linux/include
Daniel Vetter d0b2c5334f drm/prime: Always add exported buffers to the handle cache
... not only when the dma-buf is freshly created. In contrived
examples someone else could have exported/imported the dma-buf already
and handed us the gem object with a flink name. If such on object gets
reexported as a dma_buf we won't have it in the handle cache already,
which breaks the guarantee that for dma-buf imports we always hand
back an existing handle if there is one.

This is exercised by igt/prime_self_import/with_one_bo_two_files

Now if we extend the locked sections just a notch more we can also
plug th racy buf/handle cache setup in handle_to_fd:

If evil userspace races a concurrent gem close against a prime export
operation we can end up tearing down the gem handle before the dma buf
handle cache is set up. When handle_to_fd gets around to adding the
handle to the cache there will be no one left to clean it up,
effectily leaking the bo (and the dma-buf, since the handle cache
holds a ref on the dma-buf):

Thread A			Thread B

handle_to_fd:

lookup gem object from handle
creates new dma_buf

				gem_close on the same handle
				obj->dma_buf is set, but file priv buf
				handle cache has no entry

				obj->handle_count drops to 0

drm_prime_add_buf_handle sets up the handle cache

-> We have a dma-buf reference in the handle cache, but since the
handle_count of the gem object already dropped to 0 no on will clean
it up. When closing the drm device fd we'll hit the WARN_ON in
drm_prime_destroy_file_private.

The important change is to extend the critical section of the
filp->prime.lock to cover the gem handle lookup. This serializes with
a concurrent gem handle close.

This leak is exercised by igt/prime_self_import/export-vs-gem_close-race

Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2013-08-21 13:05:03 +10:00
..
acpi Revert "ACPI / video / i915: No ACPI backlight if firmware expects Windows 8" 2013-07-26 14:59:20 +02:00
asm-generic Merge branch 'cpuinit-delete' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux 2013-07-07 11:01:19 -07:00
clocksource clocksource: arch_timer: use virtual counters 2013-06-07 10:20:28 +01:00
crypto
drm drm/prime: Always add exported buffers to the handle cache 2013-08-21 13:05:03 +10:00
dt-bindings Pin control fixes for the v3.11 series: 2013-07-28 18:19:27 -07:00
keys
kvm ARM: KVM: Allow host virt timer irq to be different from guest timer virt irq 2013-06-26 10:50:02 -07:00
linux Merge tag 'drm-intel-next-2013-08-09' of git://people.freedesktop.org/~danvet/drm-intel into drm-next 2013-08-21 12:48:59 +10:00
math-emu
media [media] exynos4-is: Correct colorspace handling at FIMC-LITE 2013-06-28 15:33:27 -03:00
memory
misc
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-07-13 17:42:22 -07:00
pcmcia
ras
rdma Merge branches 'af_ib', 'cxgb4', 'misc', 'mlx5', 'ocrdma', 'qib' and 'srp' into for-next 2013-07-08 11:22:11 -07:00
rxrpc
scsi [SCSI] libiscsi: Added new boot entries in the session sysfs 2013-06-26 18:04:11 -07:00
sound ASoC: More updates for v3.11 2013-06-28 13:36:22 +02:00
target target: make queue_tm_rsp() return void 2013-07-07 18:36:53 -07:00
trace This contains fixes, optimizations and some clean ups 2013-07-22 19:07:24 -07:00
uapi Merge remote-tracking branch 'pfdo/drm-rcar-for-v3.12' into drm-next 2013-08-19 09:24:13 +10:00
video Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2013-07-09 16:04:31 -07:00
xen Merge branch 'for-3.11/drivers' of git://git.kernel.dk/linux-block 2013-07-22 19:02:52 -07:00
Kbuild