Skip to content
Snippets Groups Projects
Commit dafc349a authored by Rob Clark's avatar Rob Clark Committed by Frieder Schrempf
Browse files

dma-buf/sw_sync: Avoid recursive lock during fence signal 

[ Upstream commit e531fdb5 ]

If a signal callback releases the sw_sync fence, that will trigger a
deadlock as the timeline_fence_release recurses onto the fence->lock
(used both for signaling and the the timeline tree).

To avoid that, temporarily hold an extra reference to the signalled
fences until after we drop the lock.

(This is an alternative implementation of https://patchwork.kernel.org/patch/11664717/


which avoids some potential UAF issues with the original patch.)

v2: Remove now obsolete comment, use list_move_tail() and
    list_del_init()

Reported-by: default avatarBas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
Fixes: d3c6dd1f ("dma-buf/sw_sync: Synchronize signal vs syncpt free")
Signed-off-by: default avatarRob Clark <robdclark@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20230818145939.39697-1-robdclark@gmail.com


Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
Signed-off-by: default avatarChristian König <christian.koenig@amd.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 09360ee7
No related branches found
No related tags found
1 merge request!100🤖 Sync Bot: Update v6.1-ktn to Latest Stable Kernel (v6.1.52)
Hide whitespace changes
Inline Side-by-side
drivers/dma-buf/sw_sync.c
+ 9
9
View file @ dafc349a
...@@ -191,6 +191,7 @@ static const struct dma_fence_ops timeline_fence_ops = { ...@@ -191,6 +191,7 @@ static const struct dma_fence_ops timeline_fence_ops = {
*/ */
static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc) static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc)
{ {
LIST_HEAD(signalled);
struct sync_pt *pt, *next; struct sync_pt *pt, *next;
trace_sync_timeline(obj); trace_sync_timeline(obj);
...@@ -203,21 +204,20 @@ static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc) ...@@ -203,21 +204,20 @@ static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc)
if (!timeline_fence_signaled(&pt->base)) if (!timeline_fence_signaled(&pt->base))
break; break;
list_del_init(&pt->link); dma_fence_get(&pt->base);
list_move_tail(&pt->link, &signalled);
rb_erase(&pt->node, &obj->pt_tree); rb_erase(&pt->node, &obj->pt_tree);
/*
* A signal callback may release the last reference to this
* fence, causing it to be freed. That operation has to be
* last to avoid a use after free inside this loop, and must
* be after we remove the fence from the timeline in order to
* prevent deadlocking on timeline->lock inside
* timeline_fence_release().
*/
dma_fence_signal_locked(&pt->base); dma_fence_signal_locked(&pt->base);
} }
spin_unlock_irq(&obj->lock); spin_unlock_irq(&obj->lock);
list_for_each_entry_safe(pt, next, &signalled, link) {
list_del_init(&pt->link);
dma_fence_put(&pt->base);
}
} }
/** /**
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment