From: "Christian König" <ckoenig.leichtzumerken@gmail.com>
To: akpm@linux-foundation.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org, linaro-mm-sig@lists.linaro.org,
dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org,
chris@chris-wilson.co.uk, airlied@redhat.com, daniel@ffwll.ch,
sumit.semwal@linaro.org, willy@infradead.org,
jhubbard@nvidia.com, jgg@ziepe.ca, linmiaohe@huawei.com
Subject: [PATCH 1/2] mm: mmap: fix fput in error path v2
Date: Mon, 12 Oct 2020 10:52:02 +0200 [thread overview]
Message-ID: <20201012085203.56119-1-christian.koenig@amd.com> (raw)
Patch "495c10cc1c0c CHROMIUM: dma-buf: restore args..."
adds a workaround for a bug in mmap_region.
As the comment states ->mmap() callback can change
vma->vm_file and so we might call fput() on the wrong file.
Revert the workaround and proper fix this in mmap_region.
v2: drop the extra if in dma_buf_mmap as well
Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
---
drivers/dma-buf/dma-buf.c | 20 +++-----------------
mm/mmap.c | 2 +-
2 files changed, 4 insertions(+), 18 deletions(-)
diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index a6ba4d598f0e..08630d057cf2 100644
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -1143,9 +1143,6 @@ EXPORT_SYMBOL_GPL(dma_buf_end_cpu_access);
int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma,
unsigned long pgoff)
{
- struct file *oldfile;
- int ret;
-
if (WARN_ON(!dmabuf || !vma))
return -EINVAL;
@@ -1163,22 +1160,11 @@ int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma,
return -EINVAL;
/* readjust the vma */
- get_file(dmabuf->file);
- oldfile = vma->vm_file;
- vma->vm_file = dmabuf->file;
+ fput(vma->vm_file);
+ vma->vm_file = get_file(dmabuf->file);
vma->vm_pgoff = pgoff;
- ret = dmabuf->ops->mmap(dmabuf, vma);
- if (ret) {
- /* restore old parameters on failure */
- vma->vm_file = oldfile;
- fput(dmabuf->file);
- } else {
- if (oldfile)
- fput(oldfile);
- }
- return ret;
-
+ return dmabuf->ops->mmap(dmabuf, vma);
}
EXPORT_SYMBOL_GPL(dma_buf_mmap);
diff --git a/mm/mmap.c b/mm/mmap.c
index 40248d84ad5f..3a2670d73355 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1852,8 +1852,8 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
return addr;
unmap_and_free_vma:
+ fput(vma->vm_file);
vma->vm_file = NULL;
- fput(file);
/* Undo any partial mapping done by a device driver. */
unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
--
2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: "Christian König" <ckoenig.leichtzumerken@gmail.com>
To: akpm@linux-foundation.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org, linaro-mm-sig@lists.linaro.org,
dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org,
chris@chris-wilson.co.uk, airlied@redhat.com, daniel@ffwll.ch,
sumit.semwal@linaro.org, willy@infradead.org,
jhubbard@nvidia.com, jgg@ziepe.ca, linmiaohe@huawei.com
Subject: [PATCH 1/2] mm: mmap: fix fput in error path v2
Date: Mon, 12 Oct 2020 10:52:02 +0200 [thread overview]
Message-ID: <20201012085203.56119-1-christian.koenig@amd.com> (raw)
Patch "495c10cc1c0c CHROMIUM: dma-buf: restore args..."
adds a workaround for a bug in mmap_region.
As the comment states ->mmap() callback can change
vma->vm_file and so we might call fput() on the wrong file.
Revert the workaround and proper fix this in mmap_region.
v2: drop the extra if in dma_buf_mmap as well
Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
---
drivers/dma-buf/dma-buf.c | 20 +++-----------------
mm/mmap.c | 2 +-
2 files changed, 4 insertions(+), 18 deletions(-)
diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index a6ba4d598f0e..08630d057cf2 100644
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -1143,9 +1143,6 @@ EXPORT_SYMBOL_GPL(dma_buf_end_cpu_access);
int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma,
unsigned long pgoff)
{
- struct file *oldfile;
- int ret;
-
if (WARN_ON(!dmabuf || !vma))
return -EINVAL;
@@ -1163,22 +1160,11 @@ int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma,
return -EINVAL;
/* readjust the vma */
- get_file(dmabuf->file);
- oldfile = vma->vm_file;
- vma->vm_file = dmabuf->file;
+ fput(vma->vm_file);
+ vma->vm_file = get_file(dmabuf->file);
vma->vm_pgoff = pgoff;
- ret = dmabuf->ops->mmap(dmabuf, vma);
- if (ret) {
- /* restore old parameters on failure */
- vma->vm_file = oldfile;
- fput(dmabuf->file);
- } else {
- if (oldfile)
- fput(oldfile);
- }
- return ret;
-
+ return dmabuf->ops->mmap(dmabuf, vma);
}
EXPORT_SYMBOL_GPL(dma_buf_mmap);
diff --git a/mm/mmap.c b/mm/mmap.c
index 40248d84ad5f..3a2670d73355 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1852,8 +1852,8 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
return addr;
unmap_and_free_vma:
+ fput(vma->vm_file);
vma->vm_file = NULL;
- fput(file);
/* Undo any partial mapping done by a device driver. */
unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
--
2.17.1
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
next reply other threads:[~2020-10-12 8:52 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-12 8:52 Christian König [this message]
2020-10-12 8:52 ` [PATCH 1/2] mm: mmap: fix fput in error path v2 Christian König
2020-10-12 8:52 ` [PATCH 2/2] mm: introduce vma_set_file function v4 Christian König
2020-10-12 8:52 ` Christian König
2020-10-12 12:15 ` kernel test robot
2020-10-12 12:15 ` kernel test robot
2020-10-12 12:15 ` kernel test robot
2020-10-12 14:08 ` kernel test robot
2020-10-12 14:08 ` kernel test robot
2020-10-12 14:08 ` kernel test robot
2020-10-12 14:22 ` kernel test robot
2020-10-12 14:22 ` kernel test robot
2020-10-12 14:22 ` kernel test robot
2020-10-16 16:13 ` Jason Gunthorpe
2020-10-16 16:13 ` Jason Gunthorpe
2020-10-16 16:13 ` [PATCH 1/2] mm: mmap: fix fput in error path v2 Jason Gunthorpe
2020-10-16 16:13 ` Jason Gunthorpe
2020-11-04 8:03 ` Christian König
2020-11-04 8:03 ` Christian König
2020-11-06 11:48 cleanup a fix and add the vma_set_file function Christian König
2020-11-06 11:48 ` [PATCH 1/2] mm: mmap: fix fput in error path v2 Christian König
2020-11-06 11:48 ` Christian König
2020-11-06 22:48 ` Andrew Morton
2020-11-06 22:48 ` Andrew Morton
2020-11-18 10:57 ` Christian König
2020-11-18 10:57 ` Christian König
2020-11-18 22:27 ` Andrew Morton
2020-11-18 22:27 ` Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201012085203.56119-1-christian.koenig@amd.com \
--to=ckoenig.leichtzumerken@gmail.com \
--cc=airlied@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=chris@chris-wilson.co.uk \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=jgg@ziepe.ca \
--cc=jhubbard@nvidia.com \
--cc=linaro-mm-sig@lists.linaro.org \
--cc=linmiaohe@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=sumit.semwal@linaro.org \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.