mirror of
git://nv-tegra.nvidia.com/linux-nvgpu.git
synced 2025-12-24 02:22:34 +03:00
6500ce7581
CTS test dEQP-VK.api.object_management.max_concurrent.device_group crashes with invalid userspace memory access. Currently, nvgpu_submit_prepare_syncs() races with gk20a_channel_clean_up_jobs() and this race condition is exposed when aggressive_sync_destroy_thresh is set to non-zero value. nvgpu_submit_prepare_syncs() gets ref for c->sync to submit job and releases channel sync_lock immediately. Meanwhile, gk20a_channel_worker_process() triggers gk20a_channel_clean_up_jobs(), which destroys ref'd c->sync pointer. Channel sync is deleted by gk20a_channel_clean_up_jobs() only if aggressive_sync_destroy_thresh is non-zero. So, gk20a_channel_clean_up_jobs() and nvgpu_submit_prepare_syncs() will race only in this scenario. Hence, if aggressive_sync_destroy_thresh value is non-zero, this patch protects channel's sync pointer by holding channel sync_lock during complete execution of nvgpu_submit_prepare_syncs(). Bug 2613870 Change-Id: I6f3d48aff361d1cb38c30d2ce5de276d0c55fb6f Signed-off-by: Vedashree Vidwans <vvidwans@nvidia.com> Reviewed-on: https://git-master.nvidia.com/r/2180550 Reviewed-by: Seema Khowala <seemaj@nvidia.com> GVS: Gerrit_Virtual_Submit Reviewed-by: Seshendra Gadagottu <sgadagottu@nvidia.com> Reviewed-by: Vinod Gopalakrishnakurup <vinodg@nvidia.com> Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com> Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
16 KiB
16 KiB