| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4cf94f59-f953-f5d7-9901-cfe5fd63bfbc@daenzer.net>
Date: Fri, 23 Jul 2021 10:19:49 +0200
From: Michel Dänzer <michel@...nzer.net>
To: Christian König <christian.koenig@....com>
Cc: linaro-mm-sig@...ts.linaro.org, linux-kernel@...r.kernel.org,
dri-devel@...ts.freedesktop.org, linux-media@...r.kernel.org
Subject: Re: [PATCH] dma-buf/poll: Get a file reference for outstanding fence
callbacks
On 2021-07-23 10:04 a.m., Christian König wrote:
> Am 23.07.21 um 09:58 schrieb Michel Dänzer:
>> From: Michel Dänzer <mdaenzer@...hat.com>
>>
>> This makes sure we don't hit the
>>
>> BUG_ON(dmabuf->cb_in.active || dmabuf->cb_out.active);
>>
>> in dma_buf_release, which could be triggered by user space closing the
>> dma-buf file description while there are outstanding fence callbacks
>> from dma_buf_poll.
>
> I was also wondering the same thing while working on this, but then thought that the poll interface would take care of this.
I was able to hit the BUG_ON with https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1880 .
>> Cc: stable@...r.kernel.org
>> Signed-off-by: Michel Dänzer <mdaenzer@...hat.com>
>> ---
>> drivers/dma-buf/dma-buf.c | 18 ++++++++++++------
>> 1 file changed, 12 insertions(+), 6 deletions(-)
>>
>> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
>> index 6c520c9bd93c..ec25498a971f 100644
>> --- a/drivers/dma-buf/dma-buf.c
>> +++ b/drivers/dma-buf/dma-buf.c
>> @@ -65,12 +65,9 @@ static void dma_buf_release(struct dentry *dentry)
>> BUG_ON(dmabuf->vmapping_counter);
>> /*
>> - * Any fences that a dma-buf poll can wait on should be signaled
>> - * before releasing dma-buf. This is the responsibility of each
>> - * driver that uses the reservation objects.
>> - *
>> - * If you hit this BUG() it means someone dropped their ref to the
>> - * dma-buf while still having pending operation to the buffer.
>> + * If you hit this BUG() it could mean:
>> + * * There's a file reference imbalance in dma_buf_poll / dma_buf_poll_cb or somewhere else
>> + * * dmabuf->cb_in/out.active are non-0 despite no pending fence callback
>> */
>> BUG_ON(dmabuf->cb_in.active || dmabuf->cb_out.active);
>> @@ -196,6 +193,7 @@ static loff_t dma_buf_llseek(struct file *file, loff_t offset, int whence)
>> static void dma_buf_poll_cb(struct dma_fence *fence, struct dma_fence_cb *cb)
>> {
>> struct dma_buf_poll_cb_t *dcb = (struct dma_buf_poll_cb_t *)cb;
>> + struct dma_buf *dmabuf = container_of(dcb->poll, struct dma_buf, poll);
>> unsigned long flags;
>> spin_lock_irqsave(&dcb->poll->lock, flags);
>> @@ -203,6 +201,8 @@ static void dma_buf_poll_cb(struct dma_fence *fence, struct dma_fence_cb *cb)
>> dcb->active = 0;
>> spin_unlock_irqrestore(&dcb->poll->lock, flags);
>> dma_fence_put(fence);
>> + /* Paired with get_file in dma_buf_poll */
>> + fput(dmabuf->file);
>
> Is calling fput() in interrupt context ok? IIRC that could potentially sleep.
Looks fine AFAICT: It has
if (likely(!in_interrupt() && !(task->flags & PF_KTHREAD))) {
and as a fallback for that, it adds the file to a lock-less delayed_fput_list which is processed by a workqueue.
--
Earthling Michel Dänzer | https://redhat.com
Libre software enthusiast | Mesa and X developer
Powered by blists - more mailing lists