On 04/08/2022 00:03, Stuart Summers wrote:
There can be a race in the PMU process teardown vs the time when the driver is unbound in which the user attempts to stop the PMU process, but the actual data structure in the kernel is no longer available. Avoid this use-after-free by skipping the PMU disable in i915_pmu_event_stop() when the PMU has already been closed/unregistered by the driver. Fixes: b00bccb3f0bb ("drm/i915/pmu: Handle PCI unbind") Suggested-by: Tvrtko Ursulin <tvrtko.ursulin@xxxxxxxxxxxxxxx> Signed-off-by: Stuart Summers <stuart.summers@xxxxxxxxx> --- drivers/gpu/drm/i915/i915_pmu.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/gpu/drm/i915/i915_pmu.c b/drivers/gpu/drm/i915/i915_pmu.c index 958b37123bf12..0d02f338118e4 100644 --- a/drivers/gpu/drm/i915/i915_pmu.c +++ b/drivers/gpu/drm/i915/i915_pmu.c @@ -760,9 +760,17 @@ static void i915_pmu_event_start(struct perf_event *event, int flags)static void i915_pmu_event_stop(struct perf_event *event, int flags){ + struct drm_i915_private *i915 = + container_of(event->pmu, typeof(*i915), pmu.base); + struct i915_pmu *pmu = &i915->pmu; + + if (pmu->closed) + goto out; + if (flags & PERF_EF_UPDATE) i915_pmu_event_read(event); i915_pmu_disable(event); +out: event->hw.state = PERF_HES_STOPPED; }
LGTM, although I am not sure who feels comfortable to r-b since we all kind of suggested the same fix. :)
FWIW: Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@xxxxxxxxx> Regards, Tvrtko
