From 7410784b0bb19656e9195ab3f8a7f552954a80e6 Mon Sep 17 00:00:00 2001
From: Sagar Kamble <skamble@nvidia.com>
Date: Wed, 1 Sep 2021 11:45:28 +0530
Subject: [PATCH] gpu: nvgpu: fix clk_arb completion file private data access
 race

clk_arb completion file descriptor can get closed immediately after
poll finishes in the work item gp10b_clk_arb_run_arbiter_cb. In
that case, the refcount for nvgpu_clk_dev can become zero in
the work item and can lead to invalid access while removing
nvgpu_clk_dev from the lists.

Remove nvgpu_clk_dev from the list before dropping the reference to
it.

Also, delete the nvgpu_clk_dev in completion file release handler
within the session and requests spinlocks to avoid race with
gp10b_clk_arb_run_arbiter_cb using it.

bug 200757277

Change-Id: I054eee547f2a6fa633d7ef55df216ec36647a826
Signed-off-by: Sagar Kamble <skamble@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nvgpu/+/2569522
(cherry picked from commit ce8548ec056022c4feccacc9eb09a4e8619bdefa)
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nvgpu/+/2587070
Reviewed-by: svc-mobile-coverity <svc-mobile-coverity@nvidia.com>
Reviewed-by: svc-mobile-misra <svc-mobile-misra@nvidia.com>
Reviewed-by: svc-mobile-cert <svc-mobile-cert@nvidia.com>
Reviewed-by: svc_kernel_abi <svc_kernel_abi@nvidia.com>
Reviewed-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
GVS: Gerrit_Virtual_Submit
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
---
 drivers/gpu/nvgpu/common/clk_arb/clk_arb.c       |  4 ++--
 drivers/gpu/nvgpu/common/clk_arb/clk_arb_gp10b.c |  4 ++--
 drivers/gpu/nvgpu/common/clk_arb/clk_arb_gv100.c |  4 ++--
 drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c       | 11 ++++++++++-
 4 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/drivers/gpu/nvgpu/common/clk_arb/clk_arb.c b/drivers/gpu/nvgpu/common/clk_arb/clk_arb.c
index ed7d4c081..2effe0795 100644
--- a/drivers/gpu/nvgpu/common/clk_arb/clk_arb.c
+++ b/drivers/gpu/nvgpu/common/clk_arb/clk_arb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2020, NVIDIA CORPORATION.  All rights reserved.
+ * Copyright (c) 2016-2021, NVIDIA CORPORATION.  All rights reserved.
  *
  * Permission is hereby granted, free of charge, to any person obtaining a
  * copy of this software and associated documentation files (the "Software"),
@@ -597,8 +597,8 @@ void nvgpu_clk_arb_free_session(struct nvgpu_ref *refcount)
 	nvgpu_spinlock_acquire(&session->session_lock);
 	nvgpu_list_for_each_entry_safe(dev, tmp, &session->targets,
 			nvgpu_clk_dev, node) {
-		nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
 		nvgpu_list_del(&dev->node);
+		nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
 	}
 	nvgpu_spinlock_release(&session->session_lock);
 
diff --git a/drivers/gpu/nvgpu/common/clk_arb/clk_arb_gp10b.c b/drivers/gpu/nvgpu/common/clk_arb/clk_arb_gp10b.c
index 44b9cf582..fe844a251 100644
--- a/drivers/gpu/nvgpu/common/clk_arb/clk_arb_gp10b.c
+++ b/drivers/gpu/nvgpu/common/clk_arb/clk_arb_gp10b.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018-2020, NVIDIA CORPORATION.  All rights reserved.
+ * Copyright (c) 2018-2021, NVIDIA CORPORATION.  All rights reserved.
  *
  * Permission is hereby granted, free of charge, to any person obtaining a
  * copy of this software and associated documentation files (the "Software"),
@@ -378,8 +378,8 @@ exit_arb:
 		nvgpu_atomic_set(&dev->poll_mask,
 			(int)tmp_poll_mask);
 		nvgpu_clk_arb_event_post_event(dev);
-		nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
 		nvgpu_list_del(&dev->node);
+		nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
 	}
 	nvgpu_spinlock_release(&arb->requests_lock);
 
diff --git a/drivers/gpu/nvgpu/common/clk_arb/clk_arb_gv100.c b/drivers/gpu/nvgpu/common/clk_arb/clk_arb_gv100.c
index 6ef8e6973..d030d3ae4 100644
--- a/drivers/gpu/nvgpu/common/clk_arb/clk_arb_gv100.c
+++ b/drivers/gpu/nvgpu/common/clk_arb/clk_arb_gv100.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2020, NVIDIA CORPORATION.  All rights reserved.
+ * Copyright (c) 2016-2021, NVIDIA CORPORATION.  All rights reserved.
  *
  * Permission is hereby granted, free of charge, to any person obtaining a
  * copy of this software and associated documentation files (the "Software"),
@@ -514,8 +514,8 @@ exit_arb:
 
 		nvgpu_atomic_set(&dev->poll_mask, (int)tmp_mask);
 		nvgpu_clk_arb_event_post_event(dev);
-		nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
 		nvgpu_list_del(&dev->node);
+		nvgpu_ref_put(&dev->refcount, nvgpu_clk_arb_free_fd);
 	}
 	nvgpu_spinlock_release(&arb->requests_lock);
 
diff --git a/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c b/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c
index 56a522e4c..c6b7a7029 100644
--- a/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c
+++ b/drivers/gpu/nvgpu/os/linux/ioctl_clk_arb.c
@@ -51,9 +51,18 @@ static int nvgpu_clk_arb_release_completion_dev(struct inode *inode,
 {
 	struct nvgpu_clk_dev *dev = filp->private_data;
 	struct nvgpu_clk_session *session = dev->session;
+	struct gk20a *g = session->g;
+	struct nvgpu_clk_arb *arb = g->clk_arb;
 
+	clk_arb_dbg(g, " ");
 
-	clk_arb_dbg(session->g, " ");
+	nvgpu_spinlock_acquire(&session->session_lock);
+	nvgpu_spinlock_acquire(&arb->requests_lock);
+
+	nvgpu_list_del(&dev->node);
+
+	nvgpu_spinlock_release(&arb->requests_lock);
+	nvgpu_spinlock_release(&session->session_lock);
 
 	/* This is done to account for the extra refcount taken in
 	 * nvgpu_clk_arb_commit_request_fd without events support in iGPU