On Tue, Apr 23, 2024 at 08:47:23AM +0100, Matthew Auld wrote: > We flush the rebind worker during the vm close phase, however in places > like preempt_fence_work_func() we seem to queue the rebind worker > without first checking if the vm has already been closed. The concern > here is the vm being closed with the worker flushed, but then being > rearmed later, which looks like potential uaf, since there is no actual > refcounting to track the queued worker. We can't take the vm->lock here > in preempt_rebind_work_func() to first check if the vm is closed since > that will deadlock, so instead flush the worker again when the vm > refcount reaches zero. > > v2: > - Grabbing vm->lock in the preempt worker creates a deadlock, so > checking the closed state is tricky. Instead flush the worker when > the refcount reaches zero. It should be impossible to queue the > preempt worker without already holding vm ref. > Comment in the previous patch applies here as well, with that: Reviewed-by: Matthew Brost <matthew.brost@xxxxxxxxx> > Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") > Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1676 > Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1591 > Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1304 > Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1249 > Signed-off-by: Matthew Auld <matthew.auld@xxxxxxxxx> > Cc: Matthew Brost <matthew.brost@xxxxxxxxx> > Cc: <stable@xxxxxxxxxxxxxxx> # v6.8+ > --- > drivers/gpu/drm/xe/xe_vm.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c > index 2ba7c920a8af..71de9848bdc2 100644 > --- a/drivers/gpu/drm/xe/xe_vm.c > +++ b/drivers/gpu/drm/xe/xe_vm.c 
> @@ -1509,6 +1509,9 @@ static void vm_destroy_work_func(struct work_struct *w) > /* xe_vm_close_and_put was not called? */ > xe_assert(xe, !vm->size); > > + if (xe_vm_in_preempt_fence_mode(vm)) > + flush_work(&vm->preempt.rebind_work); > + > mutex_destroy(&vm->snap_mutex); > > if (!(vm->flags & XE_VM_FLAG_MIGRATION)) > -- > 2.44.0 >
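Review bot: the new flush_work() at the top of vm_destroy_work_func() should carry a short comment explaining why the rebind worker is flushed a second time here, since a reader of this function sees only this flush and not the earlier one in the close path, and the reasoning (the worker may be re-armed after xe_vm_close_and_put() already flushed it, and nothing can queue it once the vm refcount has hit zero) lives only in the commit message. Something like `/* The rebind worker may have been re-armed after the close-path flush; flush again now that no vm refs remain so it cannot run against freed memory */` directly above the `if (xe_vm_in_preempt_fence_mode(vm))` check would make the second flush self-explanatory. The placement before mutex_destroy(&vm->snap_mutex) and the rest of the teardown is correct, as the worker must be idle before any of the vm's fields are destroyed, and the xe_vm_in_preempt_fence_mode() guard matches the mode in which the worker is queued according to the description.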