Commit 4c0cfbca authored Aug 18, 2024 by Erico Nunes Committed by Cheng Yu Aug 18, 2024

drm/lima: fix shared irq handling on driver remove

stable inclusion
from stable-v6.1.98
commit 0a487e977cb8897ae4c51ecd34bbaa2b005266c9
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGRYV
CVE: CVE-2024-42127

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0a487e977cb8897ae4c51ecd34bbaa2b005266c9



--------------------------------

[ Upstream commit a6683c690bbfd1f371510cb051e8fa49507f3f5e ]

lima uses a shared interrupt, so the interrupt handlers must be prepared
to be called at any time. At driver removal time, the clocks are
disabled early and the interrupts stay registered until the very end of
the remove process due to the devm usage.
This is potentially a bug as the interrupts access device registers
which assumes clocks are enabled. A crash can be triggered by removing
the driver in a kernel with CONFIG_DEBUG_SHIRQ enabled.
This patch frees the interrupts at each lima device finishing callback
so that the handlers are already unregistered by the time we fully
disable clocks.

Signed-off-by: Erico Nunes <nunes.erico@gmail.com>
Signed-off-by: Qiang Yu <yuq825@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240401224329.1228468-2-nunes.erico@gmail.com


Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Cheng Yu <serein.chengyu@huawei.com>

parent 9560420d

drivers/gpu/drm/lima/lima_gp.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -324,7 +324,9 @@ int lima_gp_init(struct lima_ip *ip)

		void lima_gp_fini(struct lima_ip *ip)
		{
		struct lima_device *dev = ip->dev;

		devm_free_irq(dev->dev, ip->irq, ip);
		}

		int lima_gp_pipe_init(struct lima_device *dev)

drivers/gpu/drm/lima/lima_mmu.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -118,7 +118,12 @@ int lima_mmu_init(struct lima_ip *ip)

		void lima_mmu_fini(struct lima_ip *ip)
		{
		struct lima_device *dev = ip->dev;

		if (ip->id == lima_ip_ppmmu_bcast)
		return;

		devm_free_irq(dev->dev, ip->irq, ip);
		}

		void lima_mmu_flush_tlb(struct lima_ip *ip)

drivers/gpu/drm/lima/lima_pp.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -266,7 +266,9 @@ int lima_pp_init(struct lima_ip *ip)

		void lima_pp_fini(struct lima_ip *ip)
		{
		struct lima_device *dev = ip->dev;

		devm_free_irq(dev->dev, ip->irq, ip);
		}

		int lima_pp_bcast_resume(struct lima_ip *ip)
		@@ -299,7 +301,9 @@ int lima_pp_bcast_init(struct lima_ip *ip)

		void lima_pp_bcast_fini(struct lima_ip *ip)
		{
		struct lima_device *dev = ip->dev;

		devm_free_irq(dev->dev, ip->irq, ip);
		}

		static int lima_pp_task_validate(struct lima_sched_pipe *pipe,