kernel / kernel-source

Clone
Source Code
GIT

Files

  1.   949810702a120c906756a9086192940bafae4a79
  2.   patches.suse
  3.   0005-dma-buf-fix-stack-corruption-in-dma_fence_chain_rele.patch
Blob Blame History Raw 
From 92cb3e5980638a37c56091e605aa837d0af05a9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
Date: Thu, 1 Aug 2019 15:11:14 +0200
Subject: dma-buf: fix stack corruption in dma_fence_chain_release
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 92cb3e5980638a37c56091e605aa837d0af05a9d
Patch-mainline: v5.4-rc1
References: bsc#1152472

We can't free up the chain using recursion or we run into a stack overflow.

Manually free up the dangling chain nodes to avoid recursion.

Signed-off-by: Christian König <christian.koenig@amd.com>
Acked-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Fixes: 7bf60c52e093 ("dma-buf: add new dma_fence_chain container v7")
Link: https://patchwork.freedesktop.org/patch/321612/
Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
 drivers/dma-buf/dma-fence-chain.c | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/drivers/dma-buf/dma-fence-chain.c b/drivers/dma-buf/dma-fence-chain.c
index b5089f64be2a..44a741677d25 100644
--- a/drivers/dma-buf/dma-fence-chain.c
+++ b/drivers/dma-buf/dma-fence-chain.c
@@ -178,8 +178,30 @@ static bool dma_fence_chain_signaled(struct dma_fence *fence)
 static void dma_fence_chain_release(struct dma_fence *fence)
 {
 	struct dma_fence_chain *chain = to_dma_fence_chain(fence);
+	struct dma_fence *prev;
+
+	/* Manually unlink the chain as much as possible to avoid recursion
+	 * and potential stack overflow.
+	 */
+	while ((prev = rcu_dereference_protected(chain->prev, true))) {
+		struct dma_fence_chain *prev_chain;
+
+		if (kref_read(&prev->refcount) > 1)
+		       break;
+
+		prev_chain = to_dma_fence_chain(prev);
+		if (!prev_chain)
+			break;
+
+		/* No need for atomic operations since we hold the last
+		 * reference to prev_chain.
+		 */
+		chain->prev = prev_chain->prev;
+		RCU_INIT_POINTER(prev_chain->prev, NULL);
+		dma_fence_put(prev);
+	}
+	dma_fence_put(prev);
 
-	dma_fence_put(rcu_dereference_protected(chain->prev, true));
 	dma_fence_put(chain->fence);
 	dma_fence_free(fence);
 }
-- 
2.28.0
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.