From: sashiko-bot@kernel.org
To: "Baineng Shou" <shoubaineng@gmail.com>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] dma-fence: Fix dma_fence_timeline_name() to call get_timeline_name()
Date: Thu, 25 Jun 2026 14:27:42 +0000
Message-ID: <20260625142742.C80771F000E9@smtp.kernel.org>
In-Reply-To: <20260625141227.38931-1-shoubaineng@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Potential NULL pointer dereference in `dma_fence_timeline_name()` and `dma_fence_driver_name()` due to a missing `ops` NULL check when the fence is concurrently signaled without a read memory barrier.
--
commit 118120d707b8593d71c08a5c22b1149fdc6d4229
Author: Baineng Shou <shoubaineng@gmail.com>
dma-fence: Fix dma_fence_timeline_name() to call get_timeline_name()
This patch fixes a copy-paste error where dma_fence_timeline_name()
incorrectly invoked get_driver_name() instead of get_timeline_name().
> diff --git a/drivers/dma-buf/dma-fence.c b/drivers/dma-buf/dma-fence.c
> index b3bfa6943a8e1..5292d714419b1 100644
> --- a/drivers/dma-buf/dma-fence.c
> +++ b/drivers/dma-buf/dma-fence.c
> @@ -1202,7 +1202,7 @@ const char __rcu *dma_fence_timeline_name(struct dma_fence *fence)
> /* RCU protection is required for safe access to returned string */
> ops = rcu_dereference(fence->ops);
> if (!dma_fence_test_signaled_flag(fence))
> - return (const char __rcu *)ops->get_driver_name(fence);
> + return (const char __rcu *)ops->get_timeline_name(fence);
[Severity: Critical]
This is a pre-existing issue, but is it possible for ops to be NULL here
due to memory reordering?
If dma_fence_signal_timestamp_locked() runs concurrently, it sets
DMA_FENCE_FLAG_SIGNALED_BIT (which includes a full memory barrier via
test_and_set_bit()) and then sets fence->ops = NULL via RCU_INIT_POINTER().
Since rcu_dereference() and test_bit() inside dma_fence_test_signaled_flag()
are independent memory loads without an intervening read memory barrier,
could a reader on weakly-ordered architectures experience reordering?
Reader CPU:
1. Loads fence->flags -> 0 (sees not signaled)
2. Loads fence->ops -> NULL (sees new value)
3. !dma_fence_test_signaled_flag(fence) evaluates to true
4. ops->get_timeline_name(fence) dereferences NULL
Would adding a NULL check for ops, or an smp_rmb() between the reads,
be necessary to prevent a potential kernel panic if this is reachable via
concurrent ioctls like SYNC_IOC_FILE_INFO?
Does dma_fence_driver_name() also share this same structural vulnerability
when dereferencing ops->get_driver_name?
> else
> return (const char __rcu *)"signaled-timeline";
> }
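Review bot: the corrected line `+ return (const char __rcu *)ops->get_timeline_name(fence);` is the right fix, but the commit message describes it as a copy-paste correction without a `Fixes:` tag naming the commit that introduced dma_fence_timeline_name(), so stable and backport tooling will not pick it up; please add `Fixes: <id of the commit that added dma_fence_timeline_name()> ("<its subject>")` (the id is not visible in this thread) and, since the wrong name is user-visible through callers such as SYNC_IOC_FILE_INFO, a Cc: stable line. The ops/flag ordering question raised above is pre-existing and independent of this one-line change, so it belongs in a separate patch rather than being folded into this one.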
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260625141227.38931-1-shoubaineng@gmail.com?part=1
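The reordering scenario the review above describes, as an added userspace model that is not kernel code and not part of the patch or this thread. C11 atomics and pthreads stand in for test_and_set_bit(), rcu_dereference() and the kernel's fence locking; the names model_fence, signal_fence(), timeline_name_ordered(), timeline_name_checked() and stress() are assumptions of this model, not dma-fence API. It shows both mitigations the review asks about: making the ops load an acquire (the read-barrier option) and an explicit NULL check on ops.

```c
/* Added example: userspace model of the dma-fence ops/flags race discussed
 * above.  struct model_fence, signal_fence() and the two reader variants are
 * assumptions of this model, not the kernel's dma_fence code. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define SIGNALED_BIT 1u

struct fence_ops {
	const char *(*get_timeline_name)(void);
};

/* Stand-in for struct dma_fence: only the two fields involved in the race. */
struct model_fence {
	_Atomic unsigned int flags;
	_Atomic(const struct fence_ops *) ops;
};

static const char *demo_timeline(void) { return "demo-timeline"; }
static const struct fence_ops demo_ops = { .get_timeline_name = demo_timeline };

static void fence_init(struct model_fence *f)
{
	atomic_init(&f->flags, 0);
	atomic_init(&f->ops, &demo_ops);
}

/* Signaller, in the order the review describes: set the flag, then clear ops.
 * The release store on ops orders the flag store before it, standing in for
 * the full barrier implied by test_and_set_bit(). */
static void signal_fence(struct model_fence *f)
{
	atomic_fetch_or_explicit(&f->flags, SIGNALED_BIT, memory_order_relaxed);
	atomic_store_explicit(&f->ops, NULL, memory_order_release);
}

/* Reader variant 1: same load order as dma_fence_timeline_name() (ops first,
 * then the flag) with the ops load made an acquire, i.e. the "barrier between
 * the reads" option.  If ops is observed as NULL, the flag store that preceded
 * it is guaranteed visible, so the flag test takes the signalled branch. */
static const char *timeline_name_ordered(struct model_fence *f)
{
	const struct fence_ops *ops = atomic_load_explicit(&f->ops, memory_order_acquire);
	unsigned int flags = atomic_load_explicit(&f->flags, memory_order_relaxed);

	if (!(flags & SIGNALED_BIT))
		return ops->get_timeline_name();
	return "signaled-timeline";
}

/* Reader variant 2: the explicit NULL-check option.  No ordering is needed:
 * any non-NULL ops observed is a valid pointer (in the kernel, RCU keeps the
 * callee alive), and NULL is treated as "already signalled". */
static const char *timeline_name_checked(struct model_fence *f)
{
	const struct fence_ops *ops = atomic_load_explicit(&f->ops, memory_order_relaxed);
	unsigned int flags = atomic_load_explicit(&f->flags, memory_order_relaxed);

	if (ops && !(flags & SIGNALED_BIT))
		return ops->get_timeline_name();
	return "signaled-timeline";
}

/* Stress harness: one thread hammers a reader while the main thread signals.
 * Returns true if every call produced one of the two legal strings; a NULL
 * dereference would instead crash the process. */
struct stress_arg {
	struct model_fence *fence;
	const char *(*reader)(struct model_fence *);
	unsigned long calls;
	bool ok;
};

static void *stress_reader(void *p)
{
	struct stress_arg *a = p;
	a->ok = true;
	for (unsigned long i = 0; i < a->calls; i++) {
		const char *s = a->reader(a->fence);
		if (strcmp(s, "demo-timeline") != 0 && strcmp(s, "signaled-timeline") != 0)
			a->ok = false;
	}
	return NULL;
}

static bool stress(const char *(*reader)(struct model_fence *), unsigned long calls)
{
	struct model_fence f;
	struct stress_arg a = { .fence = &f, .reader = reader, .calls = calls, .ok = false };
	pthread_t t;

	fence_init(&f);
	if (pthread_create(&t, NULL, stress_reader, &a) != 0)
		return false;
	for (volatile unsigned long spin = 0; spin < 1000; spin++)
		;	/* let the reader start before signalling */
	signal_fence(&f);
	pthread_join(t, NULL);
	return a.ok;
}

/* Deterministic check of both readers before and after signalling. */
static bool single_thread_check(void)
{
	struct model_fence f;

	fence_init(&f);
	if (strcmp(timeline_name_ordered(&f), "demo-timeline") != 0)
		return false;
	signal_fence(&f);
	return strcmp(timeline_name_ordered(&f), "signaled-timeline") == 0 &&
	       strcmp(timeline_name_checked(&f), "signaled-timeline") == 0;
}

int main(void)
{
	return single_thread_check() && stress(timeline_name_ordered, 1000000) &&
	       stress(timeline_name_checked, 1000000) ? 0 : 1;
}
```

Both readers are safe under the model's memory ordering; the original kernel sequence corresponds to variant 1 with a relaxed ops load and no NULL check, which the model does not attempt to make fail, since a weakly ordered reordering cannot be forced on demand from userspace.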
Thread overview: 3+ messages
2026-06-25 14:12 [PATCH] dma-fence: Fix dma_fence_timeline_name() to call get_timeline_name() Baineng Shou
2026-06-25 14:27 ` sashiko-bot [this message]
2026-06-25 15:01 ` Philipp Stanner