From: Laura Abbott <labbott@redhat.com>
To: Colin Cross <ccross@android.com>
Cc: "Shawn Lin" <shawn.lin@rock-chips.com>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Arve Hjønnevåg" <arve@android.com>,
"Riley Andrews" <riandrews@android.com>,
"John Stultz" <john.stultz@linaro.org>,
lkml <linux-kernel@vger.kernel.org>,
"devel@driverdev.osuosl.org" <devel@driverdev.osuosl.org>
Subject: Re: [PATCH] staging: ion: fix corruption of ion_import_dma_buf
Date: Thu, 10 Sep 2015 09:44:28 -0700 [thread overview]
Message-ID: <55F1B36C.1050605@redhat.com> (raw)
In-Reply-To: <CAMbhsRSC9t303es=5h9OjgKwbETGqZHp9RtFediASC+FNdDTHQ@mail.gmail.com>
On 09/09/2015 10:41 PM, Colin Cross wrote:
> On Wed, Sep 9, 2015 at 10:19 AM, Laura Abbott <labbott@redhat.com> wrote:
>> (adding Colin and John)
>>
>>
>> On 09/09/2015 12:41 AM, Shawn Lin wrote:
>>>
>>> we found this issue but still exit in lastest kernel. Simply
>>> keep ion_handle_create under mutex_lock to avoid this race.
>>>
>>> WARNING: CPU: 2 PID: 2648 at drivers/staging/android/ion/ion.c:512
>>> ion_handle_add+0xb4/0xc0()
>>> ion_handle_add: buffer already found.
>>> Modules linked in: iwlmvm iwlwifi mac80211 cfg80211 compat
>>> CPU: 2 PID: 2648 Comm: TimedEventQueue Tainted: G W 3.14.0 #7
>>> 00000000 00000000 9a3efd2c 80faf273 9a3efd6c 9a3efd5c 80935dc9 811d7fd3
>>> 9a3efd88 00000a58 812208a0 00000200 80e128d4 80e128d4 8d4ae00c a8cd8600
>>> a8cd8094 9a3efd74 80935e0e 00000009 9a3efd6c 811d7fd3 9a3efd88 9a3efd9c
>>> Call Trace:
>>> [<80faf273>] dump_stack+0x48/0x69
>>> [<80935dc9>] warn_slowpath_common+0x79/0x90
>>> [<80e128d4>] ? ion_handle_add+0xb4/0xc0
>>> [<80e128d4>] ? ion_handle_add+0xb4/0xc0
>>> [<80935e0e>] warn_slowpath_fmt+0x2e/0x30
>>> [<80e128d4>] ion_handle_add+0xb4/0xc0
>>> [<80e144cc>] ion_import_dma_buf+0x8c/0x110
>>> [<80c517c4>] reg_init+0x364/0x7d0
>>> [<80993363>] ? futex_wait+0x123/0x210
>>> [<80992e0e>] ? get_futex_key+0x16e/0x1e0
>>> [<8099308f>] ? futex_wake+0x5f/0x120
>>> [<80c51e19>] vpu_service_ioctl+0x1e9/0x500
>>> [<80994aec>] ? do_futex+0xec/0x8e0
>>> [<80971080>] ? prepare_to_wait_event+0xc0/0xc0
>>> [<80c51c30>] ? reg_init+0x7d0/0x7d0
>>> [<80a22562>] do_vfs_ioctl+0x2d2/0x4c0
>>> [<80b198ad>] ? inode_has_perm.isra.41+0x2d/0x40
>>> [<80b199cf>] ? file_has_perm+0x7f/0x90
>>> [<80b1a5f7>] ? selinux_file_ioctl+0x47/0xf0
>>> [<80a227a8>] SyS_ioctl+0x58/0x80
>>> [<80fb45e8>] syscall_call+0x7/0x7
>>> [<80fb0000>] ? mmc_do_calc_max_discard+0xab/0xe4
>>>
>>> Fixes: 83271f626 ("ion: hold reference to handle...")
>>> Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
>>> ---
>>>
>>> drivers/staging/android/ion/ion.c | 6 +++---
>>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/drivers/staging/android/ion/ion.c
>>> b/drivers/staging/android/ion/ion.c
>>> index eec878e..32e7b5c 100644
>>> --- a/drivers/staging/android/ion/ion.c
>>> +++ b/drivers/staging/android/ion/ion.c
>>> @@ -1179,13 +1179,13 @@ struct ion_handle *ion_import_dma_buf(struct
>>> ion_client *client, int fd)
>>> mutex_unlock(&client->lock);
>>> goto end;
>>> }
>>> - mutex_unlock(&client->lock);
>>>
>>> handle = ion_handle_create(client, buffer);
>>> - if (IS_ERR(handle))
>>> + if (IS_ERR(handle)) {
>>> + mutex_unlock(&client->lock);
>>> goto end;
>>> + }
>>>
>>> - mutex_lock(&client->lock);
>>> ret = ion_handle_add(client, handle);
>>> mutex_unlock(&client->lock);
>>> if (ret) {
>>>
>>
>> So the patch looks correct but the locking change there seems like it was
>> added
>> deliberately. Colin/John, do you remember why the locking for
>> ion_import_dma_buf
>> changed? Was there a deadlock condition somewhere?
>>
>> Thanks,
>> Laura
>
> I can't see any reason to not hold the mutex across ion_handle_create.
> The patch that introduced the bug
> (83271f6262c91a49df325c52bec8f00f4de294ca, ion: hold reference to
> handle after ion_uhandle_get) required that the mutex not be held
> around the call to ion_handle_put, but didn't affect
> ion_handle_create.
Thanks for confirming. With that,
Reviewed-by: Laura Abbott <labbott@redhat.com>
next prev parent reply other threads:[~2015-09-10 16:44 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-09 7:41 [PATCH] staging: ion: fix corruption of ion_import_dma_buf Shawn Lin
2015-09-09 17:19 ` Laura Abbott
2015-09-10 5:41 ` Colin Cross
2015-09-10 16:44 ` Laura Abbott [this message]
2015-09-10 23:51 ` Shawn Lin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55F1B36C.1050605@redhat.com \
--to=labbott@redhat.com \
--cc=arve@android.com \
--cc=ccross@android.com \
--cc=devel@driverdev.osuosl.org \
--cc=gregkh@linuxfoundation.org \
--cc=john.stultz@linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=riandrews@android.com \
--cc=shawn.lin@rock-chips.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.