drm/xe: Fix possible UAF in guc_exec_queue_process_msg

Store xe_device ahead of processing message as message can be free'd in
some cases.

v2:
 - Including missing local changes
v3:
 - Resend for CI

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202407231445.rpisd1vA-lkp@intel.com/
Fixes: 55ea73aacfb9 ("drm/xe: Build PM into GuC CT layer")
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Reviewed-by: Himal Prasad Ghimiray <himal.prasad.ghimiray@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240724164341.1848954-1-matthew.brost@intel.com
(cherry picked from commit 1a394b4f504f33eac8c38b6f42ba025105c7e869)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>

diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c b/drivers/gpu/drm/xe/xe_guc_submit.c
index 77b0f0d8f7297ee3a3323b57b8ff65627d90b63e..59b36c7998c243582e775ff911b6ab106668b6d9 100644 (file)
--- a/drivers/gpu/drm/xe/xe_guc_submit.c
+++ b/drivers/gpu/drm/xe/xe_guc_submit.c
@@ -1375,6 +1375,8 @@ static void __guc_exec_queue_process_msg_resume(struct xe_sched_msg *msg)
 
 static void guc_exec_queue_process_msg(struct xe_sched_msg *msg)
 {
+       struct xe_device *xe = guc_to_xe(exec_queue_to_guc(msg->private_data));
+
        trace_xe_sched_msg_recv(msg);
 
        switch (msg->opcode) {
@@ -1394,7 +1396,7 @@ static void guc_exec_queue_process_msg(struct xe_sched_msg *msg)
                XE_WARN_ON("Unknown message type");
        }
 
-       xe_pm_runtime_put(guc_to_xe(exec_queue_to_guc(msg->private_data)));
+       xe_pm_runtime_put(xe);
 }
 
 static const struct drm_sched_backend_ops drm_sched_ops = {