From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Chris Wilson" <chris@chris-wilson.co.uk>,
"Sumit Semwal" <sumit.semwal@linaro.org>,
"Sean Paul" <seanpaul@chromium.org>,
"Gustavo Padovan" <gustavo@padovan.org>,
"Christian König" <christian.koenig@amd.com>,
"Sasha Levin" <sashal@kernel.org>,
linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 4.14 28/28] dma-buf/sw_sync: Synchronize signal vs syncpt free
Date: Tue, 24 Sep 2019 12:50:31 -0400
Message-ID: <20190924165031.28292-28-sashal@kernel.org>
In-Reply-To: <20190924165031.28292-1-sashal@kernel.org>

From: Chris Wilson <chris@chris-wilson.co.uk>

[ Upstream commit d3c6dd1fb30d3853c2012549affe75c930f4a2f9 ]

During release of the syncpt, we remove it from the list of syncpt and
the tree, but only if it has not already been removed. However, during
signaling, we first remove the syncpt from the list. So, if we
concurrently free and signal the syncpt, the free may decide that it is
not part of the tree and immediately free itself -- meanwhile the
signaler goes on to use the now freed data structure.

In particular, we get struck by commit 0e2f733addbf ("dma-buf: make
dma_fence structure a bit smaller v2") as the cb_list is immediately
clobbered by the kfree_rcu.

v2: Avoid calling into timeline_fence_release() from under the spinlock

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=111381
Fixes: d3862e44daa7 ("dma-buf/sw-sync: Fix locking around sync_timeline lists")
References: 0e2f733addbf ("dma-buf: make dma_fence structure a bit smaller v2")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Cc: Sean Paul <seanpaul@chromium.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Christian König <christian.koenig@amd.com>
Cc: <stable@vger.kernel.org> # v4.14+
Acked-by: Christian König <christian.koenig@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190812154247.20508-1-chris@chris-wilson.co.uk
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma-buf/sw_sync.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/drivers/dma-buf/sw_sync.c b/drivers/dma-buf/sw_sync.c
index 24f83f9eeaedc..114b36674af42 100644
--- a/drivers/dma-buf/sw_sync.c
+++ b/drivers/dma-buf/sw_sync.c
@@ -141,17 +141,14 @@ static void timeline_fence_release(struct dma_fence *fence)
{
struct sync_pt *pt = dma_fence_to_sync_pt(fence);
struct sync_timeline *parent = dma_fence_parent(fence);
+ unsigned long flags;
+ spin_lock_irqsave(fence->lock, flags);
if (!list_empty(&pt->link)) {
- unsigned long flags;
-
- spin_lock_irqsave(fence->lock, flags);
- if (!list_empty(&pt->link)) {
- list_del(&pt->link);
- rb_erase(&pt->node, &parent->pt_tree);
- }
- spin_unlock_irqrestore(fence->lock, flags);
+ list_del(&pt->link);
+ rb_erase(&pt->node, &parent->pt_tree);
}
+ spin_unlock_irqrestore(fence->lock, flags);
sync_timeline_put(parent);
dma_fence_free(fence);
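Review bot: the unconditional spin_lock_irqsave(fence->lock, flags) at the top of timeline_fence_release() should carry a comment, because the removed unlocked list_empty(&pt->link) pre-check looks like a harmless fast path and is likely to be reintroduced later. Per the commit message, the signaler removes the syncpt from the list first and then keeps using it, so an empty link does not mean the signaler is finished with the object; only taking the lock orders the free after it. The comment should also record that this release callback now always acquires fence->lock, so the final dma_fence_put() on a sync_pt must never happen with that lock held, which the v2 note gives as the reason for the sync_pt_create() change.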
@@ -275,7 +272,8 @@ static struct sync_pt *sync_pt_create(struct sync_timeline *obj,
p = &parent->rb_left;
} else {
if (dma_fence_get_rcu(&other->base)) {
- dma_fence_put(&pt->base);
+ sync_timeline_put(obj);
+ kfree(pt);
pt = other;
goto unlock;
}
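Review bot: the open-coded teardown "sync_timeline_put(obj); kfree(pt);" in the dma_fence_get_rcu() branch needs a comment saying why it is safe to bypass the release callback here. timeline_fence_release() ends in dma_fence_free(fence), while this path uses a plain kfree(), which is only correct if the new pt has not yet been linked into the tree or list and nobody else can hold a reference to it; the branch sits in the tree walk before insertion, so that appears to hold, but it should be stated in the code. Please also confirm that sync_timeline_put(obj) cannot drop the last reference to the timeline at this point, since it runs before the unlock label.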
--
2.20.1