dma_fence_get_rcu() is used to acquire a reference to under a dma-fence under racey conditions -- a perfect recipe for a disaster. As we know the caller may be handling stale memory, use kasan to confirm the dma-fence, or rather its memory block, is valid before attempting to acquire a reference. This should help us to more quickly and clearly identify lost races. Signed-off-by: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx> Cc: Daniel Vetter <daniel.vetter@xxxxxxxx> --- include/linux/dma-fence.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/linux/dma-fence.h b/include/linux/dma-fence.h index 3347c54f3a87..2805edd74738 100644 --- a/include/linux/dma-fence.h +++ b/include/linux/dma-fence.h @@ -301,6 +301,9 @@ static inline struct dma_fence *dma_fence_get(struct dma_fence *fence) */ static inline struct dma_fence *dma_fence_get_rcu(struct dma_fence *fence) { + if (unlikely(!kasan_check_read(fence, sizeof(*fence)))) + return NULL; + if (kref_get_unless_zero(&fence->refcount)) return fence; else -- 2.25.1 _______________________________________________ Intel-gfx mailing list Intel-gfx@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/intel-gfx