[PATCH] drm/prime: fix a potential double put (release) bug
Daniel Vetter
daniel at ffwll.ch
Wed Aug 18 14:07:09 UTC 2021
On Wed, Aug 18, 2021 at 03:25:59PM +0200, Christian König wrote:
> Am 18.08.21 um 15:02 schrieb Wentao_Liang:
> > In line 317 (#1), drm_gem_prime_import() is called, it will call
> > drm_gem_prime_import_dev(). At the end of the function
> > drm_gem_prime_import_dev() (line 956, #2), "dma_buf_put(dma_buf);" puts
> > dma_buf->file and may cause it to be released. However, after
> > drm_gem_prime_import() returning, the dma_buf may be put again by the
> > same put function in lines 342, 351 and 358 (#3, #4, #5). Putting the
> > dma_buf improperly more than once can lead to an incorrect dma_buf-
> > > file put.
> > We believe that the put of the dma_buf in the function
> > drm_gem_prime_import() is unnecessary (#2). We can fix the above bug by
> > removing the redundant "dma_buf_put(dma_buf);" in line 956.
>
> Guys I'm getting tired of NAKing those incorrect reference count analysis.
>
> The dma_buf_put() in the error handling of drm_gem_prime_import_dev()
> function is balanced with the get_dma_buf() in the same function directly
> above.
>
> This is for the creating a GEM object for a DMA-buf imported from other
> device use case and certainly correct.
>
> The various dma_buf_put() in drm_gem_prime_fd_to_handle() is balanced with
> the dma_buf_get(prime_fd) at the beginning of the function.
>
> This is for extracting the DMA-buf from the file descriptor and keeping a
> reference to it while we are busy importing it (e.g. to prevent a race when
> somebody changes the fd at the same time).
>
> As far as I can see this is correct as well.
Yeah the analysis is just high-grade nonsense. The current code looks
correct, the analysis presented here, not.
-Daniel
>
> Regards,
> Christian.
>
> >
> > 314 if (dev->driver->gem_prime_import)
> > 315 obj = dev->driver->gem_prime_import(dev, dma_buf);
> > 316 else
> > 317 obj = drm_gem_prime_import(dev, dma_buf);
> > //#1 call to drm_gem_prime_import
> > // ->drm_gem_prime_import_dev
> > // ->dma_buf_put
> > ...
> >
> > 336 ret = drm_prime_add_buf_handle(&file_priv->prime,
> > 337 dma_buf, *handle);
> >
> > ...
> >
> > 342 dma_buf_put(dma_buf); //#3 put again
> > 343
> > 344 return 0;
> > 345
> > 346 fail:
> >
> > 351 dma_buf_put(dma_buf); //#4 put again
> > 352 return ret;
> >
> > 356 out_put:
> > 357 mutex_unlock(&file_priv->prime.lock);
> > 358 dma_buf_put(dma_buf); //#5 put again
> > 359 return ret;
> > 360 }
> >
> > 905 struct drm_gem_object *drm_gem_prime_import_dev
> > (struct drm_device *dev,
> > 906 struct dma_buf *dma_buf,
> > 907 struct device *attach_dev)
> > 908 {
> >
> > ...
> >
> > 952 fail_unmap:
> > 953 dma_buf_unmap_attachment(attach, sgt, DMA_BIDIRECTIONAL);
> > 954 fail_detach:
> > 955 dma_buf_detach(dma_buf, attach);
> > 956 dma_buf_put(dma_buf); //#2 the first put of dma_buf
> > // (unnecessary)
> > 957
> > 958 return ERR_PTR(ret);
> > 959 }
> >
> > Signed-off-by: Wentao_Liang <Wentao_Liang_g at 163.com>
> > ---
> > drivers/gpu/drm/drm_prime.c | 1 -
> > 1 file changed, 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c
> > index 2a54f86856af..cef03ad0d5cd 100644
> > --- a/drivers/gpu/drm/drm_prime.c
> > +++ b/drivers/gpu/drm/drm_prime.c
> > @@ -953,7 +953,6 @@ struct drm_gem_object *drm_gem_prime_import_dev(struct drm_device *dev,
> > dma_buf_unmap_attachment(attach, sgt, DMA_BIDIRECTIONAL);
> > fail_detach:
> > dma_buf_detach(dma_buf, attach);
> > - dma_buf_put(dma_buf);
> > return ERR_PTR(ret);
> > }
>
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
More information about the dri-devel
mailing list