Hi,
I think I discovered an interesting issue with dma_buf.
I found out that dma_buf_fd does not increase reference
count for dma_buf::file. This leads to potential kernel
crash triggered by user space. Please, take a look on
the scenario below:
The applications spawns two thread. One of them is exporting DMABUF.
Thread I | Thread II | Comments
-----------------------+-------------------+-----------------------------------
dbuf = dma_buf_export | | dma_buf is creates, refcount is 1
fd = dma_buf_fd(dbuf) | | assume fd is set to 42, refcount is still 1
| close(42) | The file descriptor is closed asynchronously, dbuf's refcount drops to 0
| dma_buf_release | dbuf structure is freed, dbuf becomes a dangling pointer
int size = dbuf->size; | | the dbuf is dereferenced, causing a kernel crash
-----------------------+-------------------+-----------------------------------
I think that the problem could be fixed in two ways.
a) forcing driver developer to call get_dma_buf just before calling dma_buf_fd.
b) increasing dma_buf->file's reference count at dma_buf_fd
I prefer solution (b) because it prevents symmetry between dma_buf_fd and close.
I mean that dma_buf_fd increases reference count, close decreases it.
What is your opinion about the issue?
Regards,
Tomasz Stanislawski
On 03/16/2012 05:04 PM, Rob Clark wrote:
> From: Rob Clark <rob@xxxxxx>
>
> Works in a similar way to get_file(), and is needed in cases such as
> when the exporter needs to also keep a reference to the dmabuf (that
> is later released with a dma_buf_put()), and possibly other similar
> cases.
>
> Signed-off-by: Rob Clark <rob@xxxxxx>
> ---
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
