Commit 1a394b4f authored by Matthew Brost's avatar Matthew Brost

drm/xe: Fix possible UAF in guc_exec_queue_process_msg

Store xe_device ahead of processing message as message can be free'd in
some cases.

v2:
 - Including missing local changes
v3:
 - Resend for CI
Reported-by: default avatarkernel test robot <lkp@intel.com>
Reported-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202407231445.rpisd1vA-lkp@intel.com/
Fixes: d930c19f ("drm/xe: Build PM into GuC CT layer")
Signed-off-by: default avatarMatthew Brost <matthew.brost@intel.com>
Reviewed-by: default avatarHimal Prasad Ghimiray <himal.prasad.ghimiray@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240724164341.1848954-1-matthew.brost@intel.com
parent b4611957
...@@ -1389,6 +1389,8 @@ static void __guc_exec_queue_process_msg_resume(struct xe_sched_msg *msg) ...@@ -1389,6 +1389,8 @@ static void __guc_exec_queue_process_msg_resume(struct xe_sched_msg *msg)
static void guc_exec_queue_process_msg(struct xe_sched_msg *msg) static void guc_exec_queue_process_msg(struct xe_sched_msg *msg)
{ {
struct xe_device *xe = guc_to_xe(exec_queue_to_guc(msg->private_data));
trace_xe_sched_msg_recv(msg); trace_xe_sched_msg_recv(msg);
switch (msg->opcode) { switch (msg->opcode) {
...@@ -1408,7 +1410,7 @@ static void guc_exec_queue_process_msg(struct xe_sched_msg *msg) ...@@ -1408,7 +1410,7 @@ static void guc_exec_queue_process_msg(struct xe_sched_msg *msg)
XE_WARN_ON("Unknown message type"); XE_WARN_ON("Unknown message type");
} }
xe_pm_runtime_put(guc_to_xe(exec_queue_to_guc(msg->private_data))); xe_pm_runtime_put(xe);
} }
static const struct drm_sched_backend_ops drm_sched_ops = { static const struct drm_sched_backend_ops drm_sched_ops = {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment