dma-buf: fix stack corruption in dma_fence_chain_release

We can't free up the chain using recursion or we run into a stack overflow.

Manually free up the dangling chain nodes to avoid recursion.

Signed-off-by: Christian König <christian.koenig@amd.com>
Acked-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Fixes: 7bf60c52e093 ("dma-buf: add new dma_fence_chain container v7")
Link: https://patchwork.freedesktop.org/patch/321612/

diff --git a/drivers/dma-buf/dma-fence-chain.c b/drivers/dma-buf/dma-fence-chain.c
index b5089f64be2ae95bef692c66909c39facb61383f..44a741677d2524c88d6a3cc056903a4bb31487bc 100644 (file)
--- a/drivers/dma-buf/dma-fence-chain.c
+++ b/drivers/dma-buf/dma-fence-chain.c
@@ -178,8 +178,30 @@ static bool dma_fence_chain_signaled(struct dma_fence *fence)
 static void dma_fence_chain_release(struct dma_fence *fence)
 {
        struct dma_fence_chain *chain = to_dma_fence_chain(fence);
+       struct dma_fence *prev;
+
+       /* Manually unlink the chain as much as possible to avoid recursion
+        * and potential stack overflow.
+        */
+       while ((prev = rcu_dereference_protected(chain->prev, true))) {
+               struct dma_fence_chain *prev_chain;
+
+               if (kref_read(&prev->refcount) > 1)
+                      break;
+
+               prev_chain = to_dma_fence_chain(prev);
+               if (!prev_chain)
+                       break;
+
+               /* No need for atomic operations since we hold the last
+                * reference to prev_chain.
+                */
+               chain->prev = prev_chain->prev;
+               RCU_INIT_POINTER(prev_chain->prev, NULL);
+               dma_fence_put(prev);
+       }
+       dma_fence_put(prev);
 
-       dma_fence_put(rcu_dereference_protected(chain->prev, true));
        dma_fence_put(chain->fence);
        dma_fence_free(fence);
 }