From patchwork Fri Feb 21 14:38:20 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chris Wilson X-Patchwork-Id: 11396743 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id CC6E01580 for ; Fri, 21 Feb 2020 14:38:32 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 861F424653 for ; Fri, 21 Feb 2020 14:38:32 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 861F424653 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=chris-wilson.co.uk Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=intel-gfx-bounces@lists.freedesktop.org Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 0226E6F45E; Fri, 21 Feb 2020 14:38:32 +0000 (UTC) X-Original-To: intel-gfx@lists.freedesktop.org Delivered-To: intel-gfx@lists.freedesktop.org Received: from fireflyinternet.com (unknown [77.68.26.236]) by gabe.freedesktop.org (Postfix) with ESMTPS id 29A7A6F45E; Fri, 21 Feb 2020 14:38:30 +0000 (UTC) X-Default-Received-SPF: pass (skip=forwardok (res=PASS)) x-ip-name=78.156.65.138; Received: from haswell.alporthouse.com (unverified [78.156.65.138]) by fireflyinternet.com (Firefly Internet (M1)) with ESMTP id 20303280-1500050 for multiple; Fri, 21 Feb 2020 14:38:21 +0000 From: Chris Wilson To: dri-devel@lists.freedesktop.org Date: Fri, 21 Feb 2020 14:38:20 +0000 Message-Id: <20200221143820.2795039-1-chris@chris-wilson.co.uk> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Subject: [Intel-gfx] [PATCH] dma-buf: Precheck for a valid dma_fence before acquiring the reference X-BeenThere: intel-gfx@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Intel graphics driver community testing & development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Daniel Vetter , intel-gfx@lists.freedesktop.org Errors-To: intel-gfx-bounces@lists.freedesktop.org Sender: "Intel-gfx" dma_fence_get_rcu() is used to acquire a reference to under a dma-fence under racey conditions -- a perfect recipe for a disaster. As we know the caller may be handling stale memory, use kasan to confirm the dma-fence, or rather its memory block, is valid before attempting to acquire a reference. This should help us to more quickly and clearly identify lost races. Signed-off-by: Chris Wilson Cc: Daniel Vetter --- include/linux/dma-fence.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/linux/dma-fence.h b/include/linux/dma-fence.h index 3347c54f3a87..2805edd74738 100644 --- a/include/linux/dma-fence.h +++ b/include/linux/dma-fence.h @@ -301,6 +301,9 @@ static inline struct dma_fence *dma_fence_get(struct dma_fence *fence) */ static inline struct dma_fence *dma_fence_get_rcu(struct dma_fence *fence) { + if (unlikely(!kasan_check_read(fence, sizeof(*fence)))) + return NULL; + if (kref_get_unless_zero(&fence->refcount)) return fence; else