From: Sasha Levin Date: Mon, 28 Aug 2023 01:51:26 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v6.4.13~9^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f96a063a150ada8b2f329bd0aedb8a1cf9c1edac;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/dma-buf-sw_sync-avoid-recursive-lock-during-fence-si.patch b/queue-4.14/dma-buf-sw_sync-avoid-recursive-lock-during-fence-si.patch new file mode 100644 index 00000000000..af8eea237b1 --- /dev/null +++ b/queue-4.14/dma-buf-sw_sync-avoid-recursive-lock-during-fence-si.patch @@ -0,0 +1,81 @@ +From 6cdc39156039a4c8dbe4f5cb9b717503d54b5388 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Aug 2023 07:59:38 -0700 +Subject: dma-buf/sw_sync: Avoid recursive lock during fence signal +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rob Clark + +[ Upstream commit e531fdb5cd5ee2564b7fe10c8a9219e2b2fac61e ] + +If a signal callback releases the sw_sync fence, that will trigger a +deadlock as the timeline_fence_release recurses onto the fence->lock +(used both for signaling and the the timeline tree). + +To avoid that, temporarily hold an extra reference to the signalled +fences until after we drop the lock. + +(This is an alternative implementation of https://patchwork.kernel.org/patch/11664717/ +which avoids some potential UAF issues with the original patch.) + +v2: Remove now obsolete comment, use list_move_tail() and + list_del_init() + +Reported-by: Bas Nieuwenhuizen +Fixes: d3c6dd1fb30d ("dma-buf/sw_sync: Synchronize signal vs syncpt free") +Signed-off-by: Rob Clark +Link: https://patchwork.freedesktop.org/patch/msgid/20230818145939.39697-1-robdclark@gmail.com +Reviewed-by: Christian König +Signed-off-by: Christian König +Signed-off-by: Sasha Levin +--- + drivers/dma-buf/sw_sync.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/dma-buf/sw_sync.c b/drivers/dma-buf/sw_sync.c +index 114b36674af42..29a4e2bb61f03 100644 +--- a/drivers/dma-buf/sw_sync.c ++++ b/drivers/dma-buf/sw_sync.c +@@ -201,6 +201,7 @@ static const struct dma_fence_ops timeline_fence_ops = { + */ + static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc) + { ++ LIST_HEAD(signalled); + struct sync_pt *pt, *next; + + trace_sync_timeline(obj); +@@ -213,21 +214,20 @@ static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc) + if (!timeline_fence_signaled(&pt->base)) + break; + +- list_del_init(&pt->link); ++ dma_fence_get(&pt->base); ++ ++ list_move_tail(&pt->link, &signalled); + rb_erase(&pt->node, &obj->pt_tree); + +- /* +- * A signal callback may release the last reference to this +- * fence, causing it to be freed. That operation has to be +- * last to avoid a use after free inside this loop, and must +- * be after we remove the fence from the timeline in order to +- * prevent deadlocking on timeline->lock inside +- * timeline_fence_release(). +- */ + dma_fence_signal_locked(&pt->base); + } + + spin_unlock_irq(&obj->lock); ++ ++ list_for_each_entry_safe(pt, next, &signalled, link) { ++ list_del_init(&pt->link); ++ dma_fence_put(&pt->base); ++ } + } + + /** +-- +2.40.1 + diff --git a/queue-4.14/series b/queue-4.14/series index d4dc7623981..5c7627e046a 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -52,3 +52,4 @@ lib-clz_ctz.c-fix-__clzdi2-and-__ctzdi2-for-32-bit-kernels.patch media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch x86-fpu-set-x86_feature_osxsave-feature-after-enabling-osxsave-in-cr4.patch rtnetlink-reject-negative-ifindexes-in-rtm_newlink.patch +dma-buf-sw_sync-avoid-recursive-lock-during-fence-si.patch