[PATCH] dma-buf: fix stack corruption in dma_fence_chain_release

Lionel Landwerlin lionel.g.landwerlin at intel.com
Mon Aug 5 12:03:50 UTC 2019


By any change, did you run into this with a CTS test whose name ends 
with ".chain" ? :)

-Lionel

On 05/08/2019 10:36, Christian König wrote:
> We can't free up the chain using recursion or we run into a stack overflow.
>
> Manually free up the dangling chain nodes to avoid recursion.
>
> Signed-off-by: Christian König <christian.koenig at amd.com>
> ---
>   drivers/dma-buf/dma-fence-chain.c | 24 +++++++++++++++++++++++-
>   1 file changed, 23 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/dma-buf/dma-fence-chain.c b/drivers/dma-buf/dma-fence-chain.c
> index b5089f64be2a..44a741677d25 100644
> --- a/drivers/dma-buf/dma-fence-chain.c
> +++ b/drivers/dma-buf/dma-fence-chain.c
> @@ -178,8 +178,30 @@ static bool dma_fence_chain_signaled(struct dma_fence *fence)
>   static void dma_fence_chain_release(struct dma_fence *fence)
>   {
>   	struct dma_fence_chain *chain = to_dma_fence_chain(fence);
> +	struct dma_fence *prev;
> +
> +	/* Manually unlink the chain as much as possible to avoid recursion
> +	 * and potential stack overflow.
> +	 */
> +	while ((prev = rcu_dereference_protected(chain->prev, true))) {
> +		struct dma_fence_chain *prev_chain;
> +
> +		if (kref_read(&prev->refcount) > 1)
> +		       break;
> +
> +		prev_chain = to_dma_fence_chain(prev);
> +		if (!prev_chain)
> +			break;
> +
> +		/* No need for atomic operations since we hold the last
> +		 * reference to prev_chain.
> +		 */
> +		chain->prev = prev_chain->prev;
> +		RCU_INIT_POINTER(prev_chain->prev, NULL);
> +		dma_fence_put(prev);
> +	}
> +	dma_fence_put(prev);
>   
> -	dma_fence_put(rcu_dereference_protected(chain->prev, true));
>   	dma_fence_put(chain->fence);
>   	dma_fence_free(fence);
>   }




More information about the dri-devel mailing list