moonjuice/kernel_arpi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

dma-buf/poll: Get a file reference for outstanding fence callbacks

Browse Source 
[ Upstream commit ff2d23843f7fb4f13055be5a4a9a20ddd04e6e9c ]

This makes sure we don't hit the

	BUG_ON(dmabuf->cb_in.active || dmabuf->cb_out.active);

in dma_buf_release, which could be triggered by user space closing the
dma-buf file description while there are outstanding fence callbacks
from dma_buf_poll.

Cc: stable@vger.kernel.org
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20210723075857.4065-1-michel@daenzer.net
Signed-off-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Michel Dänzer
2021-07-23 09:58:57 +02:00
committed by Greg Kroah-Hartman
parent 1403952116
commit 3fb11d1322
1 changed files with 13 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
drivers/dma-buf/dma-buf.c
View File

@@ -67,12 +67,9 @@ static void dma_buf_release(struct dentry *dentry)
BUG_ON(dmabuf->vmapping_counter); BUG_ON(dmabuf->vmapping_counter);
/* /*
* Any fences that a dma-buf poll can wait on should be signaled * If you hit this BUG() it could mean:
* before releasing dma-buf. This is the responsibility of each * * There's a file reference imbalance in dma_buf_poll / dma_buf_poll_cb or somewhere else
* driver that uses the reservation objects. * * dmabuf->cb_in/out.active are non-0 despite no pending fence callback
*
* If you hit this BUG() it means someone dropped their ref to the
* dma-buf while still having pending operation to the buffer.
*/ */
BUG_ON(dmabuf->cb_in.active || dmabuf->cb_out.active); BUG_ON(dmabuf->cb_in.active || dmabuf->cb_out.active);
@@ -200,6 +197,7 @@ static loff_t dma_buf_llseek(struct file *file, loff_t offset, int whence)
static void dma_buf_poll_cb(struct dma_fence *fence, struct dma_fence_cb *cb) static void dma_buf_poll_cb(struct dma_fence *fence, struct dma_fence_cb *cb)
{ {
struct dma_buf_poll_cb_t *dcb = (struct dma_buf_poll_cb_t *)cb; struct dma_buf_poll_cb_t *dcb = (struct dma_buf_poll_cb_t *)cb;
struct dma_buf *dmabuf = container_of(dcb->poll, struct dma_buf, poll);
unsigned long flags; unsigned long flags;
spin_lock_irqsave(&dcb->poll->lock, flags); spin_lock_irqsave(&dcb->poll->lock, flags);
@@ -207,6 +205,8 @@ static void dma_buf_poll_cb(struct dma_fence *fence, struct dma_fence_cb *cb)
dcb->active = 0; dcb->active = 0;
spin_unlock_irqrestore(&dcb->poll->lock, flags); spin_unlock_irqrestore(&dcb->poll->lock, flags);
dma_fence_put(fence); dma_fence_put(fence);
/* Paired with get_file in dma_buf_poll */
fput(dmabuf->file);
} }
static bool dma_buf_poll_shared(struct dma_resv *resv, static bool dma_buf_poll_shared(struct dma_resv *resv,
@@ -282,8 +282,12 @@ static __poll_t dma_buf_poll(struct file *file, poll_table *poll)
spin_unlock_irq(&dmabuf->poll.lock); spin_unlock_irq(&dmabuf->poll.lock);
if (events & EPOLLOUT) { if (events & EPOLLOUT) {
/* Paired with fput in dma_buf_poll_cb */
get_file(dmabuf->file);
if (!dma_buf_poll_shared(resv, dcb) && if (!dma_buf_poll_shared(resv, dcb) &&
!dma_buf_poll_excl(resv, dcb)) !dma_buf_poll_excl(resv, dcb))
/* No callback queued, wake up any other waiters */ /* No callback queued, wake up any other waiters */
dma_buf_poll_cb(NULL, &dcb->cb); dma_buf_poll_cb(NULL, &dcb->cb);
else else
@@ -303,6 +307,9 @@ static __poll_t dma_buf_poll(struct file *file, poll_table *poll)
spin_unlock_irq(&dmabuf->poll.lock); spin_unlock_irq(&dmabuf->poll.lock);
if (events & EPOLLIN) { if (events & EPOLLIN) {
/* Paired with fput in dma_buf_poll_cb */
get_file(dmabuf->file);
if (!dma_buf_poll_excl(resv, dcb)) if (!dma_buf_poll_excl(resv, dcb))
/* No callback queued, wake up any other waiters */ /* No callback queued, wake up any other waiters */
dma_buf_poll_cb(NULL, &dcb->cb); dma_buf_poll_cb(NULL, &dcb->cb);