[PATCH] dma-buf: Precheck for a valid dma_fence before acquiring the reference

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



dma_fence_get_rcu() is used to acquire a reference to under a dma-fence
under racey conditions -- a perfect recipe for a disaster. As we know
the caller may be handling stale memory, use kasan to confirm the
dma-fence, or rather its memory block, is valid before attempting to
acquire a reference. This should help us to more quickly and clearly
identify lost races.

Signed-off-by: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
Cc: Daniel Vetter <daniel.vetter@xxxxxxxx>
---
 include/linux/dma-fence.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/include/linux/dma-fence.h b/include/linux/dma-fence.h
index 3347c54f3a87..2805edd74738 100644
--- a/include/linux/dma-fence.h
+++ b/include/linux/dma-fence.h
@@ -301,6 +301,9 @@ static inline struct dma_fence *dma_fence_get(struct dma_fence *fence)
  */
 static inline struct dma_fence *dma_fence_get_rcu(struct dma_fence *fence)
 {
+	if (unlikely(!kasan_check_read(fence, sizeof(*fence))))
+		return NULL;
+
 	if (kref_get_unless_zero(&fence->refcount))
 		return fence;
 	else
-- 
2.25.1

_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel



[Index of Archives]     [Linux DRI Users]     [Linux Intel Graphics]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux