On Wed, Aug 10, 2022 at 12:26 PM Christian König <ckoenig.leichtzumer...@gmail.com> wrote:
> Previously when we added a fence to a dma_resv object we always
> assumed the the newer than all the existing fences.
>
> With Jason's work to add a UAPI to explicitly export/import that's not
> necessarily the case any more. So without this check we would allow
> userspace to force the kernel into a use-after-free error.
>
> Since the change is very small and defensive it's probably a good
> idea to backport this to stable kernels as well just in case others
> are using the dma_resv object in the same way.
>

Especially in the new world of dma_resv being a "bag of fences", I think this makes a lot of sense.

Reviewed-by: Jason Ekstrand <jason.ekstr...@collabora.com>

>
> Signed-off-by: Christian König <christian.koe...@amd.com>
> --- > drivers/dma-buf/dma-resv.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/dma-buf/dma-resv.c b/drivers/dma-buf/dma-resv.c > index 205acb2c744d..e3885c90a3ac 100644 > --- a/drivers/dma-buf/dma-resv.c > +++ b/drivers/dma-buf/dma-resv.c > @@ -295,7 +295,8 @@ void dma_resv_add_fence(struct dma_resv *obj, struct > dma_fence *fence, > enum dma_resv_usage old_usage; > > dma_resv_list_entry(fobj, i, obj, &old, &old_usage); > - if ((old->context == fence->context && old_usage >= usage) > || > + if ((old->context == fence->context && old_usage >= usage > && > + dma_fence_is_later(fence, old)) || > dma_fence_is_signaled(old)) { > dma_resv_list_set(fobj, i, fence, usage); > dma_fence_put(old); > -- > 2.25.1 > >
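Review bot: In the rewritten condition in dma_resv_add_fence(), the added `dma_fence_is_later(fence, old)` test also changes the case where the same fence, or one with an equal sequence number in the same context, is added a second time. If that helper is a strict comparison, the existing slot is no longer reused and the fence falls through to whatever follows this loop, which the hunk does not show. Please confirm that this path cannot leave duplicate entries or use up a slot the caller did not reserve, or consider a later-or-equal comparison instead. A short comment above the `if` saying that a fence added through the explicit import path may be older than the one already in the slot would also help, since that reasoning currently lives only in the commit message and the change is proposed for stable backports.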