Commit 0e916da8 authored Aug 18, 2023 by Rob Clark Committed by sanglipeng Feb 23, 2024

dma-buf/sw_sync: Avoid recursive lock during fence signal

stable inclusion
from stable-v5.10.193
commit 0df5eaab03ed6370b2e348ce77f79191162c8496
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I9399M

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0df5eaab03ed6370b2e348ce77f79191162c8496

--------------------------------

[ Upstream commit e531fdb5 ]

If a signal callback releases the sw_sync fence, that will trigger a
deadlock as the timeline_fence_release recurses onto the fence->lock
(used both for signaling and the the timeline tree).

To avoid that, temporarily hold an extra reference to the signalled
fences until after we drop the lock.

(This is an alternative implementation of https://patchwork.kernel.org/patch/11664717/


which avoids some potential UAF issues with the original patch.)

v2: Remove now obsolete comment, use list_move_tail() and
    list_del_init()

Reported-by: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
Fixes: d3c6dd1f ("dma-buf/sw_sync: Synchronize signal vs syncpt free")
Signed-off-by: Rob Clark <robdclark@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20230818145939.39697-1-robdclark@gmail.com


Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>

parent e198fe17

drivers/dma-buf/sw_sync.c

+9 −9

Original line number	Diff line number	Diff line
		@@ -191,6 +191,7 @@ static const struct dma_fence_ops timeline_fence_ops = {
		*/
		static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc)
		{
		LIST_HEAD(signalled);
		struct sync_pt pt, next;

		trace_sync_timeline(obj);
		@@ -203,21 +204,20 @@ static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc)
		if (!timeline_fence_signaled(&pt->base))
		break;

		list_del_init(&pt->link);
		dma_fence_get(&pt->base);

		list_move_tail(&pt->link, &signalled);
		rb_erase(&pt->node, &obj->pt_tree);

		/*
		* A signal callback may release the last reference to this
		* fence, causing it to be freed. That operation has to be
		* last to avoid a use after free inside this loop, and must
		* be after we remove the fence from the timeline in order to
		* prevent deadlocking on timeline->lock inside
		* timeline_fence_release().
		*/
		dma_fence_signal_locked(&pt->base);
		}

		spin_unlock_irq(&obj->lock);

		list_for_each_entry_safe(pt, next, &signalled, link) {
		list_del_init(&pt->link);
		dma_fence_put(&pt->base);
		}
		}

		/**