[RFC] deadlock in "drm/exynos: fix wrong pointer access at vm close"

Inki Dae inki.dae at samsung.com
Mon Sep 23 00:49:30 PDT 2013


> -----Original Message-----
> From: Al Viro [mailto:viro at ftp.linux.org.uk] On Behalf Of Al Viro
> Sent: Monday, September 23, 2013 6:29 AM
> To: YoungJun Cho
> Cc: dri-devel at lists.freedesktop.org; Inki Dae
> Subject: [RFC] deadlock in "drm/exynos: fix wrong pointer access at vm
> close"
> 	You have drm_dev->struct_mutex grabbed before ->mmap_sem in
> exynos_drm_gem_mmap_ioctl() and after - in exynos_drm_gem_fault()
> (since ->fault() is always called with ->mmap_sem held).  Looks like
> a garden-variety AB-BA deadlock...

Right, if mmap system call is requested by another process between ->f_op
pointer changing and restoring, the deadlock can be incurred.

For this, I think we can resolve this issue like below,

At exynos_drm_gem_mmap_ioctl()
	addr = security_mmap_file(...);
	if (!addr) {
		unsigned long populate;

		addr = do_mmap_pgoff(...);
		if (populate)

The point above is to call down_write(&mm->mmap_sem) before do_mmap_pgoff,
and then to call up_write(...) after do_mmap_pg_off so that when another
process called mmap system call, the process can wait for up_write(...)
until the ->f_op pointer is restored.

I will post this patch soon. other opinions?

Inki Dae

> 	Incidentally, what should happen if another process shares the
> same opened file (e.g. inherited over fork()) and does mmap() just
> as we have ->f_op switched?

More information about the dri-devel mailing list