From mboxrd@z Thu Jan  1 00:00:00 1970
From: Al Viro <viro@ZenIV.linux.org.uk>
Subject: [RFC] deadlock in "drm/exynos: fix wrong pointer access at vm close"
Date: Sun, 22 Sep 2013 22:29:11 +0100
Message-ID: <20130922212911.GU13318@ZenIV.linux.org.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org>
Received: from ZenIV.linux.org.uk (zeniv.linux.org.uk [195.92.253.2])
	by gabe.freedesktop.org (Postfix) with ESMTP id B8DD5E612E
	for <dri-devel@lists.freedesktop.org>;
	Sun, 22 Sep 2013 15:30:44 -0700 (PDT)
Content-Disposition: inline
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Sender: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
Errors-To: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
To: YoungJun Cho <yj44.cho@samsung.com>
Cc: dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org

	You have drm_dev->struct_mutex grabbed before ->mmap_sem in
exynos_drm_gem_mmap_ioctl() and after - in exynos_drm_gem_fault()
(since ->fault() is always called with ->mmap_sem held).  Looks like
a garden-variety AB-BA deadlock...

	Incidentally, what should happen if another process shares the
same opened file (e.g. inherited over fork()) and does mmap() just
as we have ->f_op switched?