From 88adaf726ee3fc04c88198ce7632b9ebc3e7d9b1 Mon Sep 17 00:00:00 2001
From: Narendra Muppalla
Date: Mon, 12 Oct 2020 18:04:06 -0700
Subject: [PATCH] Revert "ANDROID: drivers: gpu: drm: fix bugs encountered while fuzzing"

Necessary changes to fix bugs encountered while fuzzing have been made to vendor specific drivers.

This reverts commit 9a6a3c73590559bce0b247a564e101a79427eeac.

Bug: 163689280
Change-Id: I1a8f1c8ea51cc6d2d2a669a8ee513ef2c369687a
Signed-off-by: Narendra Muppalla
---
 drivers/gpu/drm/drm_file.c | 7 -------
 drivers/gpu/drm/drm_property.c | 17 ++---------------
 2 files changed, 2 insertions(+), 22 deletions(-)

diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c
index 3fe268ed01c8..0ac4566ae3f4 100644
--- a/drivers/gpu/drm/drm_file.c
+++ b/drivers/gpu/drm/drm_file.c
@@ -56,8 +56,6 @@
 /* from BKL pushdown */
 DEFINE_MUTEX(drm_global_mutex);

-#define MAX_DRM_OPEN_COUNT 128
-
 bool drm_dev_needs_global_mutex(struct drm_device *dev)
 {
 /*
@@ -426,11 +424,6 @@ int drm_open(struct inode *inode, struct file *filp)
 if (!atomic_fetch_inc(&dev->open_count))
 need_setup = 1;

- if (atomic_read(&dev->open_count) >= MAX_DRM_OPEN_COUNT) {
- retcode = -EPERM;
- goto err_undo;
- }
-
 /* share address_space across all char-devs of a single device */
 filp->f_mapping = dev->anon_inode->i_mapping;

diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
index 29dd4a93838b..892ce636ef72 100644
--- a/drivers/gpu/drm/drm_property.c
+++ b/drivers/gpu/drm/drm_property.c
@@ -31,9 +31,6 @@

 #include "drm_crtc_internal.h"

-#define MAX_BLOB_PROP_SIZE (PAGE_SIZE * 30)
-#define MAX_BLOB_PROP_COUNT 250
-
 /**
 * DOC: overview
 *
@@ -564,8 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
 struct drm_property_blob *blob;
 int ret;

- if (!length || length > MAX_BLOB_PROP_SIZE -
- sizeof(struct drm_property_blob))
+ if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
 return ERR_PTR(-EINVAL);

 blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
@@ -791,21 +787,12 @@ int drm_mode_createblob_ioctl(struct drm_device *dev,
 void *data, struct drm_file *file_priv)
 {
 struct drm_mode_create_blob *out_resp = data;
- struct drm_property_blob *blob, *bt;
+ struct drm_property_blob *blob;
 int ret = 0;
- u32 count = 0;

 if (!drm_core_check_feature(dev, DRIVER_MODESET))
 return -EOPNOTSUPP;

- mutex_lock(&dev->mode_config.blob_lock);
- list_for_each_entry(bt, &file_priv->blobs, head_file)
- count++;
- mutex_unlock(&dev->mode_config.blob_lock);
-
- if (count >= MAX_BLOB_PROP_COUNT)
- return -EOPNOTSUPP;
-
 blob = drm_property_create_blob(dev, out_resp->length, NULL);
 if (IS_ERR(blob))
 return PTR_ERR(blob);
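Review bot: In the `drm_property_create_blob()` hunk the new bound `length > ULONG_MAX - sizeof(struct drm_property_blob)` only keeps the size addition from wrapping, so every smaller `length` reaches `kvzalloc(..., GFP_KERNEL)`, and `out_resp->length` in `drm_mode_createblob_ioctl()` appears to be taken directly from the ioctl argument. The same gap applies to the `drm_mode_createblob_ioctl()` hunk, which no longer bounds how many blobs one `drm_file` may hold, so the core path places no ceiling on the kernel memory a single DRM client can keep allocated through this ioctl. The commit message says the checks now live in vendor-specific drivers, but none of that is visible in this patch, and any driver without its own limit inherits the unbounded path. I would keep a core ceiling such as `if (!length || length > INT_MAX - sizeof(struct drm_property_blob))` and allocate with `GFP_KERNEL_ACCOUNT` so that memcg limits apply to blob memory. Both function bodies start and end outside their hunks.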