From 7aaa9bffff026d76de0ceee0302ca214b6906fee Mon Sep 17 00:00:00 2001
From: Neeraja P <neerp@codeaurora.org>
Date: Thu, 7 Jan 2021 20:48:09 +0530
Subject: [PATCH] msm: kgsl: Deregister gpu address on memdesc_sg_virt failure

When memdesc_sg_virt returns error in kgsl_setup_anon_useraddr function,
the gpu address registered in SVM region will not be deregistered.
This change deregisters the gpu address on memdesc_sg_virt failure.

Change-Id: Ic99167e283a0c6331bb9f5f0b608b6cdb3c918e4
Signed-off-by: Neeraja P <neerp@codeaurora.org>
CVE-2021-1906
---
 drivers/gpu/msm/kgsl.c     | 10 ++++++++--
 drivers/gpu/msm/kgsl_mmu.c |  3 ++-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
index f9dfaaedcef3..12f729c96819 100644
--- a/drivers/gpu/msm/kgsl.c
+++ b/drivers/gpu/msm/kgsl.c
@@ -2112,6 +2112,8 @@ static int kgsl_setup_anon_useraddr(struct kgsl_pagetable *pagetable,
 {
 	/* Map an anonymous memory chunk */
 
+	int ret;
+
 	if (size == 0 || offset != 0 ||
 		!IS_ALIGNED(size, PAGE_SIZE))
 		return -EINVAL;
@@ -2121,7 +2123,6 @@ static int kgsl_setup_anon_useraddr(struct kgsl_pagetable *pagetable,
 	entry->memdesc.flags |= KGSL_MEMFLAGS_USERMEM_ADDR;
 
 	if (kgsl_memdesc_use_cpu_map(&entry->memdesc)) {
-		int ret;
 
 		/* Register the address in the database */
 		ret = kgsl_mmu_set_svm_region(pagetable,
@@ -2133,7 +2134,12 @@ static int kgsl_setup_anon_useraddr(struct kgsl_pagetable *pagetable,
 		entry->memdesc.gpuaddr = (uint64_t) hostptr;
 	}
 
-	return memdesc_sg_virt(&entry->memdesc, hostptr);
+	ret = memdesc_sg_virt(&entry->memdesc, hostptr);
+
+	if (ret && kgsl_memdesc_use_cpu_map(&entry->memdesc))
+		kgsl_mmu_put_gpuaddr(&entry->memdesc);
+
+	return ret;
 }
 
 static int match_file(const void *p, struct file *file, unsigned int fd)
diff --git a/drivers/gpu/msm/kgsl_mmu.c b/drivers/gpu/msm/kgsl_mmu.c
index aa7157e882ac..d7fbde5ded7d 100644
--- a/drivers/gpu/msm/kgsl_mmu.c
+++ b/drivers/gpu/msm/kgsl_mmu.c
@@ -432,7 +432,8 @@ void kgsl_mmu_put_gpuaddr(struct kgsl_memdesc *memdesc)
 	if (memdesc->size == 0 || memdesc->gpuaddr == 0)
 		return;
 
-	if (!kgsl_memdesc_is_global(memdesc))
+	if (!kgsl_memdesc_is_global(memdesc) &&
+			 (KGSL_MEMDESC_MAPPED & memdesc->priv))
 		unmap_fail = kgsl_mmu_unmap(pagetable, memdesc);
 
 	/*