| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <884050b3-5e7d-c00b-5467-290cfc57e0ea@gmail.com>
Date: Fri, 23 Jul 2021 10:22:34 +0200
From: Christian König <ckoenig.leichtzumerken@...il.com>
To: Michel Dänzer <michel@...nzer.net>,
Christian König <christian.koenig@....com>
Cc: linaro-mm-sig@...ts.linaro.org, linux-kernel@...r.kernel.org,
dri-devel@...ts.freedesktop.org, linux-media@...r.kernel.org
Subject: Re: [Linaro-mm-sig] [PATCH] dma-buf/poll: Get a file reference for
outstanding fence callbacks
Am 23.07.21 um 10:19 schrieb Michel Dänzer:
> On 2021-07-23 10:04 a.m., Christian König wrote:
>> Am 23.07.21 um 09:58 schrieb Michel Dänzer:
>>> From: Michel Dänzer <mdaenzer@...hat.com>
>>>
>>> This makes sure we don't hit the
>>>
>>> BUG_ON(dmabuf->cb_in.active || dmabuf->cb_out.active);
>>>
>>> in dma_buf_release, which could be triggered by user space closing the
>>> dma-buf file description while there are outstanding fence callbacks
>>> from dma_buf_poll.
>> I was also wondering the same thing while working on this, but then thought that the poll interface would take care of this.
> I was able to hit the BUG_ON with https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1880 .
>
>
>>> Cc: stable@...r.kernel.org
>>> Signed-off-by: Michel Dänzer <mdaenzer@...hat.com>
>>> ---
>>> drivers/dma-buf/dma-buf.c | 18 ++++++++++++------
>>> 1 file changed, 12 insertions(+), 6 deletions(-)
>>>
>>> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
>>> index 6c520c9bd93c..ec25498a971f 100644
>>> --- a/drivers/dma-buf/dma-buf.c
>>> +++ b/drivers/dma-buf/dma-buf.c
>>> @@ -65,12 +65,9 @@ static void dma_buf_release(struct dentry *dentry)
>>> BUG_ON(dmabuf->vmapping_counter);
>>> /*
>>> - * Any fences that a dma-buf poll can wait on should be signaled
>>> - * before releasing dma-buf. This is the responsibility of each
>>> - * driver that uses the reservation objects.
>>> - *
>>> - * If you hit this BUG() it means someone dropped their ref to the
>>> - * dma-buf while still having pending operation to the buffer.
>>> + * If you hit this BUG() it could mean:
>>> + * * There's a file reference imbalance in dma_buf_poll / dma_buf_poll_cb or somewhere else
>>> + * * dmabuf->cb_in/out.active are non-0 despite no pending fence callback
>>> */
>>> BUG_ON(dmabuf->cb_in.active || dmabuf->cb_out.active);
>>> @@ -196,6 +193,7 @@ static loff_t dma_buf_llseek(struct file *file, loff_t offset, int whence)
>>> static void dma_buf_poll_cb(struct dma_fence *fence, struct dma_fence_cb *cb)
>>> {
>>> struct dma_buf_poll_cb_t *dcb = (struct dma_buf_poll_cb_t *)cb;
>>> + struct dma_buf *dmabuf = container_of(dcb->poll, struct dma_buf, poll);
>>> unsigned long flags;
>>> spin_lock_irqsave(&dcb->poll->lock, flags);
>>> @@ -203,6 +201,8 @@ static void dma_buf_poll_cb(struct dma_fence *fence, struct dma_fence_cb *cb)
>>> dcb->active = 0;
>>> spin_unlock_irqrestore(&dcb->poll->lock, flags);
>>> dma_fence_put(fence);
>>> + /* Paired with get_file in dma_buf_poll */
>>> + fput(dmabuf->file);
>> Is calling fput() in interrupt context ok? IIRC that could potentially sleep.
> Looks fine AFAICT: It has
>
> if (likely(!in_interrupt() && !(task->flags & PF_KTHREAD))) {
>
> and as a fallback for that, it adds the file to a lock-less delayed_fput_list which is processed by a workqueue.
Ah, yes that makes sense.
Fell free to add Reviewed-by: Christian König <christian.koenig@....com>
Thanks,
Christian.
Powered by blists - more mailing lists