From ce8548ec056022c4feccacc9eb09a4e8619bdefa Mon Sep 17 00:00:00 2001
From: Sagar Kamble
Date: Tue, 3 Aug 2021 09:11:33 +0530
Subject: gpu: nvgpu: fix clk_arb completion file private data access race

clk_arb completion file descriptor can get closed immediately after poll finishes in the work item gp10b_clk_arb_run_arbiter_cb. In that case, the refcount for nvgpu_clk_dev can become zero in the work item and can lead to invalid access while removing nvgpu_clk_dev from the lists. Remove nvgpu_clk_dev from the list before dropping the reference to it. Also, delete the nvgpu_clk_dev in completion file release handler within the session and requests spinlocks to avoid race with gp10b_clk_arb_run_arbiter_cb using it.
bug 200757277
Change-Id: I054eee547f2a6fa633d7ef55df216ec36647a826
Signed-off-by: Sagar Kamble
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nvgpu/+/2569522
Tested-by: mobile promotions
Reviewed-by: Debarshi Dutta
Reviewed-by: Deepak Nibade
Reviewed-by: Bibek Basu
Reviewed-by: mobile promotions
---
 drivers/gpu/nvgpu/clk/clk_arb.c | 4 ++--
 drivers/gpu/nvgpu/gp106/clk_arb_gp106.c | 6 +++---
 drivers/gpu/nvgpu/gp10b/clk_arb_gp10b.c | 4 ++--
 drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c | 17 +++++++++++++----
 4 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/drivers/gpu/nvgpu/clk/clk_arb.c b/drivers/gpu/nvgpu/clk/clk_arb.c
index 6cf005c8..8e9fb419 100644
--- a/drivers/gpu/nvgpu/clk/clk_arb.c
+++ b/drivers/gpu/nvgpu/clk/clk_arb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2018, NVIDIA CORPORATION. All rights reserved.
+ * Copyright (c) 2016-2021, NVIDIA CORPORATION. All rights reserved.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the "Software"),
@@ -886,8 +886,8 @@ void nvgpu_clk_arb_free_session(struct nvgpu_ref *refcount)
 nvgpu_spinlock_acquire(&session->session_lock);
 nvgpu_list_for_each_entry_safe(dev, tmp, &session->targets, nvgpu_clk_dev, node) {
- nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
 nvgpu_list_del(&dev->node);
+ nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
 }
 nvgpu_spinlock_release(&session->session_lock);
diff --git a/drivers/gpu/nvgpu/gp106/clk_arb_gp106.c b/drivers/gpu/nvgpu/gp106/clk_arb_gp106.c
index ce0c03b9..2dd5651c 100644
--- a/drivers/gpu/nvgpu/gp106/clk_arb_gp106.c
+++ b/drivers/gpu/nvgpu/gp106/clk_arb_gp106.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2018, NVIDIA CORPORATION. All rights reserved.
+ * Copyright (c) 2016-2021, NVIDIA CORPORATION. All rights reserved.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the "Software"),
@@ -730,8 +730,8 @@ exit_arb:
 nvgpu_atomic_set(&dev->poll_mask, NVGPU_POLLIN | NVGPU_POLLRDNORM);
 nvgpu_clk_arb_event_post_event(dev);
- nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
 nvgpu_list_del(&dev->node);
+ nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
 }
 nvgpu_spinlock_release(&arb->requests_lock);
@@ -768,4 +768,4 @@ void gp106_clk_arb_cleanup(struct nvgpu_clk_arb *arb)
 nvgpu_kfree(g, g->clk_arb);
 g->clk_arb = NULL;
-}
\ No newline at end of file
+}
diff --git a/drivers/gpu/nvgpu/gp10b/clk_arb_gp10b.c b/drivers/gpu/nvgpu/gp10b/clk_arb_gp10b.c
index d8e4e705..4e0cb2ee 100644
--- a/drivers/gpu/nvgpu/gp10b/clk_arb_gp10b.c
+++ b/drivers/gpu/nvgpu/gp10b/clk_arb_gp10b.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, NVIDIA CORPORATION. All rights reserved.
+ * Copyright (c) 2018-2021, NVIDIA CORPORATION. All rights reserved.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the "Software"),
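Review bot: The unlink-then-put order introduced in the `nvgpu_clk_arb_free_session` loop is load-bearing but carries no comment, so a later cleanup could swap the two calls back and reintroduce the invalid access described in the commit message. A one-line comment above `nvgpu_list_del(&dev->node);` would pin it, e.g. `/* Unlink first: the put below may drop the last reference and free dev. */`; the same applies to the `exit_arb:` loops in clk_arb_gp106.c and clk_arb_gp10b.c. The put can also invoke `nvgpu_clk_arb_free_fd` while `session_lock` or `requests_lock` is held, so that callback must neither sleep nor take either lock; its body is not shown in this diff, so this is worth confirming. All three loops sit in functions whose bodies extend beyond their hunks.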
@@ -393,8 +393,8 @@ exit_arb:
 nvgpu_clk_dev, node) {
 nvgpu_atomic_set(&dev->poll_mask, NVGPU_POLLIN | NVGPU_POLLRDNORM);
 nvgpu_clk_arb_event_post_event(dev);
- nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
 nvgpu_list_del(&dev->node);
+ nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
 }
 nvgpu_spinlock_release(&arb->requests_lock);
diff --git a/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c b/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c
index 477222dc..9f321021 100644
--- a/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c
+++ b/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2018, NVIDIA CORPORATION. All rights reserved.
+ * Copyright (c) 2016-2021, NVIDIA CORPORATION. All rights reserved.
 *
 * This software is licensed under the terms of the GNU General Public
 * License version 2, as published by the Free Software Foundation, and
@@ -51,19 +51,28 @@ static int nvgpu_clk_arb_release_completion_dev(struct inode *inode,
 {
 struct nvgpu_clk_dev *dev = filp->private_data;
 struct nvgpu_clk_session *session = dev->session;
+ struct gk20a *g = session->g;
+ struct nvgpu_clk_arb *arb = g->clk_arb;
+ clk_arb_dbg(g, " ");
- clk_arb_dbg(session->g, " ");
+ nvgpu_spinlock_acquire(&session->session_lock);
+ nvgpu_spinlock_acquire(&arb->requests_lock);
+
+ nvgpu_list_del(&dev->node);
+
+ nvgpu_spinlock_release(&arb->requests_lock);
+ nvgpu_spinlock_release(&session->session_lock);
 /* This is done to account for the extra refcount taken in
 * nvgpu_clk_arb_commit_request_fd without events support in iGPU */
- if (!session->g->clk_arb->clk_arb_events_supported) {
+ if (!arb->clk_arb_events_supported) {
 nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
 }
- nvgpu_ref_put(&session->refcount, nvgpu_clk_arb_free_session);
 nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
+ nvgpu_ref_put(&session->refcount, nvgpu_clk_arb_free_session);
 return 0;
 }
--
cgit v1.2.2
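Review bot: The unconditional `nvgpu_list_del(&dev->node)` added to `nvgpu_clk_arb_release_completion_dev` can run on a node that the arbiter's `exit_arb:` loop has already unlinked, which is safe only if `nvgpu_list_del` leaves the node re-initialised rather than poisoned. Its definition is not in this diff, so that should be confirmed and recorded in a comment such as `/* dev may already be off the list; nvgpu_list_del() must tolerate an unlinked node */`. This is also the only place in the patch that nests `session_lock` and `requests_lock`, so the order (session first, then requests) deserves a comment, and any other path that takes both locks has to use the same order to avoid an ABBA deadlock. The function's signature continues outside the hunk.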