diff options
author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-08-23 13:20:47 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-08-23 13:20:47 +0200 |
commit | 9c97cecab0d49e40460d9b5230ab4bf036f59491 (patch) | |
tree | 5d54d24c3d005f48a9a8148e71225465847e1776 | |
parent | 51072c0f5b5e98a035c6f63b83ba2afedbb7accd (diff) | |
parent | 5aba368893c0d9e275f4b823e053fd16155f63b9 (diff) |
Merge tag 'misc-habanalabs-fixes-2020-08-22' of git://people.freedesktop.org/~gabbayo/linux into char-misc-linus
Oded writes:
This tag contains the following bug fixes for 5.9-rc2/3:
- Correct cleanup of PCI bar mapping in case of failure during
initialization.
- Several security fixes:
- Validating user addresses before mapping them
- Validating packet id (from user) before using it as index for array.
- Validating F/W file size before coping it.
- Prevent possible overflow when validating address from user in
profiler.
- Validate queue index (from user) before using it as index for array.
- Check for correct vmalloc return code
- Fix memory corruption in debugfs entry
- Fix a loop in gaudi_extract_ecc_info()
- Fix the set clock gating function in gaudi code
- Set maximum power to F/W according to the card type
- Cix incorrect check on failed workqueue create
- Correctly report error when configuring the PCI controller
* tag 'misc-habanalabs-fixes-2020-08-22' of git://people.freedesktop.org/~gabbayo/linux:
habanalabs: correctly report inbound pci region cfg error
habanalabs: check correct vmalloc return code
habanalabs: validate FW file size
habanalabs: fix incorrect check on failed workqueue create
habanalabs: set max power according to card type
habanalabs: proper handling of alloc size in coresight
habanalabs: set clock gating according to mask
habanalabs: verify user input in cs_ioctl_signal_wait
habanalabs: Fix a loop in gaudi_extract_ecc_info()
habanalabs: Fix memory corruption in debugfs
habanalabs: validate packet id during CB parse
habanalabs: Validate user address before mapping
habanalabs: unmap PCI bars upon iATU failure
-rw-r--r-- | drivers/misc/habanalabs/common/command_buffer.c | 16 | ||||
-rw-r--r-- | drivers/misc/habanalabs/common/command_submission.c | 8 | ||||
-rw-r--r-- | drivers/misc/habanalabs/common/debugfs.c | 8 | ||||
-rw-r--r-- | drivers/misc/habanalabs/common/device.c | 9 | ||||
-rw-r--r-- | drivers/misc/habanalabs/common/firmware_if.c | 9 | ||||
-rw-r--r-- | drivers/misc/habanalabs/common/habanalabs.h | 7 | ||||
-rw-r--r-- | drivers/misc/habanalabs/common/memory.c | 9 | ||||
-rw-r--r-- | drivers/misc/habanalabs/common/mmu.c | 2 | ||||
-rw-r--r-- | drivers/misc/habanalabs/common/pci.c | 8 | ||||
-rw-r--r-- | drivers/misc/habanalabs/common/sysfs.c | 7 | ||||
-rw-r--r-- | drivers/misc/habanalabs/gaudi/gaudi.c | 92 | ||||
-rw-r--r-- | drivers/misc/habanalabs/gaudi/gaudiP.h | 3 | ||||
-rw-r--r-- | drivers/misc/habanalabs/gaudi/gaudi_coresight.c | 8 | ||||
-rw-r--r-- | drivers/misc/habanalabs/goya/goya.c | 31 | ||||
-rw-r--r-- | drivers/misc/habanalabs/goya/goya_coresight.c | 8 |
15 files changed, 178 insertions, 47 deletions
diff --git a/drivers/misc/habanalabs/common/command_buffer.c b/drivers/misc/habanalabs/common/command_buffer.c index 7c38c4f7f9c0..a8004911c977 100644 --- a/drivers/misc/habanalabs/common/command_buffer.c +++ b/drivers/misc/habanalabs/common/command_buffer.c @@ -10,6 +10,7 @@ #include <linux/mm.h> #include <linux/slab.h> +#include <linux/uaccess.h> #include <linux/genalloc.h> static void cb_fini(struct hl_device *hdev, struct hl_cb *cb) @@ -300,7 +301,7 @@ int hl_cb_mmap(struct hl_fpriv *hpriv, struct vm_area_struct *vma) struct hl_device *hdev = hpriv->hdev; struct hl_cb *cb; phys_addr_t address; - u32 handle; + u32 handle, user_cb_size; int rc; handle = vma->vm_pgoff; @@ -314,7 +315,8 @@ int hl_cb_mmap(struct hl_fpriv *hpriv, struct vm_area_struct *vma) } /* Validation check */ - if ((vma->vm_end - vma->vm_start) != ALIGN(cb->size, PAGE_SIZE)) { + user_cb_size = vma->vm_end - vma->vm_start; + if (user_cb_size != ALIGN(cb->size, PAGE_SIZE)) { dev_err(hdev->dev, "CB mmap failed, mmap size 0x%lx != 0x%x cb size\n", vma->vm_end - vma->vm_start, cb->size); @@ -322,6 +324,16 @@ int hl_cb_mmap(struct hl_fpriv *hpriv, struct vm_area_struct *vma) goto put_cb; } + if (!access_ok((void __user *) (uintptr_t) vma->vm_start, + user_cb_size)) { + dev_err(hdev->dev, + "user pointer is invalid - 0x%lx\n", + vma->vm_start); + + rc = -EINVAL; + goto put_cb; + } + spin_lock(&cb->lock); if (cb->mmap) { diff --git a/drivers/misc/habanalabs/common/command_submission.c b/drivers/misc/habanalabs/common/command_submission.c index b9840e368eb5..2e3fcbc794db 100644 --- a/drivers/misc/habanalabs/common/command_submission.c +++ b/drivers/misc/habanalabs/common/command_submission.c @@ -808,6 +808,14 @@ static int cs_ioctl_signal_wait(struct hl_fpriv *hpriv, enum hl_cs_type cs_type, /* currently it is guaranteed to have only one chunk */ chunk = &cs_chunk_array[0]; + + if (chunk->queue_index >= hdev->asic_prop.max_queues) { + dev_err(hdev->dev, "Queue index %d is invalid\n", + chunk->queue_index); + rc = -EINVAL; + goto free_cs_chunk_array; + } + q_idx = chunk->queue_index; hw_queue_prop = &hdev->asic_prop.hw_queues_props[q_idx]; q_type = hw_queue_prop->type; diff --git a/drivers/misc/habanalabs/common/debugfs.c b/drivers/misc/habanalabs/common/debugfs.c index c50c6fc9e905..37701e4f9d5a 100644 --- a/drivers/misc/habanalabs/common/debugfs.c +++ b/drivers/misc/habanalabs/common/debugfs.c @@ -19,7 +19,7 @@ static struct dentry *hl_debug_root; static int hl_debugfs_i2c_read(struct hl_device *hdev, u8 i2c_bus, u8 i2c_addr, - u8 i2c_reg, u32 *val) + u8 i2c_reg, long *val) { struct armcp_packet pkt; int rc; @@ -36,7 +36,7 @@ static int hl_debugfs_i2c_read(struct hl_device *hdev, u8 i2c_bus, u8 i2c_addr, pkt.i2c_reg = i2c_reg; rc = hdev->asic_funcs->send_cpu_message(hdev, (u32 *) &pkt, sizeof(pkt), - 0, (long *) val); + 0, val); if (rc) dev_err(hdev->dev, "Failed to read from I2C, error %d\n", rc); @@ -827,7 +827,7 @@ static ssize_t hl_i2c_data_read(struct file *f, char __user *buf, struct hl_dbg_device_entry *entry = file_inode(f)->i_private; struct hl_device *hdev = entry->hdev; char tmp_buf[32]; - u32 val; + long val; ssize_t rc; if (*ppos) @@ -842,7 +842,7 @@ static ssize_t hl_i2c_data_read(struct file *f, char __user *buf, return rc; } - sprintf(tmp_buf, "0x%02x\n", val); + sprintf(tmp_buf, "0x%02lx\n", val); rc = simple_read_from_buffer(buf, count, ppos, tmp_buf, strlen(tmp_buf)); diff --git a/drivers/misc/habanalabs/common/device.c b/drivers/misc/habanalabs/common/device.c index be16b75bdfdb..24b01cce0a38 100644 --- a/drivers/misc/habanalabs/common/device.c +++ b/drivers/misc/habanalabs/common/device.c @@ -288,7 +288,7 @@ static int device_early_init(struct hl_device *hdev) for (i = 0 ; i < hdev->asic_prop.completion_queues_count ; i++) { snprintf(workq_name, 32, "hl-free-jobs-%u", i); hdev->cq_wq[i] = create_singlethread_workqueue(workq_name); - if (hdev->cq_wq == NULL) { + if (hdev->cq_wq[i] == NULL) { dev_err(hdev->dev, "Failed to allocate CQ workqueue\n"); rc = -ENOMEM; goto free_cq_wq; @@ -1069,7 +1069,7 @@ again: goto out_err; } - hl_set_max_power(hdev, hdev->max_power); + hl_set_max_power(hdev); } else { rc = hdev->asic_funcs->soft_reset_late_init(hdev); if (rc) { @@ -1318,6 +1318,11 @@ int hl_device_init(struct hl_device *hdev, struct class *hclass) goto out_disabled; } + /* Need to call this again because the max power might change, + * depending on card type for certain ASICs + */ + hl_set_max_power(hdev); + /* * hl_hwmon_init() must be called after device_late_init(), because only * there we get the information from the device about which diff --git a/drivers/misc/habanalabs/common/firmware_if.c b/drivers/misc/habanalabs/common/firmware_if.c index f70302cdab1b..f52bc690dfc5 100644 --- a/drivers/misc/habanalabs/common/firmware_if.c +++ b/drivers/misc/habanalabs/common/firmware_if.c @@ -13,6 +13,7 @@ #include <linux/io-64-nonatomic-lo-hi.h> #include <linux/slab.h> +#define FW_FILE_MAX_SIZE 0x1400000 /* maximum size of 20MB */ /** * hl_fw_load_fw_to_device() - Load F/W code to device's memory. * @@ -48,6 +49,14 @@ int hl_fw_load_fw_to_device(struct hl_device *hdev, const char *fw_name, dev_dbg(hdev->dev, "%s firmware size == %zu\n", fw_name, fw_size); + if (fw_size > FW_FILE_MAX_SIZE) { + dev_err(hdev->dev, + "FW file size %zu exceeds maximum of %u bytes\n", + fw_size, FW_FILE_MAX_SIZE); + rc = -EINVAL; + goto out; + } + fw_data = (const u64 *) fw->data; memcpy_toio(dst, fw_data, fw_size); diff --git a/drivers/misc/habanalabs/common/habanalabs.h b/drivers/misc/habanalabs/common/habanalabs.h index 018d9d67e8e6..edbd627b29d2 100644 --- a/drivers/misc/habanalabs/common/habanalabs.h +++ b/drivers/misc/habanalabs/common/habanalabs.h @@ -1462,6 +1462,8 @@ struct hl_device_idle_busy_ts { * details. * @in_reset: is device in reset flow. * @curr_pll_profile: current PLL profile. + * @card_type: Various ASICs have several card types. This indicates the card + * type of the current device. * @cs_active_cnt: number of active command submissions on this device (active * means already in H/W queues) * @major: habanalabs kernel driver major. @@ -1566,6 +1568,7 @@ struct hl_device { u64 clock_gating_mask; atomic_t in_reset; enum hl_pll_frequency curr_pll_profile; + enum armcp_card_types card_type; int cs_active_cnt; u32 major; u32 high_pll; @@ -1651,7 +1654,7 @@ struct hl_ioctl_desc { * * Return: true if the area is inside the valid range, false otherwise. */ -static inline bool hl_mem_area_inside_range(u64 address, u32 size, +static inline bool hl_mem_area_inside_range(u64 address, u64 size, u64 range_start_address, u64 range_end_address) { u64 end_address = address + size; @@ -1858,7 +1861,7 @@ int hl_get_pwm_info(struct hl_device *hdev, void hl_set_pwm_info(struct hl_device *hdev, int sensor_index, u32 attr, long value); u64 hl_get_max_power(struct hl_device *hdev); -void hl_set_max_power(struct hl_device *hdev, u64 value); +void hl_set_max_power(struct hl_device *hdev); int hl_set_voltage(struct hl_device *hdev, int sensor_index, u32 attr, long value); int hl_set_current(struct hl_device *hdev, diff --git a/drivers/misc/habanalabs/common/memory.c b/drivers/misc/habanalabs/common/memory.c index dce9273e557a..5ff4688683fd 100644 --- a/drivers/misc/habanalabs/common/memory.c +++ b/drivers/misc/habanalabs/common/memory.c @@ -66,6 +66,11 @@ static int alloc_device_memory(struct hl_ctx *ctx, struct hl_mem_in *args, num_pgs = (args->alloc.mem_size + (page_size - 1)) >> page_shift; total_size = num_pgs << page_shift; + if (!total_size) { + dev_err(hdev->dev, "Cannot allocate 0 bytes\n"); + return -EINVAL; + } + contiguous = args->flags & HL_MEM_CONTIGUOUS; if (contiguous) { @@ -93,7 +98,7 @@ static int alloc_device_memory(struct hl_ctx *ctx, struct hl_mem_in *args, phys_pg_pack->contiguous = contiguous; phys_pg_pack->pages = kvmalloc_array(num_pgs, sizeof(u64), GFP_KERNEL); - if (!phys_pg_pack->pages) { + if (ZERO_OR_NULL_PTR(phys_pg_pack->pages)) { rc = -ENOMEM; goto pages_arr_err; } @@ -683,7 +688,7 @@ static int init_phys_pg_pack_from_userptr(struct hl_ctx *ctx, phys_pg_pack->pages = kvmalloc_array(total_npages, sizeof(u64), GFP_KERNEL); - if (!phys_pg_pack->pages) { + if (ZERO_OR_NULL_PTR(phys_pg_pack->pages)) { rc = -ENOMEM; goto page_pack_arr_mem_err; } diff --git a/drivers/misc/habanalabs/common/mmu.c b/drivers/misc/habanalabs/common/mmu.c index edcc11d5eaf1..3fc0f497fab3 100644 --- a/drivers/misc/habanalabs/common/mmu.c +++ b/drivers/misc/habanalabs/common/mmu.c @@ -450,7 +450,7 @@ int hl_mmu_init(struct hl_device *hdev) hdev->mmu_shadow_hop0 = kvmalloc_array(prop->max_asid, prop->mmu_hop_table_size, GFP_KERNEL | __GFP_ZERO); - if (!hdev->mmu_shadow_hop0) { + if (ZERO_OR_NULL_PTR(hdev->mmu_shadow_hop0)) { rc = -ENOMEM; goto err_pool_add; } diff --git a/drivers/misc/habanalabs/common/pci.c b/drivers/misc/habanalabs/common/pci.c index 7bd3737571f3..2770f03b6cbb 100644 --- a/drivers/misc/habanalabs/common/pci.c +++ b/drivers/misc/habanalabs/common/pci.c @@ -227,7 +227,7 @@ int hl_pci_set_inbound_region(struct hl_device *hdev, u8 region, } /* Point to the specified address */ - rc = hl_pci_iatu_write(hdev, offset + 0x14, + rc |= hl_pci_iatu_write(hdev, offset + 0x14, lower_32_bits(pci_region->addr)); rc |= hl_pci_iatu_write(hdev, offset + 0x18, upper_32_bits(pci_region->addr)); @@ -369,15 +369,17 @@ int hl_pci_init(struct hl_device *hdev) rc = hdev->asic_funcs->init_iatu(hdev); if (rc) { dev_err(hdev->dev, "Failed to initialize iATU\n"); - goto disable_device; + goto unmap_pci_bars; } rc = hl_pci_set_dma_mask(hdev); if (rc) - goto disable_device; + goto unmap_pci_bars; return 0; +unmap_pci_bars: + hl_pci_bars_unmap(hdev); disable_device: pci_clear_master(pdev); pci_disable_device(pdev); diff --git a/drivers/misc/habanalabs/common/sysfs.c b/drivers/misc/habanalabs/common/sysfs.c index b3cb0ac4721c..5ae484cc84cd 100644 --- a/drivers/misc/habanalabs/common/sysfs.c +++ b/drivers/misc/habanalabs/common/sysfs.c @@ -81,7 +81,7 @@ u64 hl_get_max_power(struct hl_device *hdev) return result; } -void hl_set_max_power(struct hl_device *hdev, u64 value) +void hl_set_max_power(struct hl_device *hdev) { struct armcp_packet pkt; int rc; @@ -90,7 +90,7 @@ void hl_set_max_power(struct hl_device *hdev, u64 value) pkt.ctl = cpu_to_le32(ARMCP_PACKET_MAX_POWER_SET << ARMCP_PKT_CTL_OPCODE_SHIFT); - pkt.value = cpu_to_le64(value); + pkt.value = cpu_to_le64(hdev->max_power); rc = hdev->asic_funcs->send_cpu_message(hdev, (u32 *) &pkt, sizeof(pkt), 0, NULL); @@ -316,7 +316,7 @@ static ssize_t max_power_store(struct device *dev, } hdev->max_power = value; - hl_set_max_power(hdev, value); + hl_set_max_power(hdev); out: return count; @@ -422,6 +422,7 @@ int hl_sysfs_init(struct hl_device *hdev) hdev->pm_mng_profile = PM_AUTO; else hdev->pm_mng_profile = PM_MANUAL; + hdev->max_power = hdev->asic_prop.max_power_default; hdev->asic_funcs->add_device_attr(hdev, &hl_dev_clks_attr_group); diff --git a/drivers/misc/habanalabs/gaudi/gaudi.c b/drivers/misc/habanalabs/gaudi/gaudi.c index 00a0a7238d81..4009b7df4caf 100644 --- a/drivers/misc/habanalabs/gaudi/gaudi.c +++ b/drivers/misc/habanalabs/gaudi/gaudi.c @@ -154,6 +154,29 @@ static const u16 gaudi_packet_sizes[MAX_PACKET_ID] = { [PACKET_LOAD_AND_EXE] = sizeof(struct packet_load_and_exe) }; +static inline bool validate_packet_id(enum packet_id id) +{ + switch (id) { + case PACKET_WREG_32: + case PACKET_WREG_BULK: + case PACKET_MSG_LONG: + case PACKET_MSG_SHORT: + case PACKET_CP_DMA: + case PACKET_REPEAT: + case PACKET_MSG_PROT: + case PACKET_FENCE: + case PACKET_LIN_DMA: + case PACKET_NOP: + case PACKET_STOP: + case PACKET_ARB_POINT: + case PACKET_WAIT: + case PACKET_LOAD_AND_EXE: + return true; + default: + return false; + } +} + static const char * const gaudi_tpc_interrupts_cause[GAUDI_NUM_OF_TPC_INTR_CAUSE] = { "tpc_address_exceed_slm", @@ -433,7 +456,7 @@ static int gaudi_get_fixed_properties(struct hl_device *hdev) prop->num_of_events = GAUDI_EVENT_SIZE; prop->tpc_enabled_mask = TPC_ENABLED_MASK; - prop->max_power_default = MAX_POWER_DEFAULT; + prop->max_power_default = MAX_POWER_DEFAULT_PCI; prop->cb_pool_cb_cnt = GAUDI_CB_POOL_CB_CNT; prop->cb_pool_cb_size = GAUDI_CB_POOL_CB_SIZE; @@ -2485,6 +2508,7 @@ static void gaudi_set_clock_gating(struct hl_device *hdev) { struct gaudi_device *gaudi = hdev->asic_specific; u32 qman_offset; + bool enable; int i; /* In case we are during debug session, don't enable the clock gate @@ -2494,46 +2518,43 @@ static void gaudi_set_clock_gating(struct hl_device *hdev) return; for (i = GAUDI_PCI_DMA_1, qman_offset = 0 ; i < GAUDI_HBM_DMA_1 ; i++) { - if (!(hdev->clock_gating_mask & - (BIT_ULL(gaudi_dma_assignment[i])))) - continue; + enable = !!(hdev->clock_gating_mask & + (BIT_ULL(gaudi_dma_assignment[i]))); qman_offset = gaudi_dma_assignment[i] * DMA_QMAN_OFFSET; - WREG32(mmDMA0_QM_CGM_CFG1 + qman_offset, QMAN_CGM1_PWR_GATE_EN); + WREG32(mmDMA0_QM_CGM_CFG1 + qman_offset, + enable ? QMAN_CGM1_PWR_GATE_EN : 0); WREG32(mmDMA0_QM_CGM_CFG + qman_offset, - QMAN_UPPER_CP_CGM_PWR_GATE_EN); + enable ? QMAN_UPPER_CP_CGM_PWR_GATE_EN : 0); } for (i = GAUDI_HBM_DMA_1 ; i < GAUDI_DMA_MAX ; i++) { - if (!(hdev->clock_gating_mask & - (BIT_ULL(gaudi_dma_assignment[i])))) - continue; + enable = !!(hdev->clock_gating_mask & + (BIT_ULL(gaudi_dma_assignment[i]))); qman_offset = gaudi_dma_assignment[i] * DMA_QMAN_OFFSET; - WREG32(mmDMA0_QM_CGM_CFG1 + qman_offset, QMAN_CGM1_PWR_GATE_EN); + WREG32(mmDMA0_QM_CGM_CFG1 + qman_offset, + enable ? QMAN_CGM1_PWR_GATE_EN : 0); WREG32(mmDMA0_QM_CGM_CFG + qman_offset, - QMAN_COMMON_CP_CGM_PWR_GATE_EN); + enable ? QMAN_COMMON_CP_CGM_PWR_GATE_EN : 0); } - if (hdev->clock_gating_mask & (BIT_ULL(GAUDI_ENGINE_ID_MME_0))) { - WREG32(mmMME0_QM_CGM_CFG1, QMAN_CGM1_PWR_GATE_EN); - WREG32(mmMME0_QM_CGM_CFG, QMAN_COMMON_CP_CGM_PWR_GATE_EN); - } + enable = !!(hdev->clock_gating_mask & (BIT_ULL(GAUDI_ENGINE_ID_MME_0))); + WREG32(mmMME0_QM_CGM_CFG1, enable ? QMAN_CGM1_PWR_GATE_EN : 0); + WREG32(mmMME0_QM_CGM_CFG, enable ? QMAN_COMMON_CP_CGM_PWR_GATE_EN : 0); - if (hdev->clock_gating_mask & (BIT_ULL(GAUDI_ENGINE_ID_MME_2))) { - WREG32(mmMME2_QM_CGM_CFG1, QMAN_CGM1_PWR_GATE_EN); - WREG32(mmMME2_QM_CGM_CFG, QMAN_COMMON_CP_CGM_PWR_GATE_EN); - } + enable = !!(hdev->clock_gating_mask & (BIT_ULL(GAUDI_ENGINE_ID_MME_2))); + WREG32(mmMME2_QM_CGM_CFG1, enable ? QMAN_CGM1_PWR_GATE_EN : 0); + WREG32(mmMME2_QM_CGM_CFG, enable ? QMAN_COMMON_CP_CGM_PWR_GATE_EN : 0); for (i = 0, qman_offset = 0 ; i < TPC_NUMBER_OF_ENGINES ; i++) { - if (!(hdev->clock_gating_mask & - (BIT_ULL(GAUDI_ENGINE_ID_TPC_0 + i)))) - continue; + enable = !!(hdev->clock_gating_mask & + (BIT_ULL(GAUDI_ENGINE_ID_TPC_0 + i))); WREG32(mmTPC0_QM_CGM_CFG1 + qman_offset, - QMAN_CGM1_PWR_GATE_EN); + enable ? QMAN_CGM1_PWR_GATE_EN : 0); WREG32(mmTPC0_QM_CGM_CFG + qman_offset, - QMAN_COMMON_CP_CGM_PWR_GATE_EN); + enable ? QMAN_COMMON_CP_CGM_PWR_GATE_EN : 0); qman_offset += TPC_QMAN_OFFSET; } @@ -3772,6 +3793,12 @@ static int gaudi_validate_cb(struct hl_device *hdev, PACKET_HEADER_PACKET_ID_MASK) >> PACKET_HEADER_PACKET_ID_SHIFT); + if (!validate_packet_id(pkt_id)) { + dev_err(hdev->dev, "Invalid packet id %u\n", pkt_id); + rc = -EINVAL; + break; + } + pkt_size = gaudi_packet_sizes[pkt_id]; cb_parsed_length += pkt_size; if (cb_parsed_length > parser->user_cb_size) { @@ -3995,6 +4022,12 @@ static int gaudi_patch_cb(struct hl_device *hdev, PACKET_HEADER_PACKET_ID_MASK) >> PACKET_HEADER_PACKET_ID_SHIFT); + if (!validate_packet_id(pkt_id)) { + dev_err(hdev->dev, "Invalid packet id %u\n", pkt_id); + rc = -EINVAL; + break; + } + pkt_size = gaudi_packet_sizes[pkt_id]; cb_parsed_length += pkt_size; if (cb_parsed_length > parser->user_cb_size) { @@ -5215,7 +5248,7 @@ static int gaudi_extract_ecc_info(struct hl_device *hdev, *memory_wrapper_idx = 0xFF; /* Iterate through memory wrappers, a single bit must be set */ - for (i = 0 ; i > num_mem_regs ; i++) { + for (i = 0 ; i < num_mem_regs ; i++) { err_addr += i * 4; err_word = RREG32(err_addr); if (err_word) { @@ -6022,6 +6055,15 @@ static int gaudi_armcp_info_get(struct hl_device *hdev) strncpy(prop->armcp_info.card_name, GAUDI_DEFAULT_CARD_NAME, CARD_NAME_MAX_LEN); + hdev->card_type = le32_to_cpu(hdev->asic_prop.armcp_info.card_type); + + if (hdev->card_type == armcp_card_type_pci) + prop->max_power_default = MAX_POWER_DEFAULT_PCI; + else if (hdev->card_type == armcp_card_type_pmc) + prop->max_power_default = MAX_POWER_DEFAULT_PMC; + + hdev->max_power = prop->max_power_default; + return 0; } diff --git a/drivers/misc/habanalabs/gaudi/gaudiP.h b/drivers/misc/habanalabs/gaudi/gaudiP.h index 5dc99f6f0296..82137c3f3e2e 100644 --- a/drivers/misc/habanalabs/gaudi/gaudiP.h +++ b/drivers/misc/habanalabs/gaudi/gaudiP.h @@ -41,7 +41,8 @@ #define GAUDI_MAX_CLK_FREQ 2200000000ull /* 2200 MHz */ -#define MAX_POWER_DEFAULT 200000 /* 200W */ +#define MAX_POWER_DEFAULT_PCI 200000 /* 200W */ +#define MAX_POWER_DEFAULT_PMC 350000 /* 350W */ #define GAUDI_CPU_TIMEOUT_USEC 15000000 /* 15s */ diff --git a/drivers/misc/habanalabs/gaudi/gaudi_coresight.c b/drivers/misc/habanalabs/gaudi/gaudi_coresight.c index 5673ee49819e..881531d4d9da 100644 --- a/drivers/misc/habanalabs/gaudi/gaudi_coresight.c +++ b/drivers/misc/habanalabs/gaudi/gaudi_coresight.c @@ -527,7 +527,7 @@ static int gaudi_config_etf(struct hl_device *hdev, } static bool gaudi_etr_validate_address(struct hl_device *hdev, u64 addr, - u32 size, bool *is_host) + u64 size, bool *is_host) { struct asic_fixed_properties *prop = &hdev->asic_prop; struct gaudi_device *gaudi = hdev->asic_specific; @@ -539,6 +539,12 @@ static bool gaudi_etr_validate_address(struct hl_device *hdev, u64 addr, return false; } + if (addr > (addr + size)) { + dev_err(hdev->dev, + "ETR buffer size %llu overflow\n", size); + return false; + } + /* PMMU and HPMMU addresses are equal, check only one of them */ if ((gaudi->hw_cap_initialized & HW_CAP_MMU) && hl_mem_area_inside_range(addr, size, diff --git a/drivers/misc/habanalabs/goya/goya.c b/drivers/misc/habanalabs/goya/goya.c index 85030759b2af..33cd2ae653d2 100644 --- a/drivers/misc/habanalabs/goya/goya.c +++ b/drivers/misc/habanalabs/goya/goya.c @@ -139,6 +139,25 @@ static u16 goya_packet_sizes[MAX_PACKET_ID] = { [PACKET_STOP] = sizeof(struct packet_stop) }; +static inline bool validate_packet_id(enum packet_id id) +{ + switch (id) { + case PACKET_WREG_32: + case PACKET_WREG_BULK: + case PACKET_MSG_LONG: + case PACKET_MSG_SHORT: + case PACKET_CP_DMA: + case PACKET_MSG_PROT: + case PACKET_FENCE: + case PACKET_LIN_DMA: + case PACKET_NOP: + case PACKET_STOP: + return true; + default: + return false; + } +} + static u64 goya_mmu_regs[GOYA_MMU_REGS_NUM] = { mmDMA_QM_0_GLBL_NON_SECURE_PROPS, mmDMA_QM_1_GLBL_NON_SECURE_PROPS, @@ -3455,6 +3474,12 @@ static int goya_validate_cb(struct hl_device *hdev, PACKET_HEADER_PACKET_ID_MASK) >> PACKET_HEADER_PACKET_ID_SHIFT); + if (!validate_packet_id(pkt_id)) { + dev_err(hdev->dev, "Invalid packet id %u\n", pkt_id); + rc = -EINVAL; + break; + } + pkt_size = goya_packet_sizes[pkt_id]; cb_parsed_length += pkt_size; if (cb_parsed_length > parser->user_cb_size) { @@ -3690,6 +3715,12 @@ static int goya_patch_cb(struct hl_device *hdev, PACKET_HEADER_PACKET_ID_MASK) >> PACKET_HEADER_PACKET_ID_SHIFT); + if (!validate_packet_id(pkt_id)) { + dev_err(hdev->dev, "Invalid packet id %u\n", pkt_id); + rc = -EINVAL; + break; + } + pkt_size = goya_packet_sizes[pkt_id]; cb_parsed_length += pkt_size; if (cb_parsed_length > parser->user_cb_size) { diff --git a/drivers/misc/habanalabs/goya/goya_coresight.c b/drivers/misc/habanalabs/goya/goya_coresight.c index b03912483de0..4027a6a334d7 100644 --- a/drivers/misc/habanalabs/goya/goya_coresight.c +++ b/drivers/misc/habanalabs/goya/goya_coresight.c @@ -362,11 +362,17 @@ static int goya_config_etf(struct hl_device *hdev, } static int goya_etr_validate_address(struct hl_device *hdev, u64 addr, - u32 size) + u64 size) { struct asic_fixed_properties *prop = &hdev->asic_prop; u64 range_start, range_end; + if (addr > (addr + size)) { + dev_err(hdev->dev, + "ETR buffer size %llu overflow\n", size); + return false; + } + if (hdev->mmu_enable) { range_start = prop->dmmu.start_addr; range_end = prop->dmmu.end_addr; |