Merge tag 'drm-fixes-2018-10-05' of git://anongit.freedesktop.org/drm/drm

Dave writes:
  "amdgpu and two core fixes

   Two fixes for amdgpu:
   one corrects a use of process->mm
   one fix for display code race condition that can result in a crash

   Two core fixes:
   One for a use-after-free in the leasing code
   One for a cma/fbdev crash."

* tag 'drm-fixes-2018-10-05' of git://anongit.freedesktop.org/drm/drm:
  drm/amdkfd: Fix incorrect use of process->mm
  drm/amd/display: Signal hw_done() after waiting for flip_done()
  drm/cma-helper: Fix crash in fbdev error path
  drm: fix use-after-free read in drm_mode_create_lease_ioctl()

7 files changed, 75 insertions, 26 deletions

diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
index ec0d62a16e53..4f22e745df51 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
@@ -358,8 +358,8 @@ static int create_compute_queue_nocpsch(struct device_queue_manager *dqm,
                                         struct queue *q,
                                         struct qcm_process_device *qpd)
 {
-        int retval;
         struct mqd_manager *mqd_mgr;
+        int retval;
 
         mqd_mgr = dqm->ops.get_mqd_manager(dqm, KFD_MQD_TYPE_COMPUTE);
         if (!mqd_mgr)
@@ -387,8 +387,12 @@ static int create_compute_queue_nocpsch(struct device_queue_manager *dqm,
         if (!q->properties.is_active)
                 return 0;
 
-        retval = mqd_mgr->load_mqd(mqd_mgr, q->mqd, q->pipe, q->queue,
-                        &q->properties, q->process->mm);
+        if (WARN(q->process->mm != current->mm,
+                 "should only run in user thread"))
+                retval = -EFAULT;
+        else
+                retval = mqd_mgr->load_mqd(mqd_mgr, q->mqd, q->pipe, q->queue,
+                                           &q->properties, current->mm);
         if (retval)
                 goto out_uninit_mqd;
 
@@ -545,9 +549,15 @@ static int update_queue(struct device_queue_manager *dqm, struct queue *q)
                 retval = map_queues_cpsch(dqm);
         else if (q->properties.is_active &&
                  (q->properties.type == KFD_QUEUE_TYPE_COMPUTE ||
-                  q->properties.type == KFD_QUEUE_TYPE_SDMA))
-                retval = mqd_mgr->load_mqd(mqd_mgr, q->mqd, q->pipe, q->queue,
-                                       &q->properties, q->process->mm);
+                  q->properties.type == KFD_QUEUE_TYPE_SDMA)) {
+                if (WARN(q->process->mm != current->mm,
+                         "should only run in user thread"))
+                        retval = -EFAULT;
+                else
+                        retval = mqd_mgr->load_mqd(mqd_mgr, q->mqd,
+                                                   q->pipe, q->queue,
+                                                   &q->properties, current->mm);
+        }
 
 out_unlock:
         dqm_unlock(dqm);
@@ -653,6 +663,7 @@ out:
 static int restore_process_queues_nocpsch(struct device_queue_manager *dqm,
                                           struct qcm_process_device *qpd)
 {
+        struct mm_struct *mm = NULL;
         struct queue *q;
         struct mqd_manager *mqd_mgr;
         struct kfd_process_device *pdd;
@@ -686,6 +697,15 @@ static int restore_process_queues_nocpsch(struct device_queue_manager *dqm,
                 kfd_flush_tlb(pdd);
         }
 
+        /* Take a safe reference to the mm_struct, which may otherwise
+         * disappear even while the kfd_process is still referenced.
+         */
+        mm = get_task_mm(pdd->process->lead_thread);
+        if (!mm) {
+                retval = -EFAULT;
+                goto out;
+        }
+
         /* activate all active queues on the qpd */
         list_for_each_entry(q, &qpd->queues_list, list) {
                 if (!q->properties.is_evicted)
@@ -700,14 +720,15 @@ static int restore_process_queues_nocpsch(struct device_queue_manager *dqm,
                 q->properties.is_evicted = false;
                 q->properties.is_active = true;
                 retval = mqd_mgr->load_mqd(mqd_mgr, q->mqd, q->pipe,
-                                       q->queue, &q->properties,
-                                       q->process->mm);
+                                       q->queue, &q->properties, mm);
                 if (retval)
                         goto out;
                 dqm->queue_count++;
         }
         qpd->evicted = 0;
 out:
+        if (mm)
+                mmput(mm);
         dqm_unlock(dqm);
         return retval;
 }
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index 96875950845a..6903fe6c894b 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -4633,12 +4633,18 @@ static void amdgpu_dm_atomic_commit_tail(struct drm_atomic_state *state)
         }
         spin_unlock_irqrestore(&adev->ddev->event_lock, flags);
 
-        /* Signal HW programming completion */
-        drm_atomic_helper_commit_hw_done(state);
 
         if (wait_for_vblank)
                 drm_atomic_helper_wait_for_flip_done(dev, state);
 
+        /*
+         * FIXME:
+         * Delay hw_done() until flip_done() is signaled. This is to block
+         * another commit from freeing the CRTC state while we're still
+         * waiting on flip_done.
+         */
+        drm_atomic_helper_commit_hw_done(state);
+
         drm_atomic_helper_cleanup_planes(dev, state);
 
         /* Finally, drop a runtime PM reference for each newly disabled CRTC,
diff --git a/drivers/gpu/drm/drm_client.c b/drivers/gpu/drm/drm_client.c
index baff50a4c234..df31c3815092 100644
--- a/drivers/gpu/drm/drm_client.c
+++ b/drivers/gpu/drm/drm_client.c
@@ -63,20 +63,21 @@ static void drm_client_close(struct drm_client_dev *client)
 EXPORT_SYMBOL(drm_client_close);
 
 /**
- * drm_client_new - Create a DRM client
+ * drm_client_init - Initialise a DRM client
  * @dev: DRM device
  * @client: DRM client
  * @name: Client name
  * @funcs: DRM client functions (optional)
  *
+ * This initialises the client and opens a &drm_file. Use drm_client_add() to complete the process.
  * The caller needs to hold a reference on @dev before calling this function.
  * The client is freed when the &drm_device is unregistered. See drm_client_release().
  *
  * Returns:
  * Zero on success or negative error code on failure.
  */
-int drm_client_new(struct drm_device *dev, struct drm_client_dev *client,
-                   const char *name, const struct drm_client_funcs *funcs)
+int drm_client_init(struct drm_device *dev, struct drm_client_dev *client,
+                    const char *name, const struct drm_client_funcs *funcs)
 {
         int ret;
 
@@ -95,10 +96,6 @@ int drm_client_new(struct drm_device *dev, struct drm_client_dev *client,
         if (ret)
                 goto err_put_module;
 
-        mutex_lock(&dev->clientlist_mutex);
-        list_add(&client->list, &dev->clientlist);
-        mutex_unlock(&dev->clientlist_mutex);
-
         drm_dev_get(dev);
 
         return 0;
@@ -109,13 +106,33 @@ err_put_module:
 
         return ret;
 }
-EXPORT_SYMBOL(drm_client_new);
+EXPORT_SYMBOL(drm_client_init);
+
+/**
+ * drm_client_add - Add client to the device list
+ * @client: DRM client
+ *
+ * Add the client to the &drm_device client list to activate its callbacks.
+ * @client must be initialized by a call to drm_client_init(). After
+ * drm_client_add() it is no longer permissible to call drm_client_release()
+ * directly (outside the unregister callback), instead cleanup will happen
+ * automatically on driver unload.
+ */
+void drm_client_add(struct drm_client_dev *client)
+{
+        struct drm_device *dev = client->dev;
+
+        mutex_lock(&dev->clientlist_mutex);
+        list_add(&client->list, &dev->clientlist);
+        mutex_unlock(&dev->clientlist_mutex);
+}
+EXPORT_SYMBOL(drm_client_add);
 
 /**
  * drm_client_release - Release DRM client resources
  * @client: DRM client
  *
- * Releases resources by closing the &drm_file that was opened by drm_client_new().
+ * Releases resources by closing the &drm_file that was opened by drm_client_init().
  * It is called automatically if the &drm_client_funcs.unregister callback is _not_ set.
  *
  * This function should only be called from the unregister callback. An exception
diff --git a/drivers/gpu/drm/drm_fb_cma_helper.c b/drivers/gpu/drm/drm_fb_cma_helper.c
index 9da36a6271d3..9ac1f2e0f064 100644
--- a/drivers/gpu/drm/drm_fb_cma_helper.c
+++ b/drivers/gpu/drm/drm_fb_cma_helper.c
@@ -160,7 +160,7 @@ struct drm_fbdev_cma *drm_fbdev_cma_init(struct drm_device *dev,
 
         fb_helper = &fbdev_cma->fb_helper;
 
-        ret = drm_client_new(dev, &fb_helper->client, "fbdev", NULL);
+        ret = drm_client_init(dev, &fb_helper->client, "fbdev", NULL);
         if (ret)
                 goto err_free;
 
@@ -169,6 +169,8 @@ struct drm_fbdev_cma *drm_fbdev_cma_init(struct drm_device *dev,
         if (ret)
                 goto err_client_put;
 
+        drm_client_add(&fb_helper->client);
+
         return fbdev_cma;
 
 err_client_put:
diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
index 16ec93b75dbf..515a7aec57ac 100644
--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -3218,12 +3218,14 @@ int drm_fbdev_generic_setup(struct drm_device *dev, unsigned int preferred_bpp)
         if (!fb_helper)
                 return -ENOMEM;
 
-        ret = drm_client_new(dev, &fb_helper->client, "fbdev", &drm_fbdev_client_funcs);
+        ret = drm_client_init(dev, &fb_helper->client, "fbdev", &drm_fbdev_client_funcs);
         if (ret) {
                 kfree(fb_helper);
                 return ret;
         }
 
+        drm_client_add(&fb_helper->client);
+
         fb_helper->preferred_bpp = preferred_bpp;
 
         drm_fbdev_client_hotplug(&fb_helper->client);
diff --git a/drivers/gpu/drm/drm_lease.c b/drivers/gpu/drm/drm_lease.c
index b54fb78a283c..b82da96ded5c 100644
--- a/drivers/gpu/drm/drm_lease.c
+++ b/drivers/gpu/drm/drm_lease.c
@@ -566,14 +566,14 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev,
         lessee_priv->is_master = 1;
         lessee_priv->authenticated = 1;
 
-        /* Hook up the fd */
-        fd_install(fd, lessee_file);
-
         /* Pass fd back to userspace */
         DRM_DEBUG_LEASE("Returning fd %d id %d\n", fd, lessee->lessee_id);
         cl->fd = fd;
         cl->lessee_id = lessee->lessee_id;
 
+        /* Hook up the fd */
+        fd_install(fd, lessee_file);
+
         DRM_DEBUG_LEASE("drm_mode_create_lease_ioctl succeeded\n");
         return 0;
 
diff --git a/include/drm/drm_client.h b/include/drm/drm_client.h
index 989f8e52864d..971bb7853776 100644
--- a/include/drm/drm_client.h
+++ b/include/drm/drm_client.h
@@ -87,9 +87,10 @@ struct drm_client_dev {
         struct drm_file *file;
 };
 
-int drm_client_new(struct drm_device *dev, struct drm_client_dev *client,
-                   const char *name, const struct drm_client_funcs *funcs);
+int drm_client_init(struct drm_device *dev, struct drm_client_dev *client,
+                    const char *name, const struct drm_client_funcs *funcs);
 void drm_client_release(struct drm_client_dev *client);
+void drm_client_add(struct drm_client_dev *client);
 
 void drm_client_dev_unregister(struct drm_device *dev);
 void drm_client_dev_hotplug(struct drm_device *dev);