Re: [PATCH v2] dma-buf: dma-fence: Fix potential NULL pointer dereference

Next message: Wolfram Sang: "Re: [PATCH v2 3/4] hwspinlock: annotate slot pointer as RCU sensitive"
Previous message: Philipp Stanner: "Re: [PATCH] dma-fence: Make dma_fence_dedup_array() robust against 0-count input"
In reply to: Christian K&#xF6;nig: "Re: [PATCH v2] dma-buf: dma-fence: Fix potential NULL pointer dereference"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Danilo Krummrich

Date: Mon Jun 29 2026 - 05:11:33 EST

On 6/29/26 9:56 AM, Philipp Stanner wrote:
> The commit mentioned in the fixes tag below introduced a mechanism
> through which fence producers can fully decouple from fence consumers.
> This, desirable, mechanism is based on the fence's signaled-bit as the
> "decoupling point".
>
> A sophisticated interaction between RCU and atomic instructions attempts
> to ensure that fence consumers can still interact with fence producers
> through the dma_fence_ops (callback pointers into the producer).
>
> This is the desired behavior: to check for decoupling, the signaled-bit
> is first checked. If it's not yet signaled, RCU ensures that the ops
> pointer cannot yet be NULL.
>
> Hereby, dma_fence_signal_timestamp_locked() first sets the signaled-bit,
> and then sets the ops pointer to NULL. Readers first load the ops
> pointer, and then check through the signaled-bit whether the pointer can
> legally be accessed.
>
> These set and load operations could occur out of order on weakly ordered
> platforms. This problem can be solved very elegantly by using the ops
> pointer itself as the synchronization point. The pointer is either NULL,
> or cannot become NULL while it is being used thanks to RCU.
>
> Replace the signaled-bit check in dma_fence_timeline_name() and
> dma_fence_driver_name().
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: f4cc3ab824d6 ("dma-buf: protected fence ops by RCU v8")
> Signed-off-by: Philipp Stanner <phasta@xxxxxxxxxx>
Reviewed-by: Danilo Krummrich <dakr@xxxxxxxxxx>