On 26. 12. 24 19:29, Al Viro wrote:
[please, review and test]

1) uses of dma_buf_get() are racy - as soon as a reference has been inserted
into descriptor table, it's fair game for dup2(), etc.; we can no longer count
upon that descriptor resolving to the same file. get_dma_buf() should be used
instead (and before the insertions into table, lest we get hit with
use-after-free).

2) there's no cleanup possible past the successful dma_buf_fd() - again, once
it's in descriptor table, that's it. Just do fd_install() when we are past
all failure exits.

As it is, failure in the second dma_buf_fd() leads to task->input->file
reference moved into descriptor table *and* dropped by dma_buf_put() from
snd_compr_task_free() after goto cleanup. I.e. a dangling pointer left in
descriptor table.

Frankly, dma_buf_fd() is an attractive nuisance - it's very easy to get wrong.

Fixes: 04177158cf98 "ALSA: compress_offload: introduce accel operation mode"
Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Hi,

I already made an almost similar patch:

https://lore.kernel.org/linux-sound/20241217100726.732863-1-perex@xxxxxxxx/

				Jaroslav

-- 
Jaroslav Kysela <perex@xxxxxxxx>
Linux Sound Maintainer; ALSA Project; Red Hat, Inc.
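The two ordering problems Al describes above (re-resolving a descriptor after it has been published, and installing a descriptor before all failure exits are behind us), modelled in userspace as an added example. This is not the kernel code and not either poster's patch: struct buf, table[], buf_get/buf_put/buf_fd/fd_reserve/fd_release/fd_install/fd_dup2 are stand-ins I made up to mirror get_dma_buf/dma_buf_put/dma_buf_fd/get_unused_fd_flags/put_unused_fd/fd_install/dup2, and the per-scenario table limit is an assumption used to make the second install fail the way a full descriptor table would.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model: struct buf stands in for a dma_buf, table[] for the
 * descriptor table. Memory is kept after the last put so that a slot still
 * pointing at a "freed" object can be detected. */
struct buf {
    int refcount;
    int freed;
};

#define MAX_FDS 4
static struct buf *table[MAX_FDS];
static int reserved[MAX_FDS];
static int table_limit = MAX_FDS;     /* slots available in the current scenario */

static struct buf *buf_new(void)
{
    struct buf *b = calloc(1, sizeof *b);
    b->refcount = 1;                  /* the creator's reference */
    return b;
}

static void buf_get(struct buf *b) { b->refcount++; }        /* ~ get_dma_buf() */

static void buf_put(struct buf *b)                           /* ~ dma_buf_put() */
{
    if (--b->refcount == 0)
        b->freed = 1;
}

static void table_reset(int limit)
{
    memset(table, 0, sizeof table);
    memset(reserved, 0, sizeof reserved);
    table_limit = limit;
}

/* ~ get_unused_fd_flags(): reserve a slot, -1 if full; nothing is visible yet. */
static int fd_reserve(void)
{
    for (int i = 0; i < table_limit; i++)
        if (!table[i] && !reserved[i]) {
            reserved[i] = 1;
            return i;
        }
    return -1;
}

static void fd_release(int fd) { reserved[fd] = 0; }          /* ~ put_unused_fd() */

/* ~ fd_install(): publish; from here on the slot belongs to the table. */
static void fd_install(int fd, struct buf *b)
{
    reserved[fd] = 0;
    table[fd] = b;
}

/* ~ dma_buf_fd(): reserve + install in one step, consuming the caller's
 * reference, with no way to back out once it has succeeded. */
static int buf_fd(struct buf *b)
{
    int fd = fd_reserve();
    if (fd >= 0)
        fd_install(fd, b);
    return fd;
}

/* Another thread's dup2(oldfd, newfd) on the shared table. */
static void fd_dup2(int oldfd, int newfd)
{
    buf_get(table[oldfd]);
    if (table[newfd])
        buf_put(table[newfd]);
    table[newfd] = table[oldfd];
}

/* Ordering criticised in the thread: install each buffer as soon as it exists;
 * when the second install fails, cleanup drops the task's references.
 * Returns 1 when slot 0 is left pointing at a freed object. */
static int early_install_leaves_dangling(void)
{
    struct buf *in, *out;

    table_reset(1);                          /* room for exactly one descriptor */
    in = buf_new();                          /* task->input: one reference */
    out = buf_new();                         /* task->output: one reference */
    if (buf_fd(in) < 0 || buf_fd(out) < 0) { /* second install fails: table full */
        buf_put(in);                         /* cleanup drops the task's refs... */
        buf_put(out);
    }
    return table[0] != NULL && table[0]->freed;  /* ...but slot 0 still holds `in` */
}

/* Ordering the fix adopts: reserve, take the table's own references, install
 * only past every failure exit. Returns 1 when no slot is dangling and no
 * reservation leaked, whether or not creation succeeded. */
static int late_install_is_clean(int limit)
{
    struct buf *in = buf_new(), *out = buf_new();
    int fd_in, fd_out, ok = 1;

    table_reset(limit);
    fd_in = fd_reserve();
    if (fd_in < 0)
        goto fail;
    fd_out = fd_reserve();
    if (fd_out < 0) {
        fd_release(fd_in);
        goto fail;
    }
    buf_get(in);                     /* table's references, taken before publishing */
    buf_get(out);
    fd_install(fd_in, in);           /* past all failure exits: no cleanup needed */
    fd_install(fd_out, out);
    goto check;
fail:
    buf_put(in);                     /* only the task's references are dropped */
    buf_put(out);
check:
    for (int i = 0; i < MAX_FDS; i++)
        if (reserved[i] || (table[i] && table[i]->freed))
            ok = 0;
    return ok;
}

/* Why looking a buffer up by fd after installing it is racy: once the slot is
 * visible another thread may dup2() over it. Returns 1 when the fd no longer
 * resolves to the object this thread installed. */
static int lookup_after_install_is_racy(void)
{
    struct buf *ours = buf_new(), *theirs = buf_new();
    int fd;

    table_reset(2);
    fd = buf_fd(ours);               /* slot 0 published */
    buf_fd(theirs);                  /* slot 1: some unrelated file */
    fd_dup2(1, fd);                  /* concurrent thread: dup2(1, 0) */
    return table[fd] != ours;
}

int main(void)
{
    printf("early install leaves dangling slot: %d\n", early_install_leaves_dangling());
    printf("late install clean (table full):    %d\n", late_install_is_clean(1));
    printf("late install clean (success):       %d\n", late_install_is_clean(2));
    printf("fd lookup after install is racy:    %d\n", lookup_after_install_is_racy());
    return 0;
}
```

The model deliberately never frees the objects, so a slot that still points at a buffer whose refcount reached zero is detectable instead of being undefined behaviour; in the kernel the same state is the dangling descriptor-table entry the commit message describes.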