diff options
author | Sagar Kamble <skamble@nvidia.com> | 2021-08-02 23:41:33 -0400 |
---|---|---|
committer | mobile promotions <svcmobile_promotions@nvidia.com> | 2021-08-03 14:39:44 -0400 |
commit | ce8548ec056022c4feccacc9eb09a4e8619bdefa (patch) | |
tree | aa419fc8b0287d85727854c8a98e87453dde7258 /drivers/gpu/nvgpu/os | |
parent | 2c441a83d44857b71a599acfe76395942ea936bf (diff) |
gpu: nvgpu: fix clk_arb completion file private data access race
clk_arb completion file descriptor can get closed immediately after
poll finishes in the work item gp10b_clk_arb_run_arbiter_cb. In
that case, the refcount for nvgpu_clk_dev can become zero in
the work item and can lead to invalid access while removing
nvgpu_clk_dev from the lists.
Remove nvgpu_clk_dev from the list before dropping the reference to
it.
Also, delete the nvgpu_clk_dev in completion file release handler
within the session and requests spinlocks to avoid race with
gp10b_clk_arb_run_arbiter_cb using it.
bug 200757277
Change-Id: I054eee547f2a6fa633d7ef55df216ec36647a826
Signed-off-by: Sagar Kamble <skamble@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nvgpu/+/2569522
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
Reviewed-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Diffstat (limited to 'drivers/gpu/nvgpu/os')
-rw-r--r-- | drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c b/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c index 477222dc..9f321021 100644 --- a/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c +++ b/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (c) 2016-2018, NVIDIA CORPORATION. All rights reserved. | 2 | * Copyright (c) 2016-2021, NVIDIA CORPORATION. All rights reserved. |
3 | * | 3 | * |
4 | * This software is licensed under the terms of the GNU General Public | 4 | * This software is licensed under the terms of the GNU General Public |
5 | * License version 2, as published by the Free Software Foundation, and | 5 | * License version 2, as published by the Free Software Foundation, and |
@@ -51,19 +51,28 @@ static int nvgpu_clk_arb_release_completion_dev(struct inode *inode, | |||
51 | { | 51 | { |
52 | struct nvgpu_clk_dev *dev = filp->private_data; | 52 | struct nvgpu_clk_dev *dev = filp->private_data; |
53 | struct nvgpu_clk_session *session = dev->session; | 53 | struct nvgpu_clk_session *session = dev->session; |
54 | struct gk20a *g = session->g; | ||
55 | struct nvgpu_clk_arb *arb = g->clk_arb; | ||
54 | 56 | ||
57 | clk_arb_dbg(g, " "); | ||
55 | 58 | ||
56 | clk_arb_dbg(session->g, " "); | 59 | nvgpu_spinlock_acquire(&session->session_lock); |
60 | nvgpu_spinlock_acquire(&arb->requests_lock); | ||
61 | |||
62 | nvgpu_list_del(&dev->node); | ||
63 | |||
64 | nvgpu_spinlock_release(&arb->requests_lock); | ||
65 | nvgpu_spinlock_release(&session->session_lock); | ||
57 | 66 | ||
58 | /* This is done to account for the extra refcount taken in | 67 | /* This is done to account for the extra refcount taken in |
59 | * nvgpu_clk_arb_commit_request_fd without events support in iGPU | 68 | * nvgpu_clk_arb_commit_request_fd without events support in iGPU |
60 | */ | 69 | */ |
61 | if (!session->g->clk_arb->clk_arb_events_supported) { | 70 | if (!arb->clk_arb_events_supported) { |
62 | nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd); | 71 | nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd); |
63 | } | 72 | } |
64 | 73 | ||
65 | nvgpu_ref_put(&session->refcount, nvgpu_clk_arb_free_session); | ||
66 | nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd); | 74 | nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd); |
75 | nvgpu_ref_put(&session->refcount, nvgpu_clk_arb_free_session); | ||
67 | return 0; | 76 | return 0; |
68 | } | 77 | } |
69 | 78 | ||