mali_kbase: Move epoll-consumed waitqueue to struct kbase_file

Storing the waitqueue in struct kbase_context leaves epoll holding a stale pointer to it, which it later attempts to deref and crashes the kernel in: [*][T15976] remove_wait_queue+0x64/0x190 [40350.510681][T15976] ep_unregister_pollwait+0x98/0xe8 Move this waitqueue to struct kbase_file to ensure that it lives long enough during process termination that the ep_unregister_pollwait access is valid (b/302281297). Bug: 300750575 Test: SST: b/302324090#comment4, repro: b/300750575#comment26 Change-Id: Ib161a7d7d4314bb6951bddbd87183a7dc71d5ac0 Signed-off-by: Varad Gautam <varadgautam@google.com>
author: Varad Gautam <varadgautam@google.com> 2023-09-27 13:34:16 +0000
committer: Varad Gautam <varadgautam@google.com> 2023-09-29 15:30:32 +0000
commit: 241a3cfc12f8b45de331964b5f1a26712b64f6f5 (patch)
tree: 6559501c3c2adce9d36fd2fbcc778463b19fb64c /mali_kbase/context
parent: f92aa3aad510c5a15d91e516f1ed8f45bfc40be0 (diff)
download: gpu-241a3cfc12f8b45de331964b5f1a26712b64f6f5.tar.gz
1 files changed, 0 insertions, 1 deletions
diff --git a/mali_kbase/context/mali_kbase_context.c b/mali_kbase/context/mali_kbase_context.c
index 70941ef..d227084 100644
--- a/mali_kbase/context/mali_kbase_context.c
+++ b/mali_kbase/context/mali_kbase_context.c
@@ -237,7 +237,6 @@ int kbase_context_common_init(struct kbase_context *kctx)
 	spin_lock_init(&kctx->waiting_soft_jobs_lock);
 	INIT_LIST_HEAD(&kctx->waiting_soft_jobs);
 
-	init_waitqueue_head(&kctx->event_queue);
 	atomic_set(&kctx->event_count, 0);
 
 #if !MALI_USE_CSF
author	Varad Gautam <varadgautam@google.com>	2023-09-27 13:34:16 +0000
committer	Varad Gautam <varadgautam@google.com>	2023-09-29 15:30:32 +0000
commit	241a3cfc12f8b45de331964b5f1a26712b64f6f5 (patch)
tree	6559501c3c2adce9d36fd2fbcc778463b19fb64c /mali_kbase/context
parent	f92aa3aad510c5a15d91e516f1ed8f45bfc40be0 (diff)
download	gpu-241a3cfc12f8b45de331964b5f1a26712b64f6f5.tar.gz