gaudi/gaudi.c b/drivers/misc/habanalabs/gaudi/gaudi.c index 9ed4989b6fd4..08124873483f 100644 --- a/drivers/misc/habanalabs/gaudi/gaudi.c +++ b/drivers/misc/habanalabs/gaudi/gaudi.c @@ -5250,7 +5250,7 @@ static int gaudi_extract_ecc_info(struct hl_device *hdev, *memory_wrapper_idx = 0xFF; /* Iterate through memory wrappers, a single bit must be set */ - for (i = 0 ; i > num_mem_regs ; i++) { + for (i = 0 ; i < num_mem_regs ; i++) { err_addr += i * 4; err_word = RREG32(err_addr); if (err_word) { From 1cff11974080f47864d56ef97db228c51fcb8a0c Mon Sep 17 00:00:00 2001 From: Ofir Bitton Date: Wed, 5 Aug 2020 13:55:12 +0300 Subject: [PATCH 09/16] habanalabs: verify user input in cs_ioctl_signal_wait User input must be validated before using it to access internal structures. Signed-off-by: Ofir Bitton Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay --- drivers/misc/habanalabs/common/command_submission.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/misc/habanalabs/common/command_submission.c b/drivers/misc/habanalabs/common/command_submission.c index b9840e368eb5..2e3fcbc794db 100644 --- a/drivers/misc/habanalabs/common/command_submission.c +++ b/drivers/misc/habanalabs/common/command_submission.c @@ -808,6 +808,14 @@ static int cs_ioctl_signal_wait(struct hl_fpriv *hpriv, enum hl_cs_type cs_type, /* currently it is guaranteed to have only one chunk */ chunk = &cs_chunk_array[0]; + + if (chunk->queue_index >= hdev->asic_prop.max_queues) { + dev_err(hdev->dev, "Queue index %d is invalid\n", + chunk->queue_index); + rc = -EINVAL; + goto free_cs_chunk_array; + } + q_idx = chunk->queue_index; hw_queue_prop = &hdev->asic_prop.hw_queues_props[q_idx]; q_type = hw_queue_prop->type; From f44d23b9095abd91dad9f5f3add2a3149833ec83 Mon Sep 17 00:00:00 2001 From: Ofir Bitton Date: Tue, 4 Aug 2020 13:38:43 +0300 Subject: [PATCH 10/16] habanalabs: set clock gating according to mask Once clock gating is set we enable clock gating according to mask, we should also disable clock gating according to relevant bits. Signed-off-by: Ofir Bitton Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay --- drivers/misc/habanalabs/gaudi/gaudi.c | 44 +++++++++++++-------------- 1 file changed, 21 insertions(+), 23 deletions(-) diff --git a/drivers/misc/habanalabs/gaudi/gaudi.c b/drivers/misc/habanalabs/gaudi/gaudi.c index 08124873483f..7e0f9f64ffcb 100644 --- a/drivers/misc/habanalabs/gaudi/gaudi.c +++ b/drivers/misc/habanalabs/gaudi/gaudi.c @@ -2508,6 +2508,7 @@ static void gaudi_set_clock_gating(struct hl_device *hdev) { struct gaudi_device *gaudi = hdev->asic_specific; u32 qman_offset; + bool enable; int i; /* In case we are during debug session, don't enable the clock gate @@ -2517,46 +2518,43 @@ static void gaudi_set_clock_gating(struct hl_device *hdev) return; for (i = GAUDI_PCI_DMA_1, qman_offset = 0 ; i < GAUDI_HBM_DMA_1 ; i++) { - if (!(hdev->clock_gating_mask & - (BIT_ULL(gaudi_dma_assignment[i])))) - continue; + enable = !!(hdev->clock_gating_mask & + (BIT_ULL(gaudi_dma_assignment[i]))); qman_offset = gaudi_dma_assignment[i] * DMA_QMAN_OFFSET; - WREG32(mmDMA0_QM_CGM_CFG1 + qman_offset, QMAN_CGM1_PWR_GATE_EN); + WREG32(mmDMA0_QM_CGM_CFG1 + qman_offset, + enable ? QMAN_CGM1_PWR_GATE_EN : 0); WREG32(mmDMA0_QM_CGM_CFG + qman_offset, - QMAN_UPPER_CP_CGM_PWR_GATE_EN); + enable ? QMAN_UPPER_CP_CGM_PWR_GATE_EN : 0); } for (i = GAUDI_HBM_DMA_1 ; i < GAUDI_DMA_MAX ; i++) { - if (!(hdev->clock_gating_mask & - (BIT_ULL(gaudi_dma_assignment[i])))) - continue; + enable = !!(hdev->clock_gating_mask & + (BIT_ULL(gaudi_dma_assignment[i]))); qman_offset = gaudi_dma_assignment[i] * DMA_QMAN_OFFSET; - WREG32(mmDMA0_QM_CGM_CFG1 + qman_offset, QMAN_CGM1_PWR_GATE_EN); + WREG32(mmDMA0_QM_CGM_CFG1 + qman_offset, + enable ? QMAN_CGM1_PWR_GATE_EN : 0); WREG32(mmDMA0_QM_CGM_CFG + qman_offset, - QMAN_COMMON_CP_CGM_PWR_GATE_EN); + enable ? QMAN_COMMON_CP_CGM_PWR_GATE_EN : 0); } - if (hdev->clock_gating_mask & (BIT_ULL(GAUDI_ENGINE_ID_MME_0))) { - WREG32(mmMME0_QM_CGM_CFG1, QMAN_CGM1_PWR_GATE_EN); - WREG32(mmMME0_QM_CGM_CFG, QMAN_COMMON_CP_CGM_PWR_GATE_EN); - } + enable = !!(hdev->clock_gating_mask & (BIT_ULL(GAUDI_ENGINE_ID_MME_0))); + WREG32(mmMME0_QM_CGM_CFG1, enable ? QMAN_CGM1_PWR_GATE_EN : 0); + WREG32(mmMME0_QM_CGM_CFG, enable ? QMAN_COMMON_CP_CGM_PWR_GATE_EN : 0); - if (hdev->clock_gating_mask & (BIT_ULL(GAUDI_ENGINE_ID_MME_2))) { - WREG32(mmMME2_QM_CGM_CFG1, QMAN_CGM1_PWR_GATE_EN); - WREG32(mmMME2_QM_CGM_CFG, QMAN_COMMON_CP_CGM_PWR_GATE_EN); - } + enable = !!(hdev->clock_gating_mask & (BIT_ULL(GAUDI_ENGINE_ID_MME_2))); + WREG32(mmMME2_QM_CGM_CFG1, enable ? QMAN_CGM1_PWR_GATE_EN : 0); + WREG32(mmMME2_QM_CGM_CFG, enable ? QMAN_COMMON_CP_CGM_PWR_GATE_EN : 0); for (i = 0, qman_offset = 0 ; i < TPC_NUMBER_OF_ENGINES ; i++) { - if (!(hdev->clock_gating_mask & - (BIT_ULL(GAUDI_ENGINE_ID_TPC_0 + i)))) - continue; + enable = !!(hdev->clock_gating_mask & + (BIT_ULL(GAUDI_ENGINE_ID_TPC_0 + i))); WREG32(mmTPC0_QM_CGM_CFG1 + qman_offset, - QMAN_CGM1_PWR_GATE_EN); + enable ? QMAN_CGM1_PWR_GATE_EN : 0); WREG32(mmTPC0_QM_CGM_CFG + qman_offset, - QMAN_COMMON_CP_CGM_PWR_GATE_EN); + enable ? QMAN_COMMON_CP_CGM_PWR_GATE_EN : 0); qman_offset += TPC_QMAN_OFFSET; } From 36545279f076afeb77104f5ffeab850da3b6d107 Mon Sep 17 00:00:00 2001 From: Ofir Bitton Date: Thu, 6 Aug 2020 11:33:27 +0300 Subject: [PATCH 11/16] habanalabs: proper handling of alloc size in coresight Allocation size can go up to 64bit but truncated to 32bit, we should make sure it is not truncated and validate no address overflow. Signed-off-by: Ofir Bitton Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay --- drivers/misc/habanalabs/common/habanalabs.h | 2 +- drivers/misc/habanalabs/gaudi/gaudi_coresight.c | 8 +++++++- drivers/misc/habanalabs/goya/goya_coresight.c | 8 +++++++- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/drivers/misc/habanalabs/common/habanalabs.h b/drivers/misc/habanalabs/common/habanalabs.h index 018d9d67e8e6..13c18f3d9a9b 100644 --- a/drivers/misc/habanalabs/common/habanalabs.h +++ b/drivers/misc/habanalabs/common/habanalabs.h @@ -1651,7 +1651,7 @@ struct hl_ioctl_desc { * * Return: true if the area is inside the valid range, false otherwise. */ -static inline bool hl_mem_area_inside_range(u64 address, u32 size, +static inline bool hl_mem_area_inside_range(u64 address, u64 size, u64 range_start_address, u64 range_end_address) { u64 end_address = address + size; diff --git a/drivers/misc/habanalabs/gaudi/gaudi_coresight.c b/drivers/misc/habanalabs/gaudi/gaudi_coresight.c index 5673ee49819e..881531d4d9da 100644 --- a/drivers/misc/habanalabs/gaudi/gaudi_coresight.c +++ b/drivers/misc/habanalabs/gaudi/gaudi_coresight.c @@ -527,7 +527,7 @@ static int gaudi_config_etf(struct hl_device *hdev, } static bool gaudi_etr_validate_address(struct hl_device *hdev, u64 addr, - u32 size, bool *is_host) + u64 size, bool *is_host) { struct asic_fixed_properties *prop = &hdev->asic_prop; struct gaudi_device *gaudi = hdev->asic_specific; @@ -539,6 +539,12 @@ static bool gaudi_etr_validate_address(struct hl_device *hdev, u64 addr, return false; } + if (addr > (addr + size)) { + dev_err(hdev->dev, + "ETR buffer size %llu overflow\n", size); + return false; + } + /* PMMU and HPMMU addresses are equal, check only one of them */ if ((gaudi->hw_cap_initialized & HW_CAP_MMU) && hl_mem_area_inside_range(addr, size, diff --git a/drivers/misc/habanalabs/goya/goya_coresight.c b/drivers/misc/habanalabs/goya/goya_coresight.c index b03912483de0..4027a6a334d7 100644 --- a/drivers/misc/habanalabs/goya/goya_coresight.c +++ b/drivers/misc/habanalabs/goya/goya_coresight.c @@ -362,11 +362,17 @@ static int goya_config_etf(struct hl_device *hdev, } static int goya_etr_validate_address(struct hl_device *hdev, u64 addr, - u32 size) + u64 size) { struct asic_fixed_properties *prop = &hdev->asic_prop; u64 range_start, range_end; + if (addr > (addr + size)) { + dev_err(hdev->dev, + "ETR buffer size %llu overflow\n", size); + return false; + } + if (hdev->mmu_enable) { range_start = prop->dmmu.start_addr; range_end = prop->dmmu.end_addr; From 58361aae4b0eed388680a89ac153d27177f40510 Mon Sep 17 00:00:00 2001 From: Oded Gabbay Date: Sat, 8 Aug 2020 23:34:47 +0300 Subject: [PATCH 12/16] habanalabs: set max power according to card type In Gaudi, the default max power setting is different between PCI and PMC cards. Therefore, the driver need to set the default after knowing what is the card type. The current code has a bug where it limits the maximum power of the PMC card to 200W after a reset occurs. Signed-off-by: Oded Gabbay --- drivers/misc/habanalabs/common/device.c | 7 ++++++- drivers/misc/habanalabs/common/habanalabs.h | 5 ++++- drivers/misc/habanalabs/common/sysfs.c | 7 ++++--- drivers/misc/habanalabs/gaudi/gaudi.c | 11 ++++++++++- drivers/misc/habanalabs/gaudi/gaudiP.h | 3 ++- 5 files changed, 26 insertions(+), 7 deletions(-) diff --git a/drivers/misc/habanalabs/common/device.c b/drivers/misc/habanalabs/common/device.c index be16b75bdfdb..8e34c39380a9 100644 --- a/drivers/misc/habanalabs/common/device.c +++ b/drivers/misc/habanalabs/common/device.c @@ -1069,7 +1069,7 @@ again: goto out_err; } - hl_set_max_power(hdev, hdev->max_power); + hl_set_max_power(hdev); } else { rc = hdev->asic_funcs->soft_reset_late_init(hdev); if (rc) { @@ -1318,6 +1318,11 @@ int hl_device_init(struct hl_device *hdev, struct class *hclass) goto out_disabled; } + /* Need to call this again because the max power might change, + * depending on card type for certain ASICs + */ + hl_set_max_power(hdev); + /* * hl_hwmon_init() must be called after device_late_init(), because only * there we get the information from the device about which diff --git a/drivers/misc/habanalabs/common/habanalabs.h b/drivers/misc/habanalabs/common/habanalabs.h index 13c18f3d9a9b..edbd627b29d2 100644 --- a/drivers/misc/habanalabs/common/habanalabs.h +++ b/drivers/misc/habanalabs/common/habanalabs.h @@ -1462,6 +1462,8 @@ struct hl_device_idle_busy_ts { * details. * @in_reset: is device in reset flow. * @curr_pll_profile: current PLL profile. + * @card_type: Various ASICs have several card types. This indicates the card + * type of the current device. * @cs_active_cnt: number of active command submissions on this device (active * means already in H/W queues) * @major: habanalabs kernel driver major. @@ -1566,6 +1568,7 @@ struct hl_device { u64 clock_gating_mask; atomic_t in_reset; enum hl_pll_frequency curr_pll_profile; + enum armcp_card_types card_type; int cs_active_cnt; u32 major; u32 high_pll; @@ -1858,7 +1861,7 @@ int hl_get_pwm_info(struct hl_device *hdev, void hl_set_pwm_info(struct hl_device *hdev, int sensor_index, u32 attr, long value); u64 hl_get_max_power(struct hl_device *hdev); -void hl_set_max_power(struct hl_device *hdev, u64 value); +void hl_set_max_power(struct hl_device *hdev); int hl_set_voltage(struct hl_device *hdev, int sensor_index, u32 attr, long value); int hl_set_current(struct hl_device *hdev, diff --git a/drivers/misc/habanalabs/common/sysfs.c b/drivers/misc/habanalabs/common/sysfs.c index b3cb0ac4721c..5ae484cc84cd 100644 --- a/drivers/misc/habanalabs/common/sysfs.c +++ b/drivers/misc/habanalabs/common/sysfs.c @@ -81,7 +81,7 @@ u64 hl_get_max_power(struct hl_device *hdev) return result; } -void hl_set_max_power(struct hl_device *hdev, u64 value) +void hl_set_max_power(struct hl_device *hdev) { struct armcp_packet pkt; int rc; @@ -90,7 +90,7 @@ void hl_set_max_power(struct hl_device *hdev, u64 value) pkt.ctl = cpu_to_le32(ARMCP_PACKET_MAX_POWER_SET << ARMCP_PKT_CTL_OPCODE_SHIFT); - pkt.value = cpu_to_le64(value); + pkt.value = cpu_to_le64(hdev->max_power); rc = hdev->asic_funcs->send_cpu_message(hdev, (u32 *) &pkt, sizeof(pkt), 0, NULL); @@ -316,7 +316,7 @@ static ssize_t max_power_store(struct device *dev, } hdev->max_power = value; - hl_set_max_power(hdev, value); + hl_set_max_power(hdev); out: return count; @@ -422,6 +422,7 @@ int hl_sysfs_init(struct hl_device *hdev) hdev->pm_mng_profile = PM_AUTO; else hdev->pm_mng_profile = PM_MANUAL; + hdev->max_power = hdev->asic_prop.max_power_default; hdev->asic_funcs->add_device_attr(hdev, &hl_dev_clks_attr_group); diff --git a/drivers/misc/habanalabs/gaudi/gaudi.c b/drivers/misc/habanalabs/gaudi/gaudi.c index 7e0f9f64ffcb..4009b7df4caf 100644 --- a/drivers/misc/habanalabs/gaudi/gaudi.c +++ b/drivers/misc/habanalabs/gaudi/gaudi.c @@ -456,7 +456,7 @@ static int gaudi_get_fixed_properties(struct hl_device *hdev) prop->num_of_events = GAUDI_EVENT_SIZE; prop->tpc_enabled_mask = TPC_ENABLED_MASK; - prop->max_power_default = MAX_POWER_DEFAULT; + prop->max_power_default = MAX_POWER_DEFAULT_PCI; prop->cb_pool_cb_cnt = GAUDI_CB_POOL_CB_CNT; prop->cb_pool_cb_size = GAUDI_CB_POOL_CB_SIZE; @@ -6055,6 +6055,15 @@ static int gaudi_armcp_info_get(struct hl_device *hdev) strncpy(prop->armcp_info.card_name, GAUDI_DEFAULT_CARD_NAME, CARD_NAME_MAX_LEN); + hdev->card_type = le32_to_cpu(hdev->asic_prop.armcp_info.card_type); + + if (hdev->card_type == armcp_card_type_pci) + prop->max_power_default = MAX_POWER_DEFAULT_PCI; + else if (hdev->card_type == armcp_card_type_pmc) + prop->max_power_default = MAX_POWER_DEFAULT_PMC; + + hdev->max_power = prop->max_power_default; + return 0; } diff --git a/drivers/misc/habanalabs/gaudi/gaudiP.h b/drivers/misc/habanalabs/gaudi/gaudiP.h index 5dc99f6f0296..82137c3f3e2e 100644 --- a/drivers/misc/habanalabs/gaudi/gaudiP.h +++ b/drivers/misc/habanalabs/gaudi/gaudiP.h @@ -41,7 +41,8 @@ #define GAUDI_MAX_CLK_FREQ 2200000000ull /* 2200 MHz */ -#define MAX_POWER_DEFAULT 200000 /* 200W */ +#define MAX_POWER_DEFAULT_PCI 200000 /* 200W */ +#define MAX_POWER_DEFAULT_PMC 350000 /* 350W */ #define GAUDI_CPU_TIMEOUT_USEC 15000000 /* 15s */ From 804d057cfae25c5447b36099fa59682d0d184ed6 Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Thu, 30 Jul 2020 09:20:22 +0100 Subject: [PATCH 13/16] habanalabs: fix incorrect check on failed workqueue create The null check on a failed workqueue create is currently null checking hdev->cq_wq rather than the pointer hdev->cq_wq[i] and so the test will never be true on a failed workqueue create. Fix this by checking hdev->cq_wq[i]. Addresses-Coverity: ("Dereference before null check") Fixes: 5574cb2194b1 ("habanalabs: Assign each CQ with its own work queue") Signed-off-by: Colin Ian King Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay --- drivers/misc/habanalabs/common/device.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/habanalabs/common/device.c b/drivers/misc/habanalabs/common/device.c index 8e34c39380a9..24b01cce0a38 100644 --- a/drivers/misc/habanalabs/common/device.c +++ b/drivers/misc/habanalabs/common/device.c @@ -288,7 +288,7 @@ static int device_early_init(struct hl_device *hdev) for (i = 0 ; i < hdev->asic_prop.completion_queues_count ; i++) { snprintf(workq_name, 32, "hl-free-jobs-%u", i); hdev->cq_wq[i] = create_singlethread_workqueue(workq_name); - if (hdev->cq_wq == NULL) { + if (hdev->cq_wq[i] == NULL) { dev_err(hdev->dev, "Failed to allocate CQ workqueue\n"); rc = -ENOMEM; goto free_cq_wq; From bce382a8bb080ed5f2f3a06754526dc58b91cca2 Mon Sep 17 00:00:00 2001 From: Ofir Bitton Date: Tue, 11 Aug 2020 09:19:53 +0300 Subject: [PATCH 14/16] habanalabs: validate FW file size We must validate FW size in order not to corrupt memory in case a malicious FW file will be present in system. Signed-off-by: Ofir Bitton Signed-off-by: Oded Gabbay --- drivers/misc/habanalabs/common/firmware_if.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/misc/habanalabs/common/firmware_if.c b/drivers/misc/habanalabs/common/firmware_if.c index f70302cdab1b..f52bc690dfc5 100644 --- a/drivers/misc/habanalabs/common/firmware_if.c +++ b/drivers/misc/habanalabs/common/firmware_if.c @@ -13,6 +13,7 @@ #include #include +#define FW_FILE_MAX_SIZE 0x1400000 /* maximum size of 20MB */ /** * hl_fw_load_fw_to_device() - Load F/W code to device's memory. * @@ -48,6 +49,14 @@ int hl_fw_load_fw_to_device(struct hl_device *hdev, const char *fw_name, dev_dbg(hdev->dev, "%s firmware size == %zu\n", fw_name, fw_size); + if (fw_size > FW_FILE_MAX_SIZE) { + dev_err(hdev->dev, + "FW file size %zu exceeds maximum of %u bytes\n", + fw_size, FW_FILE_MAX_SIZE); + rc = -EINVAL; + goto out; + } + fw_data = (const u64 *) fw->data; memcpy_toio(dst, fw_data, fw_size); From 0839152f8c1efc1cc2d515d1ff1e253ca9402ad3 Mon Sep 17 00:00:00 2001 From: Ofir Bitton Date: Tue, 11 Aug 2020 08:57:45 +0300 Subject: [PATCH 15/16] habanalabs: check correct vmalloc return code vmalloc can return different return code than NULL and a valid pointer. We must validate it in order to dereference a non valid pointer. Signed-off-by: Ofir Bitton Signed-off-by: Oded Gabbay --- drivers/misc/habanalabs/common/memory.c | 9 +++++++-- drivers/misc/habanalabs/common/mmu.c | 2 +- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/misc/habanalabs/common/memory.c b/drivers/misc/habanalabs/common/memory.c index dce9273e557a..5ff4688683fd 100644 --- a/drivers/misc/habanalabs/common/memory.c +++ b/drivers/misc/habanalabs/common/memory.c @@ -66,6 +66,11 @@ static int alloc_device_memory(struct hl_ctx *ctx, struct hl_mem_in *args, num_pgs = (args->alloc.mem_size + (page_size - 1)) >> page_shift; total_size = num_pgs << page_shift; + if (!total_size) { + dev_err(hdev->dev, "Cannot allocate 0 bytes\n"); + return -EINVAL; + } + contiguous = args->flags & HL_MEM_CONTIGUOUS; if (contiguous) { @@ -93,7 +98,7 @@ static int alloc_device_memory(struct hl_ctx *ctx, struct hl_mem_in *args, phys_pg_pack->contiguous = contiguous; phys_pg_pack->pages = kvmalloc_array(num_pgs, sizeof(u64), GFP_KERNEL); - if (!phys_pg_pack->pages) { + if (ZERO_OR_NULL_PTR(phys_pg_pack->pages)) { rc = -ENOMEM; goto pages_arr_err; } @@ -683,7 +688,7 @@ static int init_phys_pg_pack_from_userptr(struct hl_ctx *ctx, phys_pg_pack->pages = kvmalloc_array(total_npages, sizeof(u64), GFP_KERNEL); - if (!phys_pg_pack->pages) { + if (ZERO_OR_NULL_PTR(phys_pg_pack->pages)) { rc = -ENOMEM; goto page_pack_arr_mem_err; } diff --git a/drivers/misc/habanalabs/common/mmu.c b/drivers/misc/habanalabs/common/mmu.c index edcc11d5eaf1..3fc0f497fab3 100644 --- a/drivers/misc/habanalabs/common/mmu.c +++ b/drivers/misc/habanalabs/common/mmu.c @@ -450,7 +450,7 @@ int hl_mmu_init(struct hl_device *hdev) hdev->mmu_shadow_hop0 = kvmalloc_array(prop->max_asid, prop->mmu_hop_table_size, GFP_KERNEL | __GFP_ZERO); - if (!hdev->mmu_shadow_hop0) { + if (ZERO_OR_NULL_PTR(hdev->mmu_shadow_hop0)) { rc = -ENOMEM; goto err_pool_add; } From 5aba368893c0d9e275f4b823e053fd16155f63b9 Mon Sep 17 00:00:00 2001 From: Ofir Bitton Date: Tue, 11 Aug 2020 08:11:49 +0300 Subject: [PATCH 16/16] habanalabs: correctly report inbound pci region cfg error During inbound iATU configuration we can get errors while configuring PCI registers, there is a certain scenario in which these errors are not reflected and driver is loaded with wrong configuration. Signed-off-by: Ofir Bitton Signed-off-by: Oded Gabbay --- drivers/misc/habanalabs/common/pci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/habanalabs/common/pci.c b/drivers/misc/habanalabs/common/pci.c index b8184cb49034..2770f03b6cbb 100644 --- a/drivers/misc/habanalabs/common/pci.c +++ b/drivers/misc/habanalabs/common/pci.c @@ -227,7 +227,7 @@ int hl_pci_set_inbound_region(struct hl_device *hdev, u8 region, } /* Point to the specified address */ - rc = hl_pci_iatu_write(hdev, offset + 0x14, + rc |= hl_pci_iatu_write(hdev, offset + 0x14, lower_32_bits(pci_region->addr)); rc |= hl_pci_iatu_write(hdev, offset + 0x18, upper_32_bits(pci_region->addr));