[PATCH] dma-buf: Precheck for a valid dma_fence before acquiring the reference

Chris Wilson chris at chris-wilson.co.uk
Fri Feb 21 14:38:20 UTC 2020


dma_fence_get_rcu() is used to acquire a reference to a dma-fence
under racy conditions -- a perfect recipe for a disaster. As we know
the caller may be handling stale memory, use kasan to confirm the
dma-fence, or rather its memory block, is valid before attempting to
acquire a reference. This should help us to more quickly and clearly
identify lost races.

Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
Cc: Daniel Vetter <daniel.vetter at ffwll.ch>
---
 include/linux/dma-fence.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/include/linux/dma-fence.h b/include/linux/dma-fence.h
index 3347c54f3a87..2805edd74738 100644
--- a/include/linux/dma-fence.h
+++ b/include/linux/dma-fence.h
@@ -301,6 +301,9 @@ static inline struct dma_fence *dma_fence_get(struct dma_fence *fence)
  */
 static inline struct dma_fence *dma_fence_get_rcu(struct dma_fence *fence)
 {
+	if (unlikely(!kasan_check_read(fence, sizeof(*fence))))
+		return NULL;
+
 	if (kref_get_unless_zero(&fence->refcount))
 		return fence;
 	else
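Review bot: The new kasan_check_read() call at the top of dma_fence_get_rcu() is added without a matching include; the diffstat shows only these three insertions, so dma-fence.h would depend on some other header pulling in the declaration. Adding `#include <linux/kasan-checks.h>` to this header would make the dependency explicit and avoid build breakage if the indirect include path changes. The kerneldoc comment that closes just above the function should also mention that NULL is now returned when the KASAN check fails, since that is a new reason for the function to return without a reference.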
-- 
2.25.1


