From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Chris Wilson" <chris@chris-wilson.co.uk>,
"Sumit Semwal" <sumit.semwal@linaro.org>,
"Sean Paul" <seanpaul@chromium.org>,
"Gustavo Padovan" <gustavo@padovan.org>,
"Christian König" <christian.koenig@amd.com>,
"Sasha Levin" <sashal@kernel.org>,
linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 4.19 49/50] dma-buf/sw_sync: Synchronize signal vs syncpt free
Date: Tue, 24 Sep 2019 12:48:46 -0400
Message-ID: <20190924164847.27780-49-sashal@kernel.org>
In-Reply-To: <20190924164847.27780-1-sashal@kernel.org>
From: Chris Wilson <chris@chris-wilson.co.uk>
[ Upstream commit d3c6dd1fb30d3853c2012549affe75c930f4a2f9 ]
During release of the syncpt, we remove it from the list of syncpt and
the tree, but only if it has not already been removed. However, during
signaling, we first remove the syncpt from the list. So, if we
concurrently free and signal the syncpt, the free may decide that it is
not part of the tree and immediately free itself -- meanwhile the
signaler goes on to use the now freed datastructure.
In particular, we get struck by commit 0e2f733addbf ("dma-buf: make
dma_fence structure a bit smaller v2") as the cb_list is immediately
clobbered by the kfree_rcu.
v2: Avoid calling into timeline_fence_release() from under the spinlock
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=111381
Fixes: d3862e44daa7 ("dma-buf/sw-sync: Fix locking around sync_timeline lists")
References: 0e2f733addbf ("dma-buf: make dma_fence structure a bit smaller v2")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Cc: Sean Paul <seanpaul@chromium.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Christian König <christian.koenig@amd.com>
Cc: <stable@vger.kernel.org> # v4.14+
Acked-by: Christian König <christian.koenig@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190812154247.20508-1-chris@chris-wilson.co.uk
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma-buf/sw_sync.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/drivers/dma-buf/sw_sync.c b/drivers/dma-buf/sw_sync.c
index 53c1d6d36a642..81ba4eb348909 100644
--- a/drivers/dma-buf/sw_sync.c
+++ b/drivers/dma-buf/sw_sync.c
@@ -141,17 +141,14 @@ static void timeline_fence_release(struct dma_fence *fence)
{
struct sync_pt *pt = dma_fence_to_sync_pt(fence);
struct sync_timeline *parent = dma_fence_parent(fence);
+ unsigned long flags;
+ spin_lock_irqsave(fence->lock, flags);
if (!list_empty(&pt->link)) {
- unsigned long flags;
-
- spin_lock_irqsave(fence->lock, flags);
- if (!list_empty(&pt->link)) {
- list_del(&pt->link);
- rb_erase(&pt->node, &parent->pt_tree);
- }
- spin_unlock_irqrestore(fence->lock, flags);
+ list_del(&pt->link);
+ rb_erase(&pt->node, &parent->pt_tree);
}
+ spin_unlock_irqrestore(fence->lock, flags);
sync_timeline_put(parent);
dma_fence_free(fence);
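Review bot: With spin_lock_irqsave(fence->lock, flags) now taken unconditionally at the top of timeline_fence_release(), the function must never be reached from a path that already holds fence->lock, and nothing in the code records that constraint. The v2 note in the commit message mentions it, but a short comment above the lock would keep it visible to the next person who adds a dma_fence_put() under the lock. The same comment should state why the unlocked list_empty(&pt->link) fast path was dropped: the signaler removes the syncpt from the list before it has finished with it, so an empty link seen without the lock does not prove that nobody else is still using the structure.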
@@ -274,7 +271,8 @@ static struct sync_pt *sync_pt_create(struct sync_timeline *obj,
p = &parent->rb_left;
} else {
if (dma_fence_get_rcu(&other->base)) {
- dma_fence_put(&pt->base);
+ sync_timeline_put(obj);
+ kfree(pt);
pt = other;
goto unlock;
}
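Review bot: The open-coded teardown in the dma_fence_get_rcu() branch (sync_timeline_put(obj); kfree(pt);) is only correct while pt is still unpublished, that is, not yet linked into the list or tree and holding nothing beyond the timeline reference, and that assumption is not stated anywhere near it. Please add a comment saying that dma_fence_put(&pt->base) cannot be used here because the release callback takes the lock that is still held until the unlock label, and that a plain kfree() rather than dma_fence_free() is acceptable because no other context can have observed pt yet. Without that, a later change that acquires another resource earlier in sync_pt_create() will leak it on this path without anyone noticing.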
--
2.20.1