Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp1159447pxv;
        Fri, 23 Jul 2021 01:00:07 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwgBZRwA8fXyLP0WtUtDyGqj/7OlUvk5DZLyxHyfwaumEm+aJEF1uaeUlgMXXqvKymkKjA2
X-Received: by 2002:a05:6e02:2188:: with SMTP id j8mr2756695ila.14.1627027207633;
        Fri, 23 Jul 2021 01:00:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1627027207; cv=none;
        d=google.com; s=arc-20160816;
        b=LeS9as5xV0dcuX7plm55/reNv9W1M1XfMVfYHGaCXgH2/7VT2qx8YYayj8bocw96Lv
         OCG0+GoHcyS7mHota708iTm1IeuqQ7jXWyoj2/5UZbjZTI/T5WoPw2ErXE1XfAglqfVG
         L+2oWvkqrdc6ImCQDWDnR6crs+3o+tzMgu0mHv1AUgkfFBHNg8iyLEvg8iuW7W1cupUH
         zuVh2kG98w8KyaAo1rCC1RxPA1PdgTU0V/kFhyxspk+mIGr/hFrxaISUiDnQQm8L7/f/
         85R/6JCb5U6gqAmOgWHxLHf5mWxC2GQ0HGCTw5f876fkrBb0DmssTjKgrTyLE8b1CBn4
         NO0w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from;
        bh=uFKlL8MLYSSPNe+j1vDS4tLdXrsalqU7AncR1cSC1ok=;
        b=L877/lu/YdkedkFhq5iZ7Gl3jkxdI4IqFwdRWHJ2orNwyCuTXq0MODj8FA0FScvCOW
         dLRqR+qXcQvVM1BNcFOnEMMzYyapFbwhiHb7hTXpeaNYLcYG+EDD/WOAYH/D4ZrVB1X7
         swxYsUsNaonz458tMqWuPPaaX9jByYGYJ4hnBUWsU18KrjpWQGZ823qJzPsJo0FuU21m
         vqpV6tMZPntDHb6SZQsD3nZeYJh2KqKH4fMNE3YDAe3F7tSxz/VLTQ3yYNdG3kBfHVsR
         Et1tsmPAx0I03Rx1l72tvdH/cAP9z08oxs3Fscnl6IcKaCiuB7fjkOycjioDZSjCSma2
         5wFA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id x7si21196056iol.77.2021.07.23.00.59.55;
        Fri, 23 Jul 2021 01:00:07 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234202AbhGWHS1 (ORCPT <rfc822;linux.oss.ml@gmail.com>
        + 99 others); Fri, 23 Jul 2021 03:18:27 -0400
Received: from mail.netline.ch ([148.251.143.180]:36048 "EHLO
        netline-mail3.netline.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233291AbhGWHS0 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 23 Jul 2021 03:18:26 -0400
Received: from localhost (localhost [127.0.0.1])
        by netline-mail3.netline.ch (Postfix) with ESMTP id B409920201B;
        Fri, 23 Jul 2021 09:58:58 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at netline-mail3.netline.ch
Received: from netline-mail3.netline.ch ([127.0.0.1])
        by localhost (netline-mail3.netline.ch [127.0.0.1]) (amavisd-new, port 10024)
        with LMTP id QA7ph4I77QHY; Fri, 23 Jul 2021 09:58:58 +0200 (CEST)
Received: from kaveri (24.99.2.85.dynamic.wline.res.cust.swisscom.ch [85.2.99.24])
        by netline-mail3.netline.ch (Postfix) with ESMTPA id 6202F20201A;
        Fri, 23 Jul 2021 09:58:58 +0200 (CEST)
Received: from daenzer by kaveri with local (Exim 4.94.2)
        (envelope-from <michel@daenzer.net>)
        id 1m6q5B-00014N-F3; Fri, 23 Jul 2021 09:58:57 +0200
From:   =?UTF-8?q?Michel=20D=C3=A4nzer?= <michel@daenzer.net>
To:     =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
Cc:     Sumit Semwal <sumit.semwal@linaro.org>,
        dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org,
        linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org
Subject: [PATCH] dma-buf/poll: Get a file reference for outstanding fence callbacks
Date:   Fri, 23 Jul 2021 09:58:57 +0200
Message-Id: <20210723075857.4065-1-michel@daenzer.net>
X-Mailer: git-send-email 2.32.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Michel Dänzer <mdaenzer@redhat.com>

This makes sure we don't hit the

	BUG_ON(dmabuf->cb_in.active || dmabuf->cb_out.active);

in dma_buf_release, which could be triggered by user space closing the
dma-buf file description while there are outstanding fence callbacks
from dma_buf_poll.

Cc: stable@vger.kernel.org
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
---
 drivers/dma-buf/dma-buf.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index 6c520c9bd93c..ec25498a971f 100644
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -65,12 +65,9 @@ static void dma_buf_release(struct dentry *dentry)
 	BUG_ON(dmabuf->vmapping_counter);
 
 	/*
-	 * Any fences that a dma-buf poll can wait on should be signaled
-	 * before releasing dma-buf. This is the responsibility of each
-	 * driver that uses the reservation objects.
-	 *
-	 * If you hit this BUG() it means someone dropped their ref to the
-	 * dma-buf while still having pending operation to the buffer.
+	 * If you hit this BUG() it could mean:
+	 * * There's a file reference imbalance in dma_buf_poll / dma_buf_poll_cb or somewhere else
+	 * * dmabuf->cb_in/out.active are non-0 despite no pending fence callback
 	 */
 	BUG_ON(dmabuf->cb_in.active || dmabuf->cb_out.active);
 
@@ -196,6 +193,7 @@ static loff_t dma_buf_llseek(struct file *file, loff_t offset, int whence)
 static void dma_buf_poll_cb(struct dma_fence *fence, struct dma_fence_cb *cb)
 {
 	struct dma_buf_poll_cb_t *dcb = (struct dma_buf_poll_cb_t *)cb;
+	struct dma_buf *dmabuf = container_of(dcb->poll, struct dma_buf, poll);
 	unsigned long flags;
 
 	spin_lock_irqsave(&dcb->poll->lock, flags);
@@ -203,6 +201,8 @@ static void dma_buf_poll_cb(struct dma_fence *fence, struct dma_fence_cb *cb)
 	dcb->active = 0;
 	spin_unlock_irqrestore(&dcb->poll->lock, flags);
 	dma_fence_put(fence);
+	/* Paired with get_file in dma_buf_poll */
+	fput(dmabuf->file);
 }
 
 static bool dma_buf_poll_shared(struct dma_resv *resv,
@@ -278,6 +278,9 @@ static __poll_t dma_buf_poll(struct file *file, poll_table *poll)
 		spin_unlock_irq(&dmabuf->poll.lock);
 
 		if (events & EPOLLOUT) {
+			/* Paired with fput in dma_buf_poll_cb */
+			get_file(dmabuf->file);
+
 			if (!dma_buf_poll_shared(resv, dcb) &&
 			    !dma_buf_poll_excl(resv, dcb))
 				/* No callback queued, wake up any other waiters */
@@ -299,6 +302,9 @@ static __poll_t dma_buf_poll(struct file *file, poll_table *poll)
 		spin_unlock_irq(&dmabuf->poll.lock);
 
 		if (events & EPOLLIN) {
+			/* Paired with fput in dma_buf_poll_cb */
+			get_file(dmabuf->file);
+
 			if (!dma_buf_poll_excl(resv, dcb))
 				/* No callback queued, wake up any other waiters */
 				dma_buf_poll_cb(NULL, &dcb->cb);
-- 
2.32.0