[PATCH] dmabuf: fix dmabuf file poll uaf issue
Christian König
christian.koenig at amd.com
Tue May 7 10:10:07 UTC 2024
On 06.05.24 at 21:04, T.J. Mercier wrote:
> On Mon, May 6, 2024 at 2:30 AM Charan Teja Kalla
> <quic_charante at quicinc.com> wrote:
>> Hi TJ,
>>
>> Seems I have got answers from [1], where it is agreed upon epoll() is
>> the source of issue.
>>
>> Thanks a lot for the discussion.
>>
>> [1] https://lore.kernel.org/lkml/0000000000002d631f0615918f1e@google.com/
>>
>> Thanks
>> Charan
> Oh man, quite a set of threads on this over the weekend. Thanks for the link.

Yeah and it also has some interesting side conclusion: We should
probably tell people to stop using DMA-buf with epoll.

The background is that the mutex approach epoll uses to make files
disappear from the interest list on close results in the fact that each
file can only be part of a single epoll at a time.

Now since DMA-buf is built around the idea that we share the buffer
representation as file between processes it means that only one process
at a time can use epoll with each DMA-buf.

So for example if a window manager uses epoll everything is fine. If a
client is using epoll everything is fine as well. But if *both* use
epoll at the same time it won't work.

This can lead to rather funny and hard to debug combinations of failures
and I think we need to document this limitation and explicitly point it out.

Regards,
Christian.