From c28e73ee2f92d1d287637a22d40d170b42771f96 Mon Sep 17 00:00:00 2001
From: Thomas Fleury <tfleury@nvidia.com>
Date: Sat, 1 Sep 2018 14:05:36 -0700
Subject: gpu: nvgpu: fix race condition in pmu_rpc_handler

There was a race condition between pmu_rpc_handler and
nvgpu_pmu_rpc_execute. The later could free the buffer before
pmu_rpc_handler could access related data.
Added explicit field in rpc_payload, so that nvgpu_pmu_rpc_execute
can wait until pmu_rpc_handler completes.

Bug 2331655

Change-Id: Ic2653524159eff10504b9c2625b5241610b5f5f0
Reviewed-on: https://git-master.nvidia.com/r/1811299
Signed-off-by: Vaikundanathan S <vaikuns@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1817582
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
---
 drivers/gpu/nvgpu/common/pmu/pmu_ipc.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

(limited to 'drivers/gpu/nvgpu/common/pmu/pmu_ipc.c')

diff --git a/drivers/gpu/nvgpu/common/pmu/pmu_ipc.c b/drivers/gpu/nvgpu/common/pmu/pmu_ipc.c
index 6f88260f..01b91662 100644
--- a/drivers/gpu/nvgpu/common/pmu/pmu_ipc.c
+++ b/drivers/gpu/nvgpu/common/pmu/pmu_ipc.c
@@ -740,7 +740,9 @@ int pmu_wait_message_cond(struct nvgpu_pmu *pmu, u32 timeout_ms,
 	nvgpu_timeout_init(g, &timeout, timeout_ms, NVGPU_TIMER_CPU_TIMER);
 
 	do {
-		if (*(u8 *)var == val) {
+		nvgpu_rmb();
+
+		if (*(volatile u8 *)var == val) {
 			return 0;
 		}
 
@@ -859,6 +861,8 @@ static void pmu_rpc_handler(struct gk20a *g, struct pmu_msg *msg,
 	}
 
 exit:
+	rpc_payload->complete = true;
+
 	/* free allocated memory */
 	if (rpc_payload->is_mem_free_set) {
 		nvgpu_kfree(g, rpc_payload);
@@ -914,6 +918,7 @@ int nvgpu_pmu_rpc_execute(struct nvgpu_pmu *pmu, struct nv_pmu_rpc_header *rpc,
 		rpc_payload->rpc_buff = caller_cb_param;
 		rpc_payload->is_mem_free_set = true;
 		callback = caller_cb;
+		WARN_ON(is_copy_back);
 	}
 
 	rpc_buff = rpc_payload->rpc_buff;
@@ -945,12 +950,9 @@ int nvgpu_pmu_rpc_execute(struct nvgpu_pmu *pmu, struct nv_pmu_rpc_header *rpc,
 	 * to read data back in nvgpu
 	 */
 	if (is_copy_back) {
-		/* clear buff */
-		memset(rpc_buff, 0xFF, size_rpc);
 		/* wait till RPC execute in PMU & ACK */
 		pmu_wait_message_cond(pmu, gk20a_get_gr_idle_timeout(g),
-			&((struct nv_pmu_rpc_header *)rpc_buff)->function,
-			rpc->function);
+			&rpc_payload->complete, true);
 		/* copy back data to caller */
 		memcpy(rpc, rpc_buff, size_rpc);
 		/* free allocated memory */
-- 
cgit v1.2.2