From patchwork Tue Jul 24 14:19:36 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Chris Wilson <chris@chris-wilson.co.uk>
X-Patchwork-Id: 10542231
Return-Path: <intel-gfx-bounces@lists.freedesktop.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9E091112B
	for <patchwork-intel-gfx@patchwork.kernel.org>;
 Tue, 24 Jul 2018 14:19:51 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8E30428B4C
	for <patchwork-intel-gfx@patchwork.kernel.org>;
 Tue, 24 Jul 2018 14:19:51 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 8CBAF28B91; Tue, 24 Jul 2018 14:19:51 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 2336E28B4C
	for <patchwork-intel-gfx@patchwork.kernel.org>;
 Tue, 24 Jul 2018 14:19:51 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 646986E2E5;
	Tue, 24 Jul 2018 14:19:50 +0000 (UTC)
X-Original-To: intel-gfx@lists.freedesktop.org
Delivered-To: intel-gfx@lists.freedesktop.org
Received: from fireflyinternet.com (mail.fireflyinternet.com [109.228.58.192])
 by gabe.freedesktop.org (Postfix) with ESMTPS id ABBF06E2E5
 for <intel-gfx@lists.freedesktop.org>; Tue, 24 Jul 2018 14:19:48 +0000 (UTC)
X-Default-Received-SPF: pass (skip=forwardok (res=PASS))
 x-ip-name=78.156.65.138;
Received: from haswell.alporthouse.com (unverified [78.156.65.138])
 by fireflyinternet.com (Firefly Internet (M1)) with ESMTP id 12448320-1500050
 for multiple; Tue, 24 Jul 2018 15:19:38 +0100
From: Chris Wilson <chris@chris-wilson.co.uk>
To: intel-gfx@lists.freedesktop.org
Date: Tue, 24 Jul 2018 15:19:36 +0100
Message-Id: <20180724141936.18916-1-chris@chris-wilson.co.uk>
X-Mailer: git-send-email 2.18.0
In-Reply-To: <20180724134046.6436-1-chris@chris-wilson.co.uk>
References: <20180724134046.6436-1-chris@chris-wilson.co.uk>
MIME-Version: 1.0
Subject: [Intel-gfx] [PATCH v2] drm/i915: Protect guc_fini_wq() against
 module load abort
X-BeenThere: intel-gfx@lists.freedesktop.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Intel graphics driver community testing & development
 <intel-gfx.lists.freedesktop.org>
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/intel-gfx>,
 <mailto:intel-gfx-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/intel-gfx>
List-Post: <mailto:intel-gfx@lists.freedesktop.org>
List-Help: <mailto:intel-gfx-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/intel-gfx>,
 <mailto:intel-gfx-request@lists.freedesktop.org?subject=subscribe>
Errors-To: intel-gfx-bounces@lists.freedesktop.org
Sender: "Intel-gfx" <intel-gfx-bounces@lists.freedesktop.org>
X-Virus-Scanned: ClamAV using ClamSMTP

Prevent
[  397.873143] general protection fault: 0000 [#1] PREEMPT SMP PTI
[  397.873154] CPU: 4 PID: 4799 Comm: drv_module_relo Tainted: G     U            4.18.0-rc6-CI-CI_DRM_4534+ #1
[  397.873162] Hardware name: Micro-Star International Co., Ltd. MS-7B54/Z370M MORTAR (MS-7B54), BIOS 1.10 12/28/2017
[  397.873175] RIP: 0010:__lock_acquire+0xf6/0x1b50
[  397.873179] Code: 85 c0 4c 8b 9d 40 ff ff ff 8b 8d 38 ff ff ff 44 8b 8d 30 ff ff ff 4c 8b 85 28 ff ff ff 44 8b 95 24 ff ff ff 0f 84 54 03 00 00 <f0> ff 80 38 01 00 00 8b 15 45 8c 59 02 45 8b bc 24 70 08 00 00 85
[  397.873240] RSP: 0018:ffffc90000497b40 EFLAGS: 00010002
[  397.873246] RAX: 6b6b6b6b6b6b6b6b RBX: 0000000000000001 RCX: 0000000000000000
[  397.873252] RDX: 0000000000000046 RSI: 0000000000000000 RDI: 0000000000000000
[  397.873258] RBP: ffffc90000497c20 R08: ffffffff810a25e9 R09: 0000000000000000
[  397.873264] R10: 0000000000000000 R11: ffff880255c63c28 R12: ffff8801093b2840
[  397.873270] R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000246
[  397.873277] FS:  00007faf88d71980(0000) GS:ffff880266300000(0000) knlGS:0000000000000000
[  397.873284] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  397.873289] CR2: 000055d866c9ca10 CR3: 000000025472e006 CR4: 00000000003606e0
[  397.873295] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  397.873301] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  397.873308] Call Trace:
[  397.873318]  ? lock_acquire+0xa6/0x210
[  397.873323]  lock_acquire+0xa6/0x210
[  397.873331]  ? drain_workqueue+0x19/0x180
[  397.873339]  __mutex_lock+0x89/0x980
[  397.873346]  ? drain_workqueue+0x19/0x180
[  397.873352]  ? _raw_spin_unlock_irqrestore+0x4c/0x60
[  397.873359]  ? trace_hardirqs_on_caller+0xe0/0x1b0
[  397.873365]  ? drain_workqueue+0x19/0x180
[  397.873373]  ? debug_object_active_state+0x127/0x150
[  397.873381]  ? drain_workqueue+0x19/0x180
[  397.873387]  drain_workqueue+0x19/0x180
[  397.873395]  destroy_workqueue+0x12/0x1f0
[  397.873476]  intel_guc_fini_misc+0x36/0x90 [i915]
[  397.873540]  i915_gem_fini+0x91/0x100 [i915]
[  397.873588]  i915_driver_unload+0xd2/0x110 [i915]
[  397.873638]  i915_pci_remove+0x19/0x30 [i915]
[  397.873646]  pci_device_remove+0x36/0xb0
[  397.873653]  device_release_driver_internal+0x185/0x250
[  397.873660]  driver_detach+0x35/0x70
[  397.873668]  bus_remove_driver+0x53/0xd0
[  397.873675]  pci_unregister_driver+0x25/0xa0
[  397.873683]  __se_sys_delete_module+0x162/0x210
[  397.873691]  ? do_syscall_64+0xd/0x190
[  397.873697]  do_syscall_64+0x55/0x190
[  397.873704]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  397.873710] RIP: 0033:0x7faf884231b7
[  397.873714] Code: 73 01 c3 48 8b 0d d1 8c 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 8c 2c 00 f7 d8 64 89 01 48
[  397.873775] RSP: 002b:00007ffda4e98cf8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[  397.873784] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faf884231b7
[  397.873790] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055fbb18f1bd8
[  397.873796] RBP: 000055fbb18f1b70 R08: 000055fbb18f1bdc R09: 00007ffda4e98d38
[  397.873802] R10: 00007ffda4e97cf4 R11: 0000000000000206 R12: 000055fbb0d32470
[  397.873808] R13: 00007ffda4e992e0 R14: 0000000000000000 R15: 0000000000000000

v2: It's use-after-free; not a NULL pointer.

Testcase: igt/drv_module_reload/basic-reload-inject
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Michał Winiarski <michal.winiarski@intel.com>
Cc: Michal Wajdeczko <michal.wajdeczko@intel.com>
---
 drivers/gpu/drm/i915/intel_guc.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/i915/intel_guc.c b/drivers/gpu/drm/i915/intel_guc.c
index 846d693ecb53..3082d7670f05 100644
--- a/drivers/gpu/drm/i915/intel_guc.c
+++ b/drivers/gpu/drm/i915/intel_guc.c
@@ -128,13 +128,15 @@ static int guc_init_wq(struct intel_guc *guc)
 
 static void guc_fini_wq(struct intel_guc *guc)
 {
-	struct drm_i915_private *dev_priv = guc_to_i915(guc);
+	struct workqueue_struct *wq;
 
-	if (HAS_LOGICAL_RING_PREEMPTION(dev_priv) &&
-	    USES_GUC_SUBMISSION(dev_priv))
-		destroy_workqueue(guc->preempt_wq);
+	wq = fetch_and_zero(&guc->preempt_wq);
+	if (wq)
+		destroy_workqueue(wq);
 
-	destroy_workqueue(guc->log.relay.flush_wq);
+	wq = fetch_and_zero(&guc->log.relay.flush_wq);
+	if (wq)
+		destroy_workqueue(wq);
 }
 
 int intel_guc_init_misc(struct intel_guc *guc)