On 26. 12. 24 19:29, Al Viro wrote:
> [please, review and test]
> 1) uses of dma_buf_get() are racy - as soon as a reference has been inserted
> into descriptor table, it's fair game for dup2(), etc.; we can no longer
> count upon that descriptor resolving to the same file. get_dma_buf() should
> be used instead (and before the insertions into table, lest we get hit with
> use-after-free).
> 2) there's no cleanup possible past the successful dma_buf_fd() - again,
> once it's in descriptor table, that's it. Just do fd_install() when
> we are past all failure exits. As it is, failure in the second
> dma_buf_fd() leads to task->input->file reference moved into
> descriptor table *and* dropped by dma_buf_put() from snd_compr_task_free()
> after goto cleanup. I.e. a dangling pointer left in descriptor table.
> Frankly, dma_buf_fd() is an attractive nuisance - it's very easy to get
> wrong.
> Fixes: 04177158cf98 "ALSA: compress_offload: introduce accel operation mode"
> Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Hi,
I already made an almost similar patch:
https://lore.kernel.org/linux-sound/20241217100726.732863-1-perex@xxxxxxxx/
Jaroslav
--
Jaroslav Kysela <perex@xxxxxxxx>
Linux Sound Maintainer; ALSA Project; Red Hat, Inc.
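The two points in the quoted description (take the table's own reference with get_dma_buf() before the descriptor is visible, and fd_install() only after the last failure exit) are easiest to see in a runnable model. The following is an added userspace example, not code from Al Viro's patch, Jaroslav's patch or the kernel: it replaces the descriptor table with a two-slot array, the struct file reference with a refcounted struct dma_buf whose "freed" flag stands in for the actual free, and the kernel helpers with hypothetical look-alikes (dma_buf_fd_model(), dma_buf_export_model(), task_free()). The ordering and the refcounting are what the example demonstrates; the names are assumptions.

```c
/* Userspace model of the fd ordering bug discussed above (added example,
 * hypothetical names, not kernel code). */
#include <stddef.h>

#define FD_TABLE_SIZE 2
#define FD_RESERVED ((struct dma_buf *)-1) /* slot reserved, nothing installed */

struct dma_buf {
	int refcnt;
	int freed; /* set when the last reference goes, instead of freeing */
};

static struct dma_buf *fdtable[FD_TABLE_SIZE];
static struct dma_buf other = { 1, 0 }; /* an unrelated open file */
static struct dma_buf pool[2];          /* buffers created per run */
static int npool;

/* Fill all but `free_slots` table entries with an unrelated file. */
static void setup_table(int free_slots)
{
	for (int i = 0; i < FD_TABLE_SIZE; i++)
		fdtable[i] = i < FD_TABLE_SIZE - free_slots ? &other : NULL;
	npool = 0;
}

static struct dma_buf *dma_buf_export_model(void)
{
	struct dma_buf *b = &pool[npool++];
	b->refcnt = 1; /* the creator's reference */
	b->freed = 0;
	return b;
}

static void get_dma_buf(struct dma_buf *b) { b->refcnt++; }
static void dma_buf_put(struct dma_buf *b) { if (--b->refcnt == 0) b->freed = 1; }

static int get_unused_fd(void)
{
	for (int i = 0; i < FD_TABLE_SIZE; i++)
		if (!fdtable[i]) { fdtable[i] = FD_RESERVED; return i; }
	return -1; /* -EMFILE in the kernel */
}
static void put_unused_fd(int fd) { fdtable[fd] = NULL; }
static void fd_install(int fd, struct dma_buf *b) { fdtable[fd] = b; }

/* Same shape as dma_buf_fd(): reserve and install in one step, so the table
 * owns the entry as soon as this returns and the caller cannot take it back. */
static int dma_buf_fd_model(struct dma_buf *b)
{
	int fd = get_unused_fd();
	if (fd < 0)
		return fd;
	fd_install(fd, b);
	return fd;
}

struct task { struct dma_buf *input, *output; };

static void task_free(struct task *t) /* stands in for snd_compr_task_free() */
{
	dma_buf_put(t->input);
	dma_buf_put(t->output);
}

/* Table entries that point at a buffer whose last reference is already gone. */
int dangling_entries(void)
{
	int n = 0;
	for (int i = 0; i < FD_TABLE_SIZE; i++)
		if (fdtable[i] && fdtable[i] != FD_RESERVED && fdtable[i]->freed)
			n++;
	return n;
}

int table_refcnt(int fd) { return fdtable[fd]->refcnt; }

/* Before: install each buffer as soon as its fd exists. When the second
 * dma_buf_fd_model() fails, cleanup drops the only reference to input while
 * fdtable[] still points at it. Returns -1 on failure, 0 on success. */
int create_task_buggy(int free_slots)
{
	struct task t;
	setup_table(free_slots);
	t.input = dma_buf_export_model();
	t.output = dma_buf_export_model();
	if (dma_buf_fd_model(t.input) < 0)
		goto cleanup;
	if (dma_buf_fd_model(t.output) < 0)
		goto cleanup;
	return 0;
cleanup:
	task_free(&t);
	return -1;
}

/* After: reserve both fds, take the table's own references, and install only
 * past the last failure exit, so put_unused_fd() fully undoes a failure. */
int create_task_fixed(int free_slots)
{
	struct task t;
	int fd_in, fd_out;
	setup_table(free_slots);
	t.input = dma_buf_export_model();
	t.output = dma_buf_export_model();
	fd_in = get_unused_fd();
	if (fd_in < 0)
		goto cleanup;
	fd_out = get_unused_fd();
	if (fd_out < 0)
		goto put_in;
	get_dma_buf(t.input);
	get_dma_buf(t.output);
	fd_install(fd_in, t.input);
	fd_install(fd_out, t.output);
	return 0;
put_in:
	put_unused_fd(fd_in);
cleanup:
	task_free(&t);
	return -1;
}
```

With one free slot, create_task_buggy(1) fails at the second fd and leaves one dangling table entry (dangling_entries() == 1), whereas create_task_fixed(1) fails at the second reservation, releases the first with put_unused_fd() and leaves none; with two free slots the fixed path succeeds and each installed buffer carries two references, one for the task and one for the table, so neither dma_buf_put() can free it behind the other's back.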