mirror of
https://github.com/torvalds/linux.git
synced 2026-03-08 03:24:45 +01:00
506aa8b02a
Dma-fence objects currently suffer from a potential use after free problem where fences exported to userspace and other drivers can outlive the exporting driver, or the associated data structures. The discussion on how to address this concluded that adding reference counting to all the involved objects is not desirable, since it would need to be very wide reaching and could cause unloadable drivers if another entity would be holding onto a signaled fence reference potentially indefinitely. This patch enables the safe access by introducing and documenting a contract between fence exporters and users. It documents a set of contraints and adds helpers which a) drivers with potential to suffer from the use after free must use and b) users of the dma-fence API must use as well. Premise of the design has multiple sides: 1. Drivers (fence exporters) MUST ensure a RCU grace period between signalling a fence and freeing the driver private data associated with it. The grace period does not have to follow the signalling immediately but HAS to happen before data is freed. 2. Users of the dma-fence API marked with such requirement MUST contain the complete access to the data within a single code block guarded by rcu_read_lock() and rcu_read_unlock(). The combination of the two ensures that whoever sees the DMA_FENCE_FLAG_SIGNALED_BIT not set is guaranteed to have access to a valid fence->lock and valid data potentially accessed by the fence->ops virtual functions, until the call to rcu_read_unlock(). 3. Module unload (fence->ops) disappearing is for now explicitly not handled. That would required a more complex protection, possibly needing SRCU instead of RCU to handle callers such as dma_fence_release() and dma_fence_wait_timeout(), where race between dma_fence_enable_sw_signaling, signalling, and dereference of fence->ops->wait() would need a sleeping SRCU context. Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com> Reviewed-by: Christian König <christian.koenig@amd.com> Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net> Link: https://lore.kernel.org/r/20250610164226.10817-4-tvrtko.ursulin@igalia.com |
||
|---|---|---|
| .. | ||
| heaps | ||
| dma-buf-sysfs-stats.c | ||
| dma-buf-sysfs-stats.h | ||
| dma-buf.c | ||
| dma-fence-array.c | ||
| dma-fence-chain.c | ||
| dma-fence-unwrap.c | ||
| dma-fence.c | ||
| dma-heap.c | ||
| dma-resv.c | ||
| Kconfig | ||
| Makefile | ||
| selftest.c | ||
| selftest.h | ||
| selftests.h | ||
| st-dma-fence-chain.c | ||
| st-dma-fence-unwrap.c | ||
| st-dma-fence.c | ||
| st-dma-resv.c | ||
| sw_sync.c | ||
| sync_debug.c | ||
| sync_debug.h | ||
| sync_file.c | ||
| sync_trace.h | ||
| udmabuf.c | ||