From: jsg <jsg@openbsd.org>
Date: Tue, 19 Sep 2023 12:30:02 +0000 (+0000)
Subject: drm/i915: mark requests for GuC virtual engines to avoid use-after-free
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=2e4f5bb9e0019cd6edb3716d3f0fa08ec49b83dc;p=openbsd

drm/i915: mark requests for GuC virtual engines to avoid use-after-free

From Andrzej Hajda
8017a27cec32eac8c8f9430b0a3055840136b856 in linux-6.1.y/6.1.54
5eefc5307c983b59344a4cb89009819f580c84fa in mainline linux
---

diff --git a/sys/dev/pci/drm/i915/gt/intel_engine_types.h b/sys/dev/pci/drm/i915/gt/intel_engine_types.h
index 0e1f9977d50..8b93cdcbd0c 100644
--- a/sys/dev/pci/drm/i915/gt/intel_engine_types.h
+++ b/sys/dev/pci/drm/i915/gt/intel_engine_types.h
@@ -56,6 +56,7 @@ struct intel_breadcrumbs;
 
 typedef u32 intel_engine_mask_t;
 #define ALL_ENGINES ((intel_engine_mask_t)~0ul)
+#define VIRTUAL_ENGINES BIT(BITS_PER_TYPE(intel_engine_mask_t) - 1)
 
 struct intel_hw_status_page {
 	struct list_head timelines;
diff --git a/sys/dev/pci/drm/i915/gt/uc/intel_guc_submission.c b/sys/dev/pci/drm/i915/gt/uc/intel_guc_submission.c
index 3a811a65340..5eab9d43ae3 100644
--- a/sys/dev/pci/drm/i915/gt/uc/intel_guc_submission.c
+++ b/sys/dev/pci/drm/i915/gt/uc/intel_guc_submission.c
@@ -5121,6 +5121,11 @@ guc_create_virtual(struct intel_engine_cs **siblings, unsigned int count,
 
 	ve->base.flags = I915_ENGINE_IS_VIRTUAL;
 
+#ifdef notyet
+	BUILD_BUG_ON(ilog2(VIRTUAL_ENGINES) < I915_NUM_ENGINES);
+#endif
+	ve->base.mask = VIRTUAL_ENGINES;
+
 	intel_context_init(&ve->context, &ve->base);
 
 	for (n = 0; n < count; n++) {
diff --git a/sys/dev/pci/drm/i915/i915_request.c b/sys/dev/pci/drm/i915/i915_request.c
index 1e37187e84e..b5c0bf163c5 100644
--- a/sys/dev/pci/drm/i915/i915_request.c
+++ b/sys/dev/pci/drm/i915/i915_request.c
@@ -141,9 +141,7 @@ static void i915_fence_release(struct dma_fence *fence)
 	i915_sw_fence_fini(&rq->semaphore);
 
 	/*
-	 * Keep one request on each engine for reserved use under mempressure
-	 * do not use with virtual engines as this really is only needed for
-	 * kernel contexts.
+	 * Keep one request on each engine for reserved use under mempressure.
 	 *
 	 * We do not hold a reference to the engine here and so have to be
 	 * very careful in what rq->engine we poke. The virtual engine is
@@ -173,8 +171,7 @@ static void i915_fence_release(struct dma_fence *fence)
 	 * know that if the rq->execution_mask is a single bit, rq->engine
 	 * can be a physical engine with the exact corresponding mask.
 	 */
-	if (!intel_engine_is_virtual(rq->engine) &&
-	    is_power_of_2(rq->execution_mask) &&
+	if (is_power_of_2(rq->execution_mask) &&
 	    !cmpxchg(&rq->engine->request_pool, NULL, rq))
 		return;