diff options
author | Christian König <christian.koenig@amd.com> | 2019-08-01 15:11:14 +0200 |
---|---|---|
committer | Christian König <christian.koenig@amd.com> | 2019-08-05 17:32:33 +0200 |
commit | 92cb3e5980638a37c56091e605aa837d0af05a9d (patch) | |
tree | 497f1d420890fefadb79a621d135a6bd468b619a | |
parent | 0dbd555a011c2d096a7b7e40c83c5776a7df367c (diff) |
dma-buf: fix stack corruption in dma_fence_chain_release
We can't free up the chain using recursion or we run into a stack overflow.
Manually free up the dangling chain nodes to avoid recursion.
Signed-off-by: Christian König <christian.koenig@amd.com>
Acked-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Fixes: 7bf60c52e093 ("dma-buf: add new dma_fence_chain container v7")
Link: https://patchwork.freedesktop.org/patch/321612/
-rw-r--r-- | drivers/dma-buf/dma-fence-chain.c | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/drivers/dma-buf/dma-fence-chain.c b/drivers/dma-buf/dma-fence-chain.c index b5089f64be2a..44a741677d25 100644 --- a/drivers/dma-buf/dma-fence-chain.c +++ b/drivers/dma-buf/dma-fence-chain.c @@ -178,8 +178,30 @@ static bool dma_fence_chain_signaled(struct dma_fence *fence) static void dma_fence_chain_release(struct dma_fence *fence) { struct dma_fence_chain *chain = to_dma_fence_chain(fence); + struct dma_fence *prev; + + /* Manually unlink the chain as much as possible to avoid recursion + * and potential stack overflow. + */ + while ((prev = rcu_dereference_protected(chain->prev, true))) { + struct dma_fence_chain *prev_chain; + + if (kref_read(&prev->refcount) > 1) + break; + + prev_chain = to_dma_fence_chain(prev); + if (!prev_chain) + break; + + /* No need for atomic operations since we hold the last + * reference to prev_chain. + */ + chain->prev = prev_chain->prev; + RCU_INIT_POINTER(prev_chain->prev, NULL); + dma_fence_put(prev); + } + dma_fence_put(prev); - dma_fence_put(rcu_dereference_protected(chain->prev, true)); dma_fence_put(chain->fence); dma_fence_free(fence); } |