tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

sync_file: Protect access to driver and timeline name

Protect the access to driver and timeline name which otherwise could be
freed as dma-fence exported is signalling fences.

This prepares the code for incoming dma-fence API changes which will start
asserting these accesses are done from a RCU locked section.

Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Link: https://lore.kernel.org/r/20250610164226.10817-2-tvrtko.ursulin@igalia.com

authored by

Tvrtko Ursulin and committed by
Tvrtko Ursulin ad10976d a979a541

+20 -4
+20 -4
drivers/dma-buf/sync_file.c
··· 135 135 strscpy(buf, sync_file->user_name, len); 136 136 } else { 137 137 struct dma_fence *fence = sync_file->fence; 138 + const char __rcu *timeline; 139 + const char __rcu *driver; 138 140 141 + rcu_read_lock(); 142 + driver = dma_fence_driver_name(fence); 143 + timeline = dma_fence_timeline_name(fence); 139 144 snprintf(buf, len, "%s-%s%llu-%lld", 140 - dma_fence_driver_name(fence), 141 - dma_fence_timeline_name(fence), 145 + rcu_dereference(driver), 146 + rcu_dereference(timeline), 142 147 fence->context, 143 148 fence->seqno); 149 + rcu_read_unlock(); 144 150 } 145 151 146 152 return buf; ··· 268 262 static int sync_fill_fence_info(struct dma_fence *fence, 269 263 struct sync_fence_info *info) 270 264 { 271 - strscpy(info->obj_name, dma_fence_timeline_name(fence), 265 + const char __rcu *timeline; 266 + const char __rcu *driver; 267 + 268 + rcu_read_lock(); 269 + 270 + driver = dma_fence_driver_name(fence); 271 + timeline = dma_fence_timeline_name(fence); 272 + 273 + strscpy(info->obj_name, rcu_dereference(timeline), 272 274 sizeof(info->obj_name)); 273 - strscpy(info->driver_name, dma_fence_driver_name(fence), 275 + strscpy(info->driver_name, rcu_dereference(driver), 274 276 sizeof(info->driver_name)); 275 277 276 278 info->status = dma_fence_get_status(fence); ··· 286 272 dma_fence_is_signaled(fence) ? 287 273 ktime_to_ns(dma_fence_timestamp(fence)) : 288 274 ktime_set(0, 0); 275 + 276 + rcu_read_unlock(); 289 277 290 278 return info->status; 291 279 }