drm/xe: Fix unreffed ptr leak on engine lookup

The engine xarray holds a ref to engine, guarded by the lock. While we do lookup for engine, we need to take the ref inside the lock to prevent unreffed pointer escaping and causing potential use-after-free after. v2: remove branch prediction hint (Thomas) Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com> Signed-off-by: Mika Kuoppala <mika.kuoppala@linux.intel.com> Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20230602172732.1001057-1-mika.kuoppala@linux.intel.comSigned-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>

drm/xe: Fix unreffed ptr leak on engine lookup
The engine xarray holds a ref to engine, guarded by the lock. While we do lookup for engine, we need to take the ref inside the lock to prevent unreffed pointer escaping and causing potential use-after-free after. v2: remove branch prediction hint (Thomas) Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com> Signed-off-by: Mika Kuoppala <mika.kuoppala@linux.intel.com> Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20230602172732.1001057-1-mika.kuoppala@linux.intel.comSigned-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
5db4afe1 · Mika Kuoppala · Rodrigo Vivi · 898f86c2 · 5db4afe1
Commit 5db4afe1 authored Jun 02, 2023 by Mika Kuoppala Committed by Rodrigo Vivi Dec 21, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 8 deletions

drivers/gpu/drm/xe/xe_engine.c drivers/gpu/drm/xe/xe_engine.c +8 -8

No files found.
--- a/drivers/gpu/drm/xe/xe_engine.c
+++ b/drivers/gpu/drm/xe/xe_engine.c
@@ -162,10 +162,9 @@ struct xe_engine *xe_engine_lookup(struct xe_file *xef, u32 id)

 	mutex_lock(&xef->engine.lock);
 	e = xa_load(&xef->engine.xa, id);
-	mutex_unlock(&xef->engine.lock);
-
 	if (e)
 		xe_engine_get(e);
+	mutex_unlock(&xef->engine.lock);

 	return e;
 }
@@ -644,26 +643,27 @@ int xe_engine_get_property_ioctl(struct drm_device *dev, void *data,
 	struct xe_file *xef = to_xe_file(file);
 	struct drm_xe_engine_get_property *args = data;
 	struct xe_engine *e;
+	int ret;

 	if (XE_IOCTL_ERR(xe, args->reserved[0] || args->reserved[1]))
 		return -EINVAL;

-	mutex_lock(&xef->engine.lock);
-	e = xa_load(&xef->engine.xa, args->engine_id);
-	mutex_unlock(&xef->engine.lock);
-
+	e = xe_engine_lookup(xef, args->engine_id);
 	if (XE_IOCTL_ERR(xe, !e))
 		return -ENOENT;

 	switch (args->property) {
 	case XE_ENGINE_GET_PROPERTY_BAN:
 		args->value = !!(e->flags & ENGINE_FLAG_BANNED);
+		ret = 0;
 		break;
 	default:
-		return -EINVAL;
+		ret = -EINVAL;
 	}

-	return 0;
+	xe_engine_put(e);
+
+	return ret;
 }

 static void engine_kill_compute(struct xe_engine *e)