From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <intel-xe-bounces@lists.freedesktop.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id 8FFFFC28B28
	for <intel-xe@archiver.kernel.org>; Wed, 12 Mar 2025 22:09:42 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 373AD10E7D2;
	Wed, 12 Mar 2025 22:09:42 +0000 (UTC)
Authentication-Results: gabe.freedesktop.org;
	dkim=pass (2048-bit key; unprotected) header.d=intel.com header.i=@intel.com header.b="aBq4m7mq";
	dkim-atps=neutral
Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.17])
 by gabe.freedesktop.org (Postfix) with ESMTPS id 06C9F10E7C9
 for <intel-xe@lists.freedesktop.org>; Wed, 12 Mar 2025 22:09:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
 d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
 t=1741817381; x=1773353381;
 h=date:message-id:from:to:cc:subject:in-reply-to:
 references:mime-version;
 bh=biXDvgSygJTCXza0xSjOMwROy7sJGCvXIFtEqwi2KnY=;
 b=aBq4m7mqyeM+tnedA5OmuWxY3wNeoGJEIZMLfGt0vklJE416M3Ek1mfP
 P+6lZLXCnUVoq1AI68RjSamf5oryyVPJPidBD0ZVeJrmpPWAgSFgDDnzS
 w34+7MgQNCuZ3fxKIF0ZdM1ft8puwT7thYJhYYx/PSx7AEMsyYLZ0md2l
 2I8a8OEJ0lsooOTMu9mTw67TI0HrjNeRS+swYMGq8X+waP04NcskosM+d
 cwvd23AzHVJhn/ZG5f1pTBYoP6rahvhacjUJQ1nWTPDRWQb/0zNwmWEWJ
 UsdFgdAZUNf/XGAD6vex7kBIMdfQnjXiJBtW39GbAYZULRNMH/qe0wNdK w==;
X-CSE-ConnectionGUID: xFzq8DWWRSWNp7uGUIdLTQ==
X-CSE-MsgGUID: tKGEw72dSK2XBAZ5vPuytA==
X-IronPort-AV: E=McAfee;i="6700,10204,11371"; a="42949667"
X-IronPort-AV: E=Sophos;i="6.14,242,1736841600"; d="scan'208";a="42949667"
Received: from orviesa009.jf.intel.com ([10.64.159.149])
 by orvoesa109.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 12 Mar 2025 15:09:41 -0700
X-CSE-ConnectionGUID: 2BbP7S1fTUeLgkS1btAXHg==
X-CSE-MsgGUID: UlVrYX0tTp2uO01qJRUITA==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.14,242,1736841600"; d="scan'208";a="120473366"
Received: from glanza-mobl3.amr.corp.intel.com (HELO adixit-MOBL3.intel.com)
 ([10.125.84.69])
 by orviesa009-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 12 Mar 2025 15:09:40 -0700
Date: Wed, 12 Mar 2025 15:09:40 -0700
Message-ID: <87v7sd3nq3.wl-ashutosh.dixit@intel.com>
From: "Dixit, Ashutosh" <ashutosh.dixit@intel.com>
To: Harish Chegondi <harish.chegondi@intel.com>
Cc: <intel-xe@lists.freedesktop.org>
Subject: Re: [PATCH 1/1] drm/xe/eustall: Fix a possible pointer dereference
 after free
In-Reply-To: <eae49a414a7314921108e0388810aaee6261ad92.1741800396.git.harish.chegondi@intel.com>
References: <eae49a414a7314921108e0388810aaee6261ad92.1741800396.git.harish.chegondi@intel.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue)
 FLIM-LB/1.14.9 (=?ISO-8859-4?Q?Goj=F2?=) APEL-LB/10.8 EasyPG/1.0.0
 Emacs/29.4 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
X-BeenThere: intel-xe@lists.freedesktop.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Intel Xe graphics driver <intel-xe.lists.freedesktop.org>
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/intel-xe>,
 <mailto:intel-xe-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/intel-xe>
List-Post: <mailto:intel-xe@lists.freedesktop.org>
List-Help: <mailto:intel-xe-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/intel-xe>,
 <mailto:intel-xe-request@lists.freedesktop.org?subject=subscribe>
Errors-To: intel-xe-bounces@lists.freedesktop.org
Sender: "Intel-xe" <intel-xe-bounces@lists.freedesktop.org>

On Wed, 12 Mar 2025 10:31:20 -0700, Harish Chegondi wrote:
>
> If devm_add_action_or_reset() isn't successful, xe_eu_stall_fini()
> is invoked. So, unsuccessful return from devm_add_action_or_reset()
> shouldn't dereference gt->eu_stall as xe_eu_stall_fini() already
> frees it. Fix this issue.

Needs a Fixes tag. No need to resend the patch, I will add the tag when
merging this. With that this is:

Reviewed-by: Ashutosh Dixit <ashutosh.dixit@intel.com>

>
> Signed-off-by: Harish Chegondi <harish.chegondi@intel.com>
> ---
>  drivers/gpu/drm/xe/xe_eu_stall.c | 8 +-------
>  1 file changed, 1 insertion(+), 7 deletions(-)
>
> diff --git a/drivers/gpu/drm/xe/xe_eu_stall.c b/drivers/gpu/drm/xe/xe_eu_stall.c
> index 88a92baf5c95..f2bb9168967c 100644
> --- a/drivers/gpu/drm/xe/xe_eu_stall.c
> +++ b/drivers/gpu/drm/xe/xe_eu_stall.c
> @@ -222,13 +222,7 @@ int xe_eu_stall_init(struct xe_gt *gt)
>		goto exit_free;
>	}
>
> -	ret = devm_add_action_or_reset(xe->drm.dev, xe_eu_stall_fini, gt);
> -	if (ret)
> -		goto exit_destroy;
> -
> -	return 0;
> -exit_destroy:
> -	destroy_workqueue(gt->eu_stall->buf_ptr_poll_wq);
> +	return devm_add_action_or_reset(xe->drm.dev, xe_eu_stall_fini, gt);
>  exit_free:
>	mutex_destroy(&gt->eu_stall->stream_lock);
>	kfree(gt->eu_stall);
> --
> 2.48.1
>