dma-buf: fix stack corruption in dma_fence_chain_release
We can't free up the chain using recursion or we run into a stack overflow.
Manually free up the dangling chain nodes to avoid recursion.
Signed-off-by: Christian König <christian.koenig@amd.com>
Acked-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Fixes: 7bf60c52e0
("dma-buf: add new dma_fence_chain container v7")
Link: https://patchwork.freedesktop.org/patch/321612/
This commit is contained in:
parent
0dbd555a01
commit
92cb3e5980
|
@ -178,8 +178,30 @@ static bool dma_fence_chain_signaled(struct dma_fence *fence)
|
||||||
static void dma_fence_chain_release(struct dma_fence *fence)
|
static void dma_fence_chain_release(struct dma_fence *fence)
|
||||||
{
|
{
|
||||||
struct dma_fence_chain *chain = to_dma_fence_chain(fence);
|
struct dma_fence_chain *chain = to_dma_fence_chain(fence);
|
||||||
|
struct dma_fence *prev;
|
||||||
|
|
||||||
|
/* Manually unlink the chain as much as possible to avoid recursion
|
||||||
|
* and potential stack overflow.
|
||||||
|
*/
|
||||||
|
while ((prev = rcu_dereference_protected(chain->prev, true))) {
|
||||||
|
struct dma_fence_chain *prev_chain;
|
||||||
|
|
||||||
|
if (kref_read(&prev->refcount) > 1)
|
||||||
|
break;
|
||||||
|
|
||||||
|
prev_chain = to_dma_fence_chain(prev);
|
||||||
|
if (!prev_chain)
|
||||||
|
break;
|
||||||
|
|
||||||
|
/* No need for atomic operations since we hold the last
|
||||||
|
* reference to prev_chain.
|
||||||
|
*/
|
||||||
|
chain->prev = prev_chain->prev;
|
||||||
|
RCU_INIT_POINTER(prev_chain->prev, NULL);
|
||||||
|
dma_fence_put(prev);
|
||||||
|
}
|
||||||
|
dma_fence_put(prev);
|
||||||
|
|
||||||
dma_fence_put(rcu_dereference_protected(chain->prev, true));
|
|
||||||
dma_fence_put(chain->fence);
|
dma_fence_put(chain->fence);
|
||||||
dma_fence_free(fence);
|
dma_fence_free(fence);
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue