Protect against long-running processes from overflowing the timeline and creating fences that go back in time. While we're at it, avoid overflowing while we're incrementing the timeline. Signed-off-by: Sean Paul <seanpaul@xxxxxxxxxxxx> --- drivers/dma-buf/sw_sync.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/dma-buf/sw_sync.c b/drivers/dma-buf/sw_sync.c index 69c5ff36e2f9..40934619ed88 100644 --- a/drivers/dma-buf/sw_sync.c +++ b/drivers/dma-buf/sw_sync.c @@ -142,7 +142,7 @@ static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc) spin_lock_irqsave(&obj->child_list_lock, flags); - obj->value += inc; + obj->value += min(inc, ~0x0U - obj->value); list_for_each_entry_safe(pt, next, &obj->active_list_head, active_list) { @@ -178,6 +178,11 @@ static struct sync_pt *sync_pt_create(struct sync_timeline *obj, int size, return NULL; spin_lock_irqsave(&obj->child_list_lock, flags); + if (value < obj->value) { + spin_unlock_irqrestore(&obj->child_list_lock, flags); + return NULL; + } + sync_timeline_get(obj); dma_fence_init(&pt->base, &timeline_fence_ops, &obj->child_list_lock, obj->context, value); -- 2.13.2.725.g09c95d1e9-goog
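Review bot: The clamp in `obj->value += min(inc, ~0x0U - obj->value);` makes the timeline saturate permanently, and nothing in the hunk documents that or reports it to the caller. Once `obj->value` reaches the maximum, the check this patch adds in sync_pt_create rejects every later request below that maximum, so a long-running user ends up with a timeline it can no longer create fences on. If that is intended, say so above the line, e.g. `/* Saturate at UINT_MAX instead of wrapping; the timeline cannot advance past this. */`, and spell the limit as `UINT_MAX`. The declared type of `obj->value` is not visible here; the kernel's `min()` type-checks its operands and the subtraction assumes an unsigned value, so that is worth confirming. The body of sync_timeline_signal starts and ends outside the hunk.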
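Review bot: The new early return in sync_pt_create drops `pt` without freeing it. The context above the lock returns NULL on what looks like a failed allocation, and `pt` is used right after in `dma_fence_init(&pt->base, ...)`, so it appears to be already allocated when the `value < obj->value` branch is taken. Since `value` presumably comes from a userspace request (the caller is outside the hunk), repeated stale values would leak kernel memory; release the object after the unlock, e.g. `kfree(pt);` before `return NULL;` if the allocation is a kmalloc-family call. NULL is also the allocation-failure result, so the caller cannot tell a stale value from out-of-memory and may report the wrong errno. The function starts and ends outside the hunk.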