dma_buf_put() may drop the final file reference via fput(), which can free the dma-buf. The new tracepoint invocation was added after fput(), and DMA_BUF_TRACE() dereferences dmabuf and takes dmabuf->name_lock.
This leads to a use-after-free on the final put, visible for example as a spinlock bad magic fault on a poisoned 0x6b6b6b... lock.
Move the dma_buf_put tracepoint before fput().
Reported-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
Fixes: 281a22631423 ("dma-buf: add some tracepoints to debug.")
Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
Cc: Xiang Gao <gaoxiang17@xiaomi.com>
Cc: Christian König <christian.koenig@amd.com>
---
Hi,
I believe this patch fixes the issue reported by Janusz; I haven't tested it. Perhaps we can add some more checks in DMA_BUF_TRACE.
Thanks, Andi
drivers/dma-buf/dma-buf.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index a202a308c079..b72932c57cb9 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -845,9 +845,8 @@ void dma_buf_put(struct dma_buf *dmabuf) if (WARN_ON(!dmabuf || !dmabuf->file)) return;
- fput(dmabuf->file); - DMA_BUF_TRACE(trace_dma_buf_put, dmabuf); + fput(dmabuf->file); } EXPORT_SYMBOL_NS_GPL(dma_buf_put, "DMA_BUF");
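Review bot: the reordering is correct, since dmabuf is only guaranteed to be alive before fput() drops what may be the final reference, but the commit message should state explicitly that trace_dma_buf_put now fires before the reference is dropped rather than after it, so anyone correlating the trace event with the buffer's actual release understands the changed ordering. Since the cover letter says the change is untested, a Tested-by from Janusz, who reported the poisoned 0x6b6b6b... lock fault, would be worth collecting before merging; the extra checks in DMA_BUF_TRACE mentioned in the cover letter belong in a separate patch so this one stays a minimal, easily backportable fix for the use-after-free.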