| author | Tvrtko Ursulin <tvrtko.ursulin@igalia.com> | 2026-04-15 09:32:07 +0100 |
|---|---|---|
| committer | Tvrtko Ursulin <tursulin@ursulin.net> | 2026-04-15 11:52:23 +0100 |
| commit | e94b9f01543cc6a83538c2c2cc645a424d3015ca (patch) | |
| tree | 43536073ab2c2167d9299910bc1b4d207f1f4312 /include/linux/timerqueue.h | |
| parent | c83ad8ea6b0a53f1ed61ae0b4b9606bdfe338b33 (diff) | |
dma-fence: Fix potential tracepoint null pointer dereferences

Trace_dma_fence_signaled, trace_dma_fence_wait_end and
trace_dma_fence_destroy can all currently dereference a null fence->ops
pointer after it has been reset on fence signalling.

Let's use the safe string getters for most tracepoints to avoid this class
of a problem, while for the signal tracepoint we move it to before ops are
cleared to avoid losing the driver and timeline name information. Apart
from moving it we also need to add a new tracepoint class to bypass the
safe name getters since the signaled bit is already set.

For dma_fence_init we also need to use the new tracepoint class since the
rcu read lock is not held there, and we can do the same for the enable
signaling since there we are certain the fence cannot be signaled while
we are holding the lock and have even validated the fence->ops.

Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Fixes: 541c8f2468b9 ("dma-buf: detach fence ops on signal v3")
Cc: Christian König <christian.koenig@amd.com>
Cc: Philipp Stanner <phasta@kernel.org>
Cc: Boris Brezillon <boris.brezillon@collabora.com>
Cc: linux-media@vger.kernel.org
Cc: linaro-mm-sig@lists.linaro.org
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Link: https://lore.kernel.org/r/20260415083207.40513-2-tvrtko.ursulin@igalia.com
Diffstat (limited to 'include/linux/timerqueue.h')
0 files changed, 0 insertions, 0 deletions
