[PATCH v2] drm/xe: Fix possible UAF in guc_exec_queue_process_msg
Ghimiray, Himal Prasad
himal.prasad.ghimiray at intel.com
Wed Jul 24 15:43:31 UTC 2024
On 24-07-2024 00:49, Matthew Brost wrote:
> Store xe_device ahead of processing message as message can be free'd in
> some cases.
>
> v2:
> - Including missing local changes
>
> Reported-by: kernel test robot <lkp at intel.com>
> Reported-by: Dan Carpenter <dan.carpenter at linaro.org>
> Closes: https://lore.kernel.org/r/202407231445.rpisd1vA-lkp@intel.com/
> Fixes: d930c19fdff3 ("drm/xe: Build PM into GuC CT layer")
> Signed-off-by: Matthew Brost <matthew.brost at intel.com>
> ---
> drivers/gpu/drm/xe/xe_guc_submit.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c b/drivers/gpu/drm/xe/xe_guc_submit.c
> index da2ead86b9ae..b8f938539a90 100644
> --- a/drivers/gpu/drm/xe/xe_guc_submit.c
> +++ b/drivers/gpu/drm/xe/xe_guc_submit.c
> @@ -1395,6 +1395,8 @@ static void __guc_exec_queue_process_msg_resume(struct xe_sched_msg *msg)
>
> static void guc_exec_queue_process_msg(struct xe_sched_msg *msg)
> {
> + struct xe_device *xe = guc_to_xe(exec_queue_to_guc(msg->private_data));
> +
> trace_xe_sched_msg_recv(msg);
>
> switch (msg->opcode) {
> @@ -1414,7 +1416,7 @@ static void guc_exec_queue_process_msg(struct xe_sched_msg *msg)
> XE_WARN_ON("Unknown message type");
> }
>
> - xe_pm_runtime_put(guc_to_xe(exec_queue_to_guc(msg->private_data)));
> + xe_pm_runtime_put(xe);
Patch LGTM.
Reviewed-by: Himal Prasad Ghimiray <himal.prasad.ghimiray at intel.com>
> }
>
> static const struct drm_sched_backend_ops drm_sched_ops = {
More information about the Intel-xe
mailing list