[PATCH AUTOSEL 6.17] drm/xe: Set GT as wedged before sending wedged uevent

[Sasha Levin <sashal@kernel.org>]

From: Riana Tauro <riana.tauro@intel.com>

[ Upstream commit 90fdcf5f89e9288c153923f16a60e6f7da18ba76 ]

Userspace should be notified after setting the device as wedged.
Re-order function calls to set gt wedged before sending uevent.

Cc: Matthew Brost <matthew.brost@intel.com>
Suggested-by: Raag Jadav <raag.jadav@intel.com>
Signed-off-by: Riana Tauro <riana.tauro@intel.com>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Link: https://lore.kernel.org/r/20250826063419.3022216-4-riana.tauro@intel.com
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

## Backport Recommendation: YES (with dependency)

**Answer: YES** - This commit should be backported to stable kernel
trees, but ONLY together with its prerequisite commit 60439ac3f2354
("drm/xe: Add a helper function to set recovery method").

---

## Comprehensive Analysis

### Race Condition Being Fixed

This commit addresses a critical **Time-of-Check-to-Time-of-Use (TOCTOU)
race condition** in the device wedging error path.

**The Problem (OLD CODE):**
```c
if (!atomic_xchg(&xe->wedged.flag, 1)) {
    // Set device as wedged
    xe->needs_flr_on_fini = true;
    drm_err(&xe->drm, ...);

    // BUG: Send uevent to userspace HERE
    drm_dev_wedged_event(&xe->drm, ...);
}

// Wedge GTs AFTER userspace notification
for_each_gt(gt, xe, id)
    xe_gt_declare_wedged(gt);
```

**The Race:**
1. Thread sets `xe->wedged.flag = 1`
2. Thread sends uevent to userspace notifying of wedged state
3. **Userspace receives notification and may check device state**
4. **BUT: GTs are NOT yet wedged!**
5. Thread finally calls `xe_gt_declare_wedged()` which:
   - Stops submission via `xe_guc_submit_wedge()`
   - Stops command transport via `xe_guc_ct_stop()`
   - Resets TLB invalidation via `xe_tlb_inval_reset()`

**The Impact:**
Userspace receiving the wedged uevent might:
- Query device state and see inconsistent information
- Initiate recovery procedures on a partially-wedged device
- Experience race conditions in error handling logic
- See submissions still active when device should be fully wedged

### The Fix (NEW CODE)

The commit reorders operations to ensure atomicity from userspace's
perspective:

```c
if (!atomic_xchg(&xe->wedged.flag, 1)) {
    xe->needs_flr_on_fini = true;
    drm_err(&xe->drm, ...);
}  // ← Close the atomic block

// Wedge ALL GTs FIRST (always executed)
for_each_gt(gt, xe, id)
    xe_gt_declare_wedged(gt);

// Then notify userspace (always executed if flag is set)
if (xe_device_wedged(xe)) {
    if (!xe->wedged.method)
        xe_device_set_wedged_method(xe, ...);
    drm_dev_wedged_event(&xe->drm, xe->wedged.method, NULL);
}
```

This ensures that:
1. Device wedged flag is set
2. **ALL GTs are fully wedged (submissions stopped, CT stopped, TLB
   reset)**
3. **ONLY THEN is userspace notified**

### Code Changes Analysis

**From xe_device.c:1260-1280:**

The key changes are:
1. **Moved closing brace** - The uevent call is moved OUT of the `if
   (!atomic_xchg(...))` block
2. **Reordered operations** - `for_each_gt()` loop moved BEFORE the
   uevent
3. **Added new guard** - `if (xe_device_wedged(xe))` wraps the uevent
   notification
4. **Uses new infrastructure** - References `xe->wedged.method` (from
   dependency commit)

### Behavioral Changes

**Minor behavioral change:** The uevent is now sent on every call after
the flag is set (not just the first call). However, this is likely
benign because:

1. Most callers check `xe_device_wedged()` before calling (see
   xe_gt.c:816, xe_guc_submit.c:1038)
2. These are error recovery paths that shouldn't execute repeatedly
3. Userspace should handle wedged events idempotently anyway

### Critical Dependency

**This commit has a HARD DEPENDENCY on commit 60439ac3f2354** ("drm/xe:
Add a helper function to set recovery method") which:

1. Adds `xe->wedged.method` field to `struct xe_device`
   (xe_device_types.h:544)
2. Adds `xe_device_set_wedged_method()` function (xe_device.c:1186)
3. Modifies `drm_dev_wedged_event()` call to use `xe->wedged.method`

**Without this dependency, the commit will NOT compile!**

The code in lines 1274-1276 references:
```c
if (!xe->wedged.method)
    xe_device_set_wedged_method(xe, DRM_WEDGE_RECOVERY_REBIND |
                                DRM_WEDGE_RECOVERY_BUS_RESET);
```

And line 1279 uses:
```c
drm_dev_wedged_event(&xe->drm, xe->wedged.method, NULL);
```

Both require the infrastructure from commit 60439ac3f2354.

### Backporting Criteria Evaluation

1. **Does it fix a bug that affects users?** ✓ YES
   - Fixes a race condition in critical error handling
   - Affects device recovery and error reporting
   - Can cause inconsistent state reporting to userspace

2. **Is the fix relatively small and contained?** ✓ YES
   - Just 8 lines added, 4 lines removed
   - Single function modified
   - Localized to xe_device_declare_wedged()

3. **Does it have clear side effects beyond fixing the issue?** ✓ NO
   - Only minor behavioral change (potential multiple uevents)
   - No new functionality added
   - No API changes

4. **Does it include major architectural changes?** ✓ NO
   - Simple code reordering
   - No new subsystems or abstractions

5. **Does it touch critical kernel subsystems?** ⚠ YES (but contained)
   - Touches DRM Xe driver (Intel GPU driver)
   - Critical for device error handling
   - But change is confined to xe driver only

6. **Is there explicit mention of stable tree backporting?** ✗ NO
   - No `Cc: stable@vger.kernel.org` tag
   - No `Fixes:` tag

7. **Does it follow stable tree rules?** ✓ YES
   - Important bugfix (race condition)
   - Minimal risk of regression
   - No new features
   - Confined to single driver

### Risk Assessment

**Risk Level: LOW**

**Reasons:**
- The reordering is logically sound and correct
- Code has been reviewed by maintainers (Reviewed-by: Matthew Brost)
- No reverts found in subsequent commits
- The potential multiple-uevent issue is mitigated by caller checks
- Change is contained to error handling paths

**Testing considerations:**
- Error paths are inherently difficult to test
- Requires triggering GT reset failures or GuC load failures
- May need fault injection testing

### Recommendation

**YES - Backport this commit, BUT as part of a series with its
dependency.**

**Required commits for backport (in order):**
1. **60439ac3f2354** - "drm/xe: Add a helper function to set recovery
   method"
2. **90fdcf5f89e92** - "drm/xe: Set GT as wedged before sending wedged
   uevent" (this commit)

**Rationale:**
- Fixes a real race condition that can cause inconsistent device state
- Small, contained, and low-risk change
- Important for proper error handling and recovery
- Has clear benefit for users with Intel Xe GPUs
- No known regressions or issues

**Target stable trees:**
- Any stable kernel that includes the DRM Xe driver
- Likely 6.8+ (when Xe driver was merged)

**Note:** The commits should be backported as a pair in the correct
order to maintain compilation and functionality.

 drivers/gpu/drm/xe/xe_device.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/xe/xe_device.c b/drivers/gpu/drm/xe/xe_device.c
index 1c9907b8a4e9e..d399c2628fa33 100644
--- a/drivers/gpu/drm/xe/xe_device.c
+++ b/drivers/gpu/drm/xe/xe_device.c
@@ -1157,8 +1157,10 @@ static void xe_device_wedged_fini(struct drm_device *drm, void *arg)
  * xe_device_declare_wedged - Declare device wedged
  * @xe: xe device instance
  *
- * This is a final state that can only be cleared with a module
+ * This is a final state that can only be cleared with the recovery method
+ * specified in the drm wedged uevent. The default recovery method is
  * re-probe (unbind + bind).
+ *
  * In this state every IOCTL will be blocked so the GT cannot be used.
  * In general it will be called upon any critical error such as gt reset
  * failure or guc loading failure. Userspace will be notified of this state
@@ -1192,13 +1194,15 @@ void xe_device_declare_wedged(struct xe_device *xe)
 			"IOCTLs and executions are blocked. Only a rebind may clear the failure\n"
 			"Please file a _new_ bug report at https://gitlab.freedesktop.org/drm/xe/kernel/issues/new\n",
 			dev_name(xe->drm.dev));
+	}
+
+	for_each_gt(gt, xe, id)
+		xe_gt_declare_wedged(gt);
 
+	if (xe_device_wedged(xe)) {
 		/* Notify userspace of wedged device */
 		drm_dev_wedged_event(&xe->drm,
 				     DRM_WEDGE_RECOVERY_REBIND | DRM_WEDGE_RECOVERY_BUS_RESET,
 				     NULL);
 	}
-
-	for_each_gt(gt, xe, id)
-		xe_gt_declare_wedged(gt);
 }
-- 
2.51.0