gpu: nvgpu: fix clk_arb completion file private data access race

clk_arb completion file descriptor can get closed immediately after
poll finishes in the work item gp10b_clk_arb_run_arbiter_cb. In
that case, the refcount for nvgpu_clk_dev can become zero in
the work item and can lead to invalid access while removing
nvgpu_clk_dev from the lists.

Remove nvgpu_clk_dev from the list before dropping the reference to
it.

Also, delete the nvgpu_clk_dev in completion file release handler
within the session and requests spinlocks to avoid race with
gp10b_clk_arb_run_arbiter_cb using it.

bug 200757277

Change-Id: I054eee547f2a6fa633d7ef55df216ec36647a826
Signed-off-by: Sagar Kamble <skamble@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nvgpu/+/2569522
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
Reviewed-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>

4 files changed, 20 insertions, 11 deletions

diff --git a/drivers/gpu/nvgpu/clk/clk_arb.c b/drivers/gpu/nvgpu/clk/clk_arb.c
index 6cf005c8..8e9fb419 100644
--- a/drivers/gpu/nvgpu/clk/clk_arb.c
+++ b/drivers/gpu/nvgpu/clk/clk_arb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2018, NVIDIA CORPORATION.  All rights reserved.
+ * Copyright (c) 2016-2021, NVIDIA CORPORATION.  All rights reserved.
  *
  * Permission is hereby granted, free of charge, to any person obtaining a
  * copy of this software and associated documentation files (the "Software"),
@@ -886,8 +886,8 @@ void nvgpu_clk_arb_free_session(struct nvgpu_ref *refcount)
         nvgpu_spinlock_acquire(&session->session_lock);
         nvgpu_list_for_each_entry_safe(dev, tmp, &session->targets,
                         nvgpu_clk_dev, node) {
-                nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
                 nvgpu_list_del(&dev->node);
+                nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
         }
         nvgpu_spinlock_release(&session->session_lock);
 
diff --git a/drivers/gpu/nvgpu/gp106/clk_arb_gp106.c b/drivers/gpu/nvgpu/gp106/clk_arb_gp106.c
index ce0c03b9..2dd5651c 100644
--- a/drivers/gpu/nvgpu/gp106/clk_arb_gp106.c
+++ b/drivers/gpu/nvgpu/gp106/clk_arb_gp106.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2018, NVIDIA CORPORATION.  All rights reserved.
+ * Copyright (c) 2016-2021, NVIDIA CORPORATION.  All rights reserved.
  *
  * Permission is hereby granted, free of charge, to any person obtaining a
  * copy of this software and associated documentation files (the "Software"),
@@ -730,8 +730,8 @@ exit_arb:
                 nvgpu_atomic_set(&dev->poll_mask,
                  NVGPU_POLLIN | NVGPU_POLLRDNORM);
                 nvgpu_clk_arb_event_post_event(dev);
-                nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
                 nvgpu_list_del(&dev->node);
+                nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
         }
         nvgpu_spinlock_release(&arb->requests_lock);
 
@@ -768,4 +768,4 @@ void gp106_clk_arb_cleanup(struct nvgpu_clk_arb *arb)
         nvgpu_kfree(g, g->clk_arb);
 
         g->clk_arb = NULL;
-}
\ No newline at end of file
+}
diff --git a/drivers/gpu/nvgpu/gp10b/clk_arb_gp10b.c b/drivers/gpu/nvgpu/gp10b/clk_arb_gp10b.c
index d8e4e705..4e0cb2ee 100644
--- a/drivers/gpu/nvgpu/gp10b/clk_arb_gp10b.c
+++ b/drivers/gpu/nvgpu/gp10b/clk_arb_gp10b.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, NVIDIA CORPORATION.  All rights reserved.
+ * Copyright (c) 2018-2021, NVIDIA CORPORATION.  All rights reserved.
  *
  * Permission is hereby granted, free of charge, to any person obtaining a
  * copy of this software and associated documentation files (the "Software"),
@@ -393,8 +393,8 @@ exit_arb:
                         nvgpu_clk_dev, node) {
                 nvgpu_atomic_set(&dev->poll_mask, NVGPU_POLLIN | NVGPU_POLLRDNORM);
                 nvgpu_clk_arb_event_post_event(dev);
-                nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
                 nvgpu_list_del(&dev->node);
+                nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
         }
         nvgpu_spinlock_release(&arb->requests_lock);
 
diff --git a/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c b/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c
index 477222dc..9f321021 100644
--- a/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c
+++ b/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2018, NVIDIA CORPORATION.  All rights reserved.
+ * Copyright (c) 2016-2021, NVIDIA CORPORATION.  All rights reserved.
  *
  * This software is licensed under the terms of the GNU General Public
  * License version 2, as published by the Free Software Foundation, and
@@ -51,19 +51,28 @@ static int nvgpu_clk_arb_release_completion_dev(struct inode *inode,
 {
         struct nvgpu_clk_dev *dev = filp->private_data;
         struct nvgpu_clk_session *session = dev->session;
+        struct gk20a *g = session->g;
+        struct nvgpu_clk_arb *arb = g->clk_arb;
 
+        clk_arb_dbg(g, " ");
 
-        clk_arb_dbg(session->g, " ");
+        nvgpu_spinlock_acquire(&session->session_lock);
+        nvgpu_spinlock_acquire(&arb->requests_lock);
+
+        nvgpu_list_del(&dev->node);
+
+        nvgpu_spinlock_release(&arb->requests_lock);
+        nvgpu_spinlock_release(&session->session_lock);
 
         /* This is done to account for the extra refcount taken in
          * nvgpu_clk_arb_commit_request_fd without events support in iGPU
          */
-        if (!session->g->clk_arb->clk_arb_events_supported) {
+        if (!arb->clk_arb_events_supported) {
                 nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
         }
 
-        nvgpu_ref_put(&session->refcount, nvgpu_clk_arb_free_session);
         nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
+        nvgpu_ref_put(&session->refcount, nvgpu_clk_arb_free_session);
         return 0;
 }