Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1023659yba; Thu, 4 Apr 2019 02:39:49 -0700 (PDT) X-Google-Smtp-Source: APXvYqywtvZDENuh/2lg5UKn+zCtK6f2MPoD2O7uKO2UOMCCO+qSW1DjCItlpCA9WvlLl81JOQRv X-Received: by 2002:a17:902:2bc9:: with SMTP id l67mr5482246plb.102.1554370789680; Thu, 04 Apr 2019 02:39:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1554370789; cv=none; d=google.com; s=arc-20160816; b=Emu0Fo3pYHA1DEv7Ypph70wvFiUjBA4XZwQ522enXLSTyg9AI6WMo0omdPCtIAW3yD XuyQaqJME83BoUst8VMqRlUdY3LHzijJqY6chx9XAFYBnBvn9gU3ccVKV6PKjwl37N5h QrzTphosG25Ioi0ZmnjULSyOc8nyseemw0pTwC1TPbFExQxXvh1pJhDpJHxd9TcZzBOw 5gK+7eL9G2s9NLglq01PyVrK8hw0kNaNn0J/ZErMejNaYp5ctWnxVNc2UDYxNzC4HNQr mZO/FFrGtYND+ndRCeNpyvkCVBPFCLf8Wz0qdStWKhzWgoQB9KpdFXoXgr57w+KEy2fc J2lg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=TGZG5BZOww1vMdPPBf/fCVp5N157hieMF7Q1nK/0xL0=; b=emIjJY49wJgFRlU4G6mb2QBTrBCffIrlaTyx5GOhl21eJSRbj+t9+NLKwkxZCofl+F hNP8mJUa0AUwjiyxBlmU/od+kWWx/pcQhtWhQ+hgiiV1wDT1oCaq+AzVFKNz0XdeXvEV mEC+4/LkWvrBf4R3QQG18uwc88tRSHpDvSjo4FsEl8rV5hy2ZcazqAc4B9g6U+Elfddq jJ4TXNgTt/sDn4ssN5gz7LFTzSwtK/M5b9L2BoJ9zXRMuQf/1RcQ6yZVFu2ad8cGL2AO ZrkULmBh/5zunPiuAxw14ST/ctHDwOog4dGmmg61OingBsp1Si715K+5m1Vgain5VS2U ng5Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=CnDQ55CQ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c142si17030201pfb.32.2019.04.04.02.39.34; Thu, 04 Apr 2019 02:39:49 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=CnDQ55CQ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731860AbfDDJDt (ORCPT + 99 others); Thu, 4 Apr 2019 05:03:49 -0400 Received: from mail.kernel.org ([198.145.29.99]:41464 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731851AbfDDJDp (ORCPT ); Thu, 4 Apr 2019 05:03:45 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id BCA4721850; Thu, 4 Apr 2019 09:03:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1554368624; bh=dpdyESBbhPeqfPGG4buXc17mFskxugdils7vT/kw+j8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=CnDQ55CQxug1VA2UPN9Bi4PR8yD81xhE9OnmUIeFjegCNS607FK7m8agqAwzOxml9 t4cw/0jOEQTBTafoI6C3tM0+PIl+/ENU5jOmlFu9xd6bJ78PiKgPb+o93NkgEUZ8zJ gcgidlkzPSh51lZKSt48Riv4ssKAuojrCmsYmFTY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Oleksandr Andrushchenko , Juergen Gross , Sasha Levin Subject: [PATCH 4.19 092/187] xen/gntdev: Do not destroy context while dma-bufs are in use Date: Thu, 4 Apr 2019 10:47:09 +0200 Message-Id: <20190404084607.463631596@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190404084603.119654039@linuxfoundation.org> References: <20190404084603.119654039@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.19-stable review patch. If anyone has any objections, please let me know. ------------------ [ Upstream commit fa13e665e02874c0a5f4d06d6967ae34a6cb3d6a ] If there are exported DMA buffers which are still in use and grant device is closed by either normal user-space close or by a signal this leads to the grant device context to be destroyed, thus making it not possible to correctly destroy those exported buffers when they are returned back to gntdev and makes the module crash: [ 339.617540] [] dmabuf_exp_ops_release+0x40/0xa8 [ 339.617560] [] dma_buf_release+0x60/0x190 [ 339.617577] [] __fput+0x88/0x1d0 [ 339.617589] [] ____fput+0xc/0x18 [ 339.617607] [] task_work_run+0x9c/0xc0 [ 339.617622] [] do_notify_resume+0xfc/0x108 Fix this by referencing gntdev on each DMA buffer export and unreferencing on buffer release. Signed-off-by: Oleksandr Andrushchenko Reviewed-by: Boris Ostrovsky@oracle.com> Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin --- drivers/xen/gntdev-dmabuf.c | 12 +++++++++++- drivers/xen/gntdev-dmabuf.h | 2 +- drivers/xen/gntdev.c | 2 +- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/drivers/xen/gntdev-dmabuf.c b/drivers/xen/gntdev-dmabuf.c index cba6b586bfbd..d97fcfc5e558 100644 --- a/drivers/xen/gntdev-dmabuf.c +++ b/drivers/xen/gntdev-dmabuf.c @@ -80,6 +80,12 @@ struct gntdev_dmabuf_priv { struct list_head imp_list; /* This is the lock which protects dma_buf_xxx lists. */ struct mutex lock; + /* + * We reference this file while exporting dma-bufs, so + * the grant device context is not destroyed while there are + * external users alive. + */ + struct file *filp; }; /* DMA buffer export support. */ @@ -311,6 +317,7 @@ static void dmabuf_exp_release(struct kref *kref) dmabuf_exp_wait_obj_signal(gntdev_dmabuf->priv, gntdev_dmabuf); list_del(&gntdev_dmabuf->next); + fput(gntdev_dmabuf->priv->filp); kfree(gntdev_dmabuf); } @@ -423,6 +430,7 @@ static int dmabuf_exp_from_pages(struct gntdev_dmabuf_export_args *args) mutex_lock(&args->dmabuf_priv->lock); list_add(&gntdev_dmabuf->next, &args->dmabuf_priv->exp_list); mutex_unlock(&args->dmabuf_priv->lock); + get_file(gntdev_dmabuf->priv->filp); return 0; fail: @@ -834,7 +842,7 @@ long gntdev_ioctl_dmabuf_imp_release(struct gntdev_priv *priv, return dmabuf_imp_release(priv->dmabuf_priv, op.fd); } -struct gntdev_dmabuf_priv *gntdev_dmabuf_init(void) +struct gntdev_dmabuf_priv *gntdev_dmabuf_init(struct file *filp) { struct gntdev_dmabuf_priv *priv; @@ -847,6 +855,8 @@ struct gntdev_dmabuf_priv *gntdev_dmabuf_init(void) INIT_LIST_HEAD(&priv->exp_wait_list); INIT_LIST_HEAD(&priv->imp_list); + priv->filp = filp; + return priv; } diff --git a/drivers/xen/gntdev-dmabuf.h b/drivers/xen/gntdev-dmabuf.h index 7220a53d0fc5..3d9b9cf9d5a1 100644 --- a/drivers/xen/gntdev-dmabuf.h +++ b/drivers/xen/gntdev-dmabuf.h @@ -14,7 +14,7 @@ struct gntdev_dmabuf_priv; struct gntdev_priv; -struct gntdev_dmabuf_priv *gntdev_dmabuf_init(void); +struct gntdev_dmabuf_priv *gntdev_dmabuf_init(struct file *filp); void gntdev_dmabuf_fini(struct gntdev_dmabuf_priv *priv); diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c index b0b02a501167..9d8e02cfd480 100644 --- a/drivers/xen/gntdev.c +++ b/drivers/xen/gntdev.c @@ -600,7 +600,7 @@ static int gntdev_open(struct inode *inode, struct file *flip) mutex_init(&priv->lock); #ifdef CONFIG_XEN_GNTDEV_DMABUF - priv->dmabuf_priv = gntdev_dmabuf_init(); + priv->dmabuf_priv = gntdev_dmabuf_init(flip); if (IS_ERR(priv->dmabuf_priv)) { ret = PTR_ERR(priv->dmabuf_priv); kfree(priv); -- 2.19.1