LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* [PATCH] drm/prime: fix a potential double put (release) bug
@ 2021-08-18 13:02 Wentao_Liang
  2021-08-18 13:25 ` Christian König
  0 siblings, 1 reply; 3+ messages in thread
From: Wentao_Liang @ 2021-08-18 13:02 UTC (permalink / raw)
  To: maarten.lankhorst
  Cc: mripard, tzimmermann, airlied, daniel, sumit.semwal,
	christian.koenig, dri-devel, linux-kernel, linux-media,
	linaro-mm-sig, Wentao_Liang

In line 317 (#1), drm_gem_prime_import() is called, it will call
drm_gem_prime_import_dev(). At the end of the function
drm_gem_prime_import_dev() (line 956, #2), "dma_buf_put(dma_buf);" puts
dma_buf->file and may cause it to be released. However, after
drm_gem_prime_import() returning, the dma_buf may be put again by the
same put function in lines 342, 351 and 358 (#3, #4, #5). Putting the
dma_buf improperly more than once can lead to an incorrect dma_buf-
>file put.

We believe that the put of the dma_buf in the function
drm_gem_prime_import() is unnecessary (#2). We can fix the above bug by
removing the redundant "dma_buf_put(dma_buf);" in line 956.

 314     if (dev->driver->gem_prime_import)
 315         obj = dev->driver->gem_prime_import(dev, dma_buf);
 316     else
 317         obj = drm_gem_prime_import(dev, dma_buf);
 				//#1 call to drm_gem_prime_import
				//   ->drm_gem_prime_import_dev
				//   ->dma_buf_put
 ...

 336     ret = drm_prime_add_buf_handle(&file_priv->prime,
 337             dma_buf, *handle);

 ...

 342     dma_buf_put(dma_buf);  //#3 put again
 343
 344     return 0;
 345
 346 fail:

 351     dma_buf_put(dma_buf); //#4 put again
 352     return ret;

 356 out_put:
 357     mutex_unlock(&file_priv->prime.lock);
 358     dma_buf_put(dma_buf);  //#5 put again
 359     return ret;
 360 }

 905 struct drm_gem_object *drm_gem_prime_import_dev
 							(struct drm_device *dev,
 906                         struct dma_buf *dma_buf,
 907                         struct device *attach_dev)
 908 {

 ...

 952 fail_unmap:
 953     dma_buf_unmap_attachment(attach, sgt, DMA_BIDIRECTIONAL);
 954 fail_detach:
 955     dma_buf_detach(dma_buf, attach);
 956     dma_buf_put(dma_buf);  //#2 the first put of dma_buf
								//	 (unnecessary)
 957
 958     return ERR_PTR(ret);
 959 }

Signed-off-by: Wentao_Liang <Wentao_Liang_g@163.com>
---
 drivers/gpu/drm/drm_prime.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c
index 2a54f86856af..cef03ad0d5cd 100644
--- a/drivers/gpu/drm/drm_prime.c
+++ b/drivers/gpu/drm/drm_prime.c
@@ -953,7 +953,6 @@ struct drm_gem_object *drm_gem_prime_import_dev(struct drm_device *dev,
 	dma_buf_unmap_attachment(attach, sgt, DMA_BIDIRECTIONAL);
 fail_detach:
 	dma_buf_detach(dma_buf, attach);
-	dma_buf_put(dma_buf);
 
 	return ERR_PTR(ret);
 }
-- 
2.25.1


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] drm/prime: fix a potential double put (release) bug
  2021-08-18 13:02 [PATCH] drm/prime: fix a potential double put (release) bug Wentao_Liang
@ 2021-08-18 13:25 ` Christian König
  2021-08-18 14:07   ` Daniel Vetter
  0 siblings, 1 reply; 3+ messages in thread
From: Christian König @ 2021-08-18 13:25 UTC (permalink / raw)
  To: Wentao_Liang, maarten.lankhorst
  Cc: mripard, tzimmermann, airlied, daniel, sumit.semwal, dri-devel,
	linux-kernel, linux-media, linaro-mm-sig

Am 18.08.21 um 15:02 schrieb Wentao_Liang:
> In line 317 (#1), drm_gem_prime_import() is called, it will call
> drm_gem_prime_import_dev(). At the end of the function
> drm_gem_prime_import_dev() (line 956, #2), "dma_buf_put(dma_buf);" puts
> dma_buf->file and may cause it to be released. However, after
> drm_gem_prime_import() returning, the dma_buf may be put again by the
> same put function in lines 342, 351 and 358 (#3, #4, #5). Putting the
> dma_buf improperly more than once can lead to an incorrect dma_buf-
>> file put.
> We believe that the put of the dma_buf in the function
> drm_gem_prime_import() is unnecessary (#2). We can fix the above bug by
> removing the redundant "dma_buf_put(dma_buf);" in line 956.

Guys I'm getting tired of NAKing those incorrect reference count analysis.

The dma_buf_put() in the error handling of drm_gem_prime_import_dev() 
function is balanced with the get_dma_buf() in the same function 
directly above.

This is for the creating a GEM object for a DMA-buf imported from other 
device use case and certainly correct.

The various dma_buf_put() in drm_gem_prime_fd_to_handle() is balanced 
with the dma_buf_get(prime_fd) at the beginning of the function.

This is for extracting the DMA-buf from the file descriptor and keeping 
a reference to it while we are busy importing it (e.g. to prevent a race 
when somebody changes the fd at the same time).

As far as I can see this is correct as well.

Regards,
Christian.

>
>   314     if (dev->driver->gem_prime_import)
>   315         obj = dev->driver->gem_prime_import(dev, dma_buf);
>   316     else
>   317         obj = drm_gem_prime_import(dev, dma_buf);
>   				//#1 call to drm_gem_prime_import
> 				//   ->drm_gem_prime_import_dev
> 				//   ->dma_buf_put
>   ...
>
>   336     ret = drm_prime_add_buf_handle(&file_priv->prime,
>   337             dma_buf, *handle);
>
>   ...
>
>   342     dma_buf_put(dma_buf);  //#3 put again
>   343
>   344     return 0;
>   345
>   346 fail:
>
>   351     dma_buf_put(dma_buf); //#4 put again
>   352     return ret;
>
>   356 out_put:
>   357     mutex_unlock(&file_priv->prime.lock);
>   358     dma_buf_put(dma_buf);  //#5 put again
>   359     return ret;
>   360 }
>
>   905 struct drm_gem_object *drm_gem_prime_import_dev
>   							(struct drm_device *dev,
>   906                         struct dma_buf *dma_buf,
>   907                         struct device *attach_dev)
>   908 {
>
>   ...
>
>   952 fail_unmap:
>   953     dma_buf_unmap_attachment(attach, sgt, DMA_BIDIRECTIONAL);
>   954 fail_detach:
>   955     dma_buf_detach(dma_buf, attach);
>   956     dma_buf_put(dma_buf);  //#2 the first put of dma_buf
> 								//	 (unnecessary)
>   957
>   958     return ERR_PTR(ret);
>   959 }
>
> Signed-off-by: Wentao_Liang <Wentao_Liang_g@163.com>
> ---
>   drivers/gpu/drm/drm_prime.c | 1 -
>   1 file changed, 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c
> index 2a54f86856af..cef03ad0d5cd 100644
> --- a/drivers/gpu/drm/drm_prime.c
> +++ b/drivers/gpu/drm/drm_prime.c
> @@ -953,7 +953,6 @@ struct drm_gem_object *drm_gem_prime_import_dev(struct drm_device *dev,
>   	dma_buf_unmap_attachment(attach, sgt, DMA_BIDIRECTIONAL);
>   fail_detach:
>   	dma_buf_detach(dma_buf, attach);
> -	dma_buf_put(dma_buf);
>   
>   	return ERR_PTR(ret);
>   }


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] drm/prime: fix a potential double put (release) bug
  2021-08-18 13:25 ` Christian König
@ 2021-08-18 14:07   ` Daniel Vetter
  0 siblings, 0 replies; 3+ messages in thread
From: Daniel Vetter @ 2021-08-18 14:07 UTC (permalink / raw)
  To: Christian König
  Cc: Wentao_Liang, maarten.lankhorst, mripard, tzimmermann, airlied,
	daniel, sumit.semwal, dri-devel, linux-kernel, linux-media,
	linaro-mm-sig

On Wed, Aug 18, 2021 at 03:25:59PM +0200, Christian König wrote:
> Am 18.08.21 um 15:02 schrieb Wentao_Liang:
> > In line 317 (#1), drm_gem_prime_import() is called, it will call
> > drm_gem_prime_import_dev(). At the end of the function
> > drm_gem_prime_import_dev() (line 956, #2), "dma_buf_put(dma_buf);" puts
> > dma_buf->file and may cause it to be released. However, after
> > drm_gem_prime_import() returning, the dma_buf may be put again by the
> > same put function in lines 342, 351 and 358 (#3, #4, #5). Putting the
> > dma_buf improperly more than once can lead to an incorrect dma_buf-
> > > file put.
> > We believe that the put of the dma_buf in the function
> > drm_gem_prime_import() is unnecessary (#2). We can fix the above bug by
> > removing the redundant "dma_buf_put(dma_buf);" in line 956.
> 
> Guys I'm getting tired of NAKing those incorrect reference count analysis.
> 
> The dma_buf_put() in the error handling of drm_gem_prime_import_dev()
> function is balanced with the get_dma_buf() in the same function directly
> above.
> 
> This is for the creating a GEM object for a DMA-buf imported from other
> device use case and certainly correct.
> 
> The various dma_buf_put() in drm_gem_prime_fd_to_handle() is balanced with
> the dma_buf_get(prime_fd) at the beginning of the function.
> 
> This is for extracting the DMA-buf from the file descriptor and keeping a
> reference to it while we are busy importing it (e.g. to prevent a race when
> somebody changes the fd at the same time).
> 
> As far as I can see this is correct as well.

Yeah the analysis is just high-grade nonsense. The current code looks
correct, the analysis presented here, not.
-Daniel


> 
> Regards,
> Christian.
> 
> > 
> >   314     if (dev->driver->gem_prime_import)
> >   315         obj = dev->driver->gem_prime_import(dev, dma_buf);
> >   316     else
> >   317         obj = drm_gem_prime_import(dev, dma_buf);
> >   				//#1 call to drm_gem_prime_import
> > 				//   ->drm_gem_prime_import_dev
> > 				//   ->dma_buf_put
> >   ...
> > 
> >   336     ret = drm_prime_add_buf_handle(&file_priv->prime,
> >   337             dma_buf, *handle);
> > 
> >   ...
> > 
> >   342     dma_buf_put(dma_buf);  //#3 put again
> >   343
> >   344     return 0;
> >   345
> >   346 fail:
> > 
> >   351     dma_buf_put(dma_buf); //#4 put again
> >   352     return ret;
> > 
> >   356 out_put:
> >   357     mutex_unlock(&file_priv->prime.lock);
> >   358     dma_buf_put(dma_buf);  //#5 put again
> >   359     return ret;
> >   360 }
> > 
> >   905 struct drm_gem_object *drm_gem_prime_import_dev
> >   							(struct drm_device *dev,
> >   906                         struct dma_buf *dma_buf,
> >   907                         struct device *attach_dev)
> >   908 {
> > 
> >   ...
> > 
> >   952 fail_unmap:
> >   953     dma_buf_unmap_attachment(attach, sgt, DMA_BIDIRECTIONAL);
> >   954 fail_detach:
> >   955     dma_buf_detach(dma_buf, attach);
> >   956     dma_buf_put(dma_buf);  //#2 the first put of dma_buf
> > 								//	 (unnecessary)
> >   957
> >   958     return ERR_PTR(ret);
> >   959 }
> > 
> > Signed-off-by: Wentao_Liang <Wentao_Liang_g@163.com>
> > ---
> >   drivers/gpu/drm/drm_prime.c | 1 -
> >   1 file changed, 1 deletion(-)
> > 
> > diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c
> > index 2a54f86856af..cef03ad0d5cd 100644
> > --- a/drivers/gpu/drm/drm_prime.c
> > +++ b/drivers/gpu/drm/drm_prime.c
> > @@ -953,7 +953,6 @@ struct drm_gem_object *drm_gem_prime_import_dev(struct drm_device *dev,
> >   	dma_buf_unmap_attachment(attach, sgt, DMA_BIDIRECTIONAL);
> >   fail_detach:
> >   	dma_buf_detach(dma_buf, attach);
> > -	dma_buf_put(dma_buf);
> >   	return ERR_PTR(ret);
> >   }
> 

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-08-18 14:07 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-18 13:02 [PATCH] drm/prime: fix a potential double put (release) bug Wentao_Liang
2021-08-18 13:25 ` Christian König
2021-08-18 14:07   ` Daniel Vetter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).