From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
"Bas Nieuwenhuizen" <bas@basnieuwenhuizen.nl>,
"Rob Clark" <robdclark@chromium.org>,
"Christian König" <christian.koenig@amd.com>,
"Sasha Levin" <sashal@kernel.org>
Subject: [PATCH 4.14 57/57] dma-buf/sw_sync: Avoid recursive lock during fence signal
Date: Mon, 28 Aug 2023 12:13:17 +0200 [thread overview]
Message-ID: <20230828101146.410338460@linuxfoundation.org> (raw)
In-Reply-To: <20230828101144.231099710@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Clark <robdclark@chromium.org>
[ Upstream commit e531fdb5cd5ee2564b7fe10c8a9219e2b2fac61e ]
If a signal callback releases the sw_sync fence, that will trigger a
deadlock as the timeline_fence_release recurses onto the fence->lock
(used both for signaling and the the timeline tree).
To avoid that, temporarily hold an extra reference to the signalled
fences until after we drop the lock.
(This is an alternative implementation of https://patchwork.kernel.org/patch/11664717/
which avoids some potential UAF issues with the original patch.)
v2: Remove now obsolete comment, use list_move_tail() and
list_del_init()
Reported-by: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
Fixes: d3c6dd1fb30d ("dma-buf/sw_sync: Synchronize signal vs syncpt free")
Signed-off-by: Rob Clark <robdclark@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20230818145939.39697-1-robdclark@gmail.com
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma-buf/sw_sync.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/dma-buf/sw_sync.c b/drivers/dma-buf/sw_sync.c
index 114b36674af42..29a4e2bb61f03 100644
--- a/drivers/dma-buf/sw_sync.c
+++ b/drivers/dma-buf/sw_sync.c
@@ -201,6 +201,7 @@ static const struct dma_fence_ops timeline_fence_ops = {
*/
static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc)
{
+ LIST_HEAD(signalled);
struct sync_pt *pt, *next;
trace_sync_timeline(obj);
@@ -213,21 +214,20 @@ static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc)
if (!timeline_fence_signaled(&pt->base))
break;
- list_del_init(&pt->link);
+ dma_fence_get(&pt->base);
+
+ list_move_tail(&pt->link, &signalled);
rb_erase(&pt->node, &obj->pt_tree);
- /*
- * A signal callback may release the last reference to this
- * fence, causing it to be freed. That operation has to be
- * last to avoid a use after free inside this loop, and must
- * be after we remove the fence from the timeline in order to
- * prevent deadlocking on timeline->lock inside
- * timeline_fence_release().
- */
dma_fence_signal_locked(&pt->base);
}
spin_unlock_irq(&obj->lock);
+
+ list_for_each_entry_safe(pt, next, &signalled, link) {
+ list_del_init(&pt->link);
+ dma_fence_put(&pt->base);
+ }
}
/**
--
2.40.1
next prev parent reply other threads:[~2023-08-28 10:17 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-28 10:12 [PATCH 4.14 00/57] 4.14.324-rc1 review Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 01/57] lib/mpi: Eliminate unused umul_ppmm definitions for MIPS Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 02/57] drm/radeon: Fix integer overflow in radeon_cs_parser_init Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 03/57] ALSA: emu10k1: roll up loops in DSP setup code for Audigy Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 04/57] quota: Properly disable quotas when add_dquot_ref() fails Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 05/57] quota: fix warning in dqgrab() Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 06/57] udf: Fix uninitialized array access for some pathnames Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 07/57] fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 08/57] MIPS: dec: prom: Address -Warray-bounds warning Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 09/57] FS: JFS: Fix null-ptr-deref Read in txBegin Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 10/57] FS: JFS: Check for read-only mounted filesystem " Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 11/57] media: v4l2-mem2mem: add lock to protect parameter num_rdy Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 12/57] media: platform: mediatek: vpu: fix NULL ptr dereference Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 13/57] gfs2: Fix possible data races in gfs2_show_options() Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 14/57] pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db() Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 15/57] Bluetooth: L2CAP: Fix use-after-free Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 16/57] drm/amdgpu: Fix potential fence use-after-free v2 Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 17/57] fbdev: mmp: fix value check in mmphw_probe() Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 18/57] powerpc/rtas_flash: allow user copy to flash block cache objects Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 19/57] net: xfrm: Fix xfrm_address_filter OOB read Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 20/57] net: af_key: fix sadb_x_filter validation Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 21/57] ip6_vti: fix slab-use-after-free in decode_session6 Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 22/57] ip_vti: fix potential " Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 23/57] xfrm: add NULL check in xfrm_update_ae_params Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 24/57] netfilter: nft_dynset: disallow object maps Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 25/57] team: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 26/57] i40e: fix misleading debug logs Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 27/57] sock: Fix misuse of sk_under_memory_pressure() Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 28/57] net: do not allow gso_size to be set to GSO_BY_FRAGS Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 29/57] ALSA: usb-audio: Add support for Mythware XA001AU capture and playback interfaces Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 30/57] cifs: Release folio lock on fscache read hit Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 31/57] mmc: wbsd: fix double mmc_free_host() in wbsd_init() Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 32/57] serial: 8250: Fix oops for port->pm on uart_change_pm() Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 33/57] binder: fix memory leak in binder_init() Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 34/57] test_firmware: prevent race conditions by a correct implementation of locking Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 35/57] netfilter: set default timeout to 3 secs for sctp shutdown send and recv state Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 36/57] ASoC: rt5665: add missed regulator_bulk_disable Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 37/57] af_unix: Fix null-ptr-deref in unix_stream_sendpage() Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 38/57] net: fix the RTO timer retransmitting skb every 1ms if linear option is enabled Greg Kroah-Hartman
2023-08-28 10:12 ` [PATCH 4.14 39/57] net: xfrm: Amend XFRMA_SEC_CTX nla_policy structure Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 4.14 40/57] net: phy: broadcom: stub c45 read/write for 54810 Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 4.14 41/57] tracing: Fix memleak due to race between current_tracer and trace Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 4.14 42/57] sock: annotate data-races around prot->memory_pressure Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 4.14 43/57] igb: Avoid starting unnecessary workqueues Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 4.14 44/57] ipvs: Improve robustness to the ipvs sysctl Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 4.14 45/57] ipvs: fix racy memcpy in proc_do_sync_threshold Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 4.14 46/57] ibmveth: Use dcbf rather than dcbfl Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 4.14 47/57] batman-adv: Trigger events for auto adjusted MTU Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 4.14 48/57] batman-adv: Do not get eth header before batadv_check_management_packet Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 4.14 49/57] batman-adv: Fix TT global entry leak when client roamed back Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 4.14 50/57] batman-adv: Fix batadv_v_ogm_aggr_send memory leak Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 4.14 51/57] lib/clz_ctz.c: Fix __clzdi2() and __ctzdi2() for 32-bit kernels Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 4.14 52/57] media: vcodec: Fix potential array out-of-bounds in encoder queue_setup Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 4.14 53/57] x86/fpu: Set X86_FEATURE_OSXSAVE feature after enabling OSXSAVE in CR4 Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 4.14 54/57] rtnetlink: Reject negative ifindexes in RTM_NEWLINK Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 4.14 55/57] scsi: snic: Fix double free in snic_tgt_create() Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 4.14 56/57] scsi: core: raid_class: Remove raid_component_add() Greg Kroah-Hartman
2023-08-28 10:13 ` Greg Kroah-Hartman [this message]
2023-08-29 3:01 ` [PATCH 4.14 00/57] 4.14.324-rc1 review Daniel Díaz
2023-08-29 11:57 ` Nathan Lynch
2023-08-30 12:32 ` Greg Kroah-Hartman
2023-08-30 1:56 ` Guenter Roeck
2023-08-30 12:33 ` Greg Kroah-Hartman
2023-08-30 10:24 ` Jon Hunter
2023-08-30 11:31 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230828101146.410338460@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=bas@basnieuwenhuizen.nl \
--cc=christian.koenig@amd.com \
--cc=patches@lists.linux.dev \
--cc=robdclark@chromium.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).