[PATCH] drm/xe/guc_submit: add missing locking in wedged_fini
Matthew Brost
matthew.brost at intel.com
Tue Sep 24 15:53:26 UTC 2024
On Tue, Sep 24, 2024 at 04:09:48PM +0100, Matthew Auld wrote:
> Any non-wedged queue can have a zero refcount here and can be running
> concurrently with an async queue destroy, therefore dereferencing the
> queue ptr to check wedge status after the lookup can trigger UAF if
> queue is not wedged. Fix this by keeping the submission_state lock held
> around the check to postpone the free and make the check safe, before
> dropping again around the put() to avoid the deadlock.
>
> Fixes: 8ed9aaae39f3 ("drm/xe: Force wedged state and block GT reset upon any GPU hang")
> Signed-off-by: Matthew Auld <matthew.auld at intel.com>
> Cc: Matthew Brost <matthew.brost at intel.com>
Reviewed-by: Matthew Brost <matthew.brost at intel.com>
> ---
> drivers/gpu/drm/xe/xe_guc_submit.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c b/drivers/gpu/drm/xe/xe_guc_submit.c
> index fbbe6a487bbb..715c761dc7d6 100644
> --- a/drivers/gpu/drm/xe/xe_guc_submit.c
> +++ b/drivers/gpu/drm/xe/xe_guc_submit.c
> @@ -290,9 +290,15 @@ static void guc_submit_wedged_fini(void *arg)
> struct xe_exec_queue *q;
> unsigned long index;
>
> - xa_for_each(&guc->submission_state.exec_queue_lookup, index, q)
> - if (exec_queue_wedged(q))
> + mutex_lock(&guc->submission_state.lock);
> + xa_for_each(&guc->submission_state.exec_queue_lookup, index, q) {
> + if (exec_queue_wedged(q)) {
> + mutex_unlock(&guc->submission_state.lock);
> xe_exec_queue_put(q);
> + mutex_lock(&guc->submission_state.lock);
> + }
> + }
> + mutex_unlock(&guc->submission_state.lock);
> }
>
> static const struct xe_exec_queue_ops guc_exec_queue_ops;
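Review bot: The unlock/relock pair around xe_exec_queue_put(q) inside the xa_for_each() loop has no comment in the code, so the reason for dropping submission_state.lock there is only recorded in the commit message ("to avoid the deadlock"). A short comment above mutex_unlock() would help: it should say that the lock is held so that exec_queue_wedged(q) cannot race with an async queue destroy freeing q, and that it is released only for the put(). Otherwise a later cleanup could collapse the pair back into a single lock/unlock around the loop, or remove the locking and reintroduce the unlocked dereference. It is also worth noting in that comment that the lookup xarray can change while the lock is dropped and that the loop simply continues from the current index after relocking.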
> --
> 2.46.1
>
More information about the Intel-xe
mailing list