From patchwork Wed Jun 28 15:51:11 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sean Paul X-Patchwork-Id: 9814771 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 17E7C603F3 for ; Wed, 28 Jun 2017 15:51:32 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0A61F285FC for ; Wed, 28 Jun 2017 15:51:32 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id F31D72860C; Wed, 28 Jun 2017 15:51:31 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4ADDC28602 for ; Wed, 28 Jun 2017 15:51:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751782AbdF1Pv1 (ORCPT ); Wed, 28 Jun 2017 11:51:27 -0400 Received: from mail-qt0-f174.google.com ([209.85.216.174]:36856 "EHLO mail-qt0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751739AbdF1PvR (ORCPT ); Wed, 28 Jun 2017 11:51:17 -0400 Received: by mail-qt0-f174.google.com with SMTP id i2so52886901qta.3 for ; Wed, 28 Jun 2017 08:51:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id; bh=4iiT6IM8Y5zdH23VzWdPG6/SWUMHusDLMGC8oZ1EEzg=; b=hXUUpT4zXwmKOnWhZAxVLrx6w5+xav/6rGMG9Din4WLxpuRGuCSkiPLl1h0KfrC0gr gn8xCkuFAC8dJkQcuPomiVo8Ald4FrNHfzIsH9z/UrNOKYzanO6BYp9U4Ih6av2hLsvL KUuhdjkEYWMs49szK73nCYz50Im+aFgsYocgI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=4iiT6IM8Y5zdH23VzWdPG6/SWUMHusDLMGC8oZ1EEzg=; b=bqRC8+pxkGb6F8zhfm3wDjS5bNdZ+ZrM4vUQjvSLBzeDdNqrVaSz5/9meOzP934e0q N0MOPLua8nLXRoufwaglKPAoMHXj00HDLTw8m8glTrhvcWdh5JNAbIvv2L4Bn1b4hxoK xvHUVxDCE0D3e2ldoy99SY8hnZeBswhakG/yfaWxJhIJmd6h5/i0qAhiufH+vC1kOSvJ g0W/sdLVrvV3JPWs6tTzBdHH5fFLco21hCLx+D2EafpLUTghTWVZ2i44Mr51tHvhFAaT DrmiIS4kIPxW9qUyWTf+hhslIX5p09AinKWmy0+AYC6mCwnQLVsVziQ2Op2pE7VnY0YN tSHw== X-Gm-Message-State: AKS2vOw0vXcbJvYNMPDp9sbcB59LnJJQeNx3gj6zMI2nBVhRqzPOKrGf u/fQcrV4aFMS6AB3 X-Received: by 10.237.62.58 with SMTP id l55mr13434915qtf.20.1498665076957; Wed, 28 Jun 2017 08:51:16 -0700 (PDT) Received: from localhost.localdomain (99-45-70-16.lightspeed.rlghnc.sbcglobal.net. [99.45.70.16]) by smtp.gmail.com with ESMTPSA id c143sm1811107qkg.64.2017.06.28.08.51.15 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 28 Jun 2017 08:51:16 -0700 (PDT) From: Sean Paul To: dri-devel@lists.freedesktop.org Cc: dbehr@chromium.org, marcheu@chromium.org, Sean Paul , Sumit Semwal , Gustavo Padovan , linux-media@vger.kernel.org Subject: [PATCH] dma-buf/sw_sync: Fix timeline/pt overflow cases Date: Wed, 28 Jun 2017 11:51:11 -0400 Message-Id: <20170628155117.3558-1-seanpaul@chromium.org> X-Mailer: git-send-email 2.13.2.725.g09c95d1e9-goog Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Protect against long-running processes from overflowing the timeline and creating fences that go back in time. While we're at it, avoid overflowing while we're incrementing the timeline. Signed-off-by: Sean Paul --- drivers/dma-buf/sw_sync.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/dma-buf/sw_sync.c b/drivers/dma-buf/sw_sync.c index 69c5ff36e2f9..40934619ed88 100644 --- a/drivers/dma-buf/sw_sync.c +++ b/drivers/dma-buf/sw_sync.c @@ -142,7 +142,7 @@ static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc) spin_lock_irqsave(&obj->child_list_lock, flags); - obj->value += inc; + obj->value += min(inc, ~0x0U - obj->value); list_for_each_entry_safe(pt, next, &obj->active_list_head, active_list) { @@ -178,6 +178,11 @@ static struct sync_pt *sync_pt_create(struct sync_timeline *obj, int size, return NULL; spin_lock_irqsave(&obj->child_list_lock, flags); + if (value < obj->value) { + spin_unlock_irqrestore(&obj->child_list_lock, flags); + return NULL; + } + sync_timeline_get(obj); dma_fence_init(&pt->base, &timeline_fence_ops, &obj->child_list_lock, obj->context, value);