summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian König <christian.koenig@amd.com>2019-08-01 16:11:14 +0300
committerChristian König <christian.koenig@amd.com>2019-08-05 18:32:33 +0300
commit92cb3e5980638a37c56091e605aa837d0af05a9d (patch)
tree497f1d420890fefadb79a621d135a6bd468b619a
parent0dbd555a011c2d096a7b7e40c83c5776a7df367c (diff)
downloadlinux-92cb3e5980638a37c56091e605aa837d0af05a9d.tar.xz
dma-buf: fix stack corruption in dma_fence_chain_release
We can't free up the chain using recursion or we run into a stack overflow. Manually free up the dangling chain nodes to avoid recursion. Signed-off-by: Christian König <christian.koenig@amd.com> Acked-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com> Fixes: 7bf60c52e093 ("dma-buf: add new dma_fence_chain container v7") Link: https://patchwork.freedesktop.org/patch/321612/
-rw-r--r--drivers/dma-buf/dma-fence-chain.c24
1 files changed, 23 insertions, 1 deletions
diff --git a/drivers/dma-buf/dma-fence-chain.c b/drivers/dma-buf/dma-fence-chain.c
index b5089f64be2a..44a741677d25 100644
--- a/drivers/dma-buf/dma-fence-chain.c
+++ b/drivers/dma-buf/dma-fence-chain.c
@@ -178,8 +178,30 @@ static bool dma_fence_chain_signaled(struct dma_fence *fence)
static void dma_fence_chain_release(struct dma_fence *fence)
{
struct dma_fence_chain *chain = to_dma_fence_chain(fence);
+ struct dma_fence *prev;
+
+ /* Manually unlink the chain as much as possible to avoid recursion
+ * and potential stack overflow.
+ */
+ while ((prev = rcu_dereference_protected(chain->prev, true))) {
+ struct dma_fence_chain *prev_chain;
+
+ if (kref_read(&prev->refcount) > 1)
+ break;
+
+ prev_chain = to_dma_fence_chain(prev);
+ if (!prev_chain)
+ break;
+
+ /* No need for atomic operations since we hold the last
+ * reference to prev_chain.
+ */
+ chain->prev = prev_chain->prev;
+ RCU_INIT_POINTER(prev_chain->prev, NULL);
+ dma_fence_put(prev);
+ }
+ dma_fence_put(prev);
- dma_fence_put(rcu_dereference_protected(chain->prev, true));
dma_fence_put(chain->fence);
dma_fence_free(fence);
}