drm/xe: Drop HW fence pointer to HW fence ctx

The HW fence ctx objects are not ref counted rather tied to the life of
an LRC object. HW fences reference the HW fence ctx, HW fences can
outlive LRCs thus resulting in UAF. Drop the  HW fence pointer to HW
fence ctx rather just store what is needed directly in HW fence.

v2:
 - Fix typo in commit (Ashutosh)
 - Use snprintf (Ashutosh)

Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Reviewed-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240815193522.16008-1-matthew.brost@intel.com
(cherry picked from commit 60db6f540af9f93144d5039140aa2ed17171d168)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>

diff --git a/drivers/gpu/drm/xe/xe_hw_fence.c b/drivers/gpu/drm/xe/xe_hw_fence.c
index 45a9789cf50191bdbccbf47b4e9bd5de3f23c92f..0b4f12be3692ab206d623c3403d8c9c69fe4f2c2 100644 (file)
--- a/drivers/gpu/drm/xe/xe_hw_fence.c
+++ b/drivers/gpu/drm/xe/xe_hw_fence.c
@@ -148,20 +148,20 @@ static const char *xe_hw_fence_get_driver_name(struct dma_fence *dma_fence)
 {
        struct xe_hw_fence *fence = to_xe_hw_fence(dma_fence);
 
-       return dev_name(gt_to_xe(fence->ctx->gt)->drm.dev);
+       return dev_name(fence->xe->drm.dev);
 }
 
 static const char *xe_hw_fence_get_timeline_name(struct dma_fence *dma_fence)
 {
        struct xe_hw_fence *fence = to_xe_hw_fence(dma_fence);
 
-       return fence->ctx->name;
+       return fence->name;
 }
 
 static bool xe_hw_fence_signaled(struct dma_fence *dma_fence)
 {
        struct xe_hw_fence *fence = to_xe_hw_fence(dma_fence);
-       struct xe_device *xe = gt_to_xe(fence->ctx->gt);
+       struct xe_device *xe = fence->xe;
        u32 seqno = xe_map_rd(xe, &fence->seqno_map, 0, u32);
 
        return dma_fence->error ||
@@ -253,7 +253,8 @@ void xe_hw_fence_init(struct dma_fence *fence, struct xe_hw_fence_ctx *ctx,
        struct  xe_hw_fence *hw_fence =
                container_of(fence, typeof(*hw_fence), dma);
 
-       hw_fence->ctx = ctx;
+       hw_fence->xe = gt_to_xe(ctx->gt);
+       snprintf(hw_fence->name, sizeof(hw_fence->name), "%s", ctx->name);
        hw_fence->seqno_map = seqno_map;
        INIT_LIST_HEAD(&hw_fence->irq_link);
 

diff --git a/drivers/gpu/drm/xe/xe_hw_fence_types.h b/drivers/gpu/drm/xe/xe_hw_fence_types.h
index b33c4956e8ea0eba0a9f4438ba72577e7e3b69d1..364a61f4bfda98cf6a1111e18f233caad5aeb172 100644 (file)
--- a/drivers/gpu/drm/xe/xe_hw_fence_types.h
+++ b/drivers/gpu/drm/xe/xe_hw_fence_types.h
@@ -12,6 +12,7 @@
 #include <linux/list.h>
 #include <linux/spinlock.h>
 
+struct xe_device;
 struct xe_gt;
 
 /**
@@ -61,8 +62,10 @@ struct xe_hw_fence_ctx {
 struct xe_hw_fence {
        /** @dma: base dma fence for hardware fence context */
        struct dma_fence dma;
-       /** @ctx: hardware fence context */
-       struct xe_hw_fence_ctx *ctx;
+       /** @xe: Xe device for hw fence driver name */
+       struct xe_device *xe;
+       /** @name: name of hardware fence context */
+       char name[MAX_FENCE_NAME_LEN];
        /** @seqno_map: I/O map for seqno */
        struct iosys_map seqno_map;
        /** @irq_link: Link in struct xe_hw_fence_irq.pending */

diff --git a/drivers/gpu/drm/xe/xe_trace.h b/drivers/gpu/drm/xe/xe_trace.h
index baba14fb1e32e6b511dff637e7330c5221b9bdf7..01837f6f609f52f98663a2cf1bc4b968a1bd42ab 100644 (file)
--- a/drivers/gpu/drm/xe/xe_trace.h
+++ b/drivers/gpu/drm/xe/xe_trace.h
@@ -309,7 +309,7 @@ DECLARE_EVENT_CLASS(xe_hw_fence,
                    TP_ARGS(fence),
 
                    TP_STRUCT__entry(
-                            __string(dev, __dev_name_gt(fence->ctx->gt))
+                            __string(dev, __dev_name_xe(fence->xe))
                             __field(u64, ctx)
                             __field(u32, seqno)
                             __field(struct xe_hw_fence *, fence)