Fixes for 4.14
authorSasha Levin <sashal@kernel.org>
Mon, 28 Aug 2023 01:51:26 +0000 (21:51 -0400)
committerSasha Levin <sashal@kernel.org>
Mon, 28 Aug 2023 01:51:26 +0000 (21:51 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.14/dma-buf-sw_sync-avoid-recursive-lock-during-fence-si.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/dma-buf-sw_sync-avoid-recursive-lock-during-fence-si.patch b/queue-4.14/dma-buf-sw_sync-avoid-recursive-lock-during-fence-si.patch
new file mode 100644 (file)
index 0000000..af8eea2
--- /dev/null
@@ -0,0 +1,81 @@
+From 6cdc39156039a4c8dbe4f5cb9b717503d54b5388 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Aug 2023 07:59:38 -0700
+Subject: dma-buf/sw_sync: Avoid recursive lock during fence signal
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit e531fdb5cd5ee2564b7fe10c8a9219e2b2fac61e ]
+
+If a signal callback releases the sw_sync fence, that will trigger a
+deadlock as the timeline_fence_release recurses onto the fence->lock
+(used both for signaling and the the timeline tree).
+
+To avoid that, temporarily hold an extra reference to the signalled
+fences until after we drop the lock.
+
+(This is an alternative implementation of https://patchwork.kernel.org/patch/11664717/
+which avoids some potential UAF issues with the original patch.)
+
+v2: Remove now obsolete comment, use list_move_tail() and
+    list_del_init()
+
+Reported-by: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
+Fixes: d3c6dd1fb30d ("dma-buf/sw_sync: Synchronize signal vs syncpt free")
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230818145939.39697-1-robdclark@gmail.com
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma-buf/sw_sync.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/dma-buf/sw_sync.c b/drivers/dma-buf/sw_sync.c
+index 114b36674af42..29a4e2bb61f03 100644
+--- a/drivers/dma-buf/sw_sync.c
++++ b/drivers/dma-buf/sw_sync.c
+@@ -201,6 +201,7 @@ static const struct dma_fence_ops timeline_fence_ops = {
+  */
+ static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc)
+ {
++      LIST_HEAD(signalled);
+       struct sync_pt *pt, *next;
+       trace_sync_timeline(obj);
+@@ -213,21 +214,20 @@ static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc)
+               if (!timeline_fence_signaled(&pt->base))
+                       break;
+-              list_del_init(&pt->link);
++              dma_fence_get(&pt->base);
++
++              list_move_tail(&pt->link, &signalled);
+               rb_erase(&pt->node, &obj->pt_tree);
+-              /*
+-               * A signal callback may release the last reference to this
+-               * fence, causing it to be freed. That operation has to be
+-               * last to avoid a use after free inside this loop, and must
+-               * be after we remove the fence from the timeline in order to
+-               * prevent deadlocking on timeline->lock inside
+-               * timeline_fence_release().
+-               */
+               dma_fence_signal_locked(&pt->base);
+       }
+       spin_unlock_irq(&obj->lock);
++
++      list_for_each_entry_safe(pt, next, &signalled, link) {
++              list_del_init(&pt->link);
++              dma_fence_put(&pt->base);
++      }
+ }
+ /**
+-- 
+2.40.1
+
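Review bot: The extra reference taken at `dma_fence_get(&pt->base)` carries no comment in the new code, and the old block comment about a callback freeing the fence inside the loop was deleted, so a reader of the resulting sync_timeline_signal() has no in-source explanation of why each signalled fence is parked on `signalled` and only dropped after `spin_unlock_irq(&obj->lock)`. The rationale in the commit message (a signal callback dropping the last reference would make timeline_fence_release() recurse on the lock) is worth keeping next to the code, e.g. `/* Hold a ref: a signal callback may drop the last reference, and timeline_fence_release() taking obj->lock here would deadlock. */` above the get. The post-unlock loop would also benefit from a one-liner on the `list_del_init(&pt->link)` before `dma_fence_put`, such as `/* unlink before the put; the release path must see an empty link */`, phrased as an expectation since timeline_fence_release() is not in this patch. Note that the lock acquisition and the loop header of sync_timeline_signal() fall between the two hunks of the embedded patch and are not visible here.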
index d4dc7623981189644428dba33abbe3887d06a185..5c7627e046a67ecc0bbc36be4b6ee7014357c52a 100644 (file)
@@ -52,3 +52,4 @@ lib-clz_ctz.c-fix-__clzdi2-and-__ctzdi2-for-32-bit-kernels.patch
 media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch
 x86-fpu-set-x86_feature_osxsave-feature-after-enabling-osxsave-in-cr4.patch
 rtnetlink-reject-negative-ifindexes-in-rtm_newlink.patch
+dma-buf-sw_sync-avoid-recursive-lock-during-fence-si.patch