On Thu, Dec 26, 2024 at 09:31:22PM +0000, Al Viro wrote: > On Thu, Dec 26, 2024 at 08:00:18PM +0100, Jaroslav Kysela wrote: > > > I already made almost similar patch: > > > > https://lore.kernel.org/linux-sound/20241217100726.732863-1-perex@xxxxxxxx/ > > Umm... The only problem with your variant is that dma_buf_get() > is wrong here - it should be get_dma_buf() on actual objects, > and it should be done before fd_install(). Incremental on top of what just got merged into mainline: Grab the references to dmabuf before moving them into descriptor table - trying to do that by descriptor afterwards might end up getting a different object, with a dangling reference left in task->{input,output} Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx> --- diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c index edf5aadf38e5..543c7f525f84 100644 --- a/sound/core/compress_offload.c +++ b/sound/core/compress_offload.c @@ -1053,13 +1053,13 @@ static int snd_compr_task_new(struct snd_compr_stream *stream, struct snd_compr_ put_unused_fd(fd_i); goto cleanup; } + /* keep dmabuf reference until freed with task free ioctl */ + get_dma_buf(task->input); + get_dma_buf(task->output); fd_install(fd_i, task->input->file); fd_install(fd_o, task->output->file); utask->input_fd = fd_i; utask->output_fd = fd_o; - /* keep dmabuf reference until freed with task free ioctl */ - dma_buf_get(utask->input_fd); - dma_buf_get(utask->output_fd); list_add_tail(&task->list, &stream->runtime->tasks); stream->runtime->total_tasks++; return 0;
