| From ef3a6b70507a2add2cd2e01f5eb9b54d561bacb9 Mon Sep 17 00:00:00 2001 |
| From: Charan Teja Reddy <quic_charante@quicinc.com> |
| Date: Tue, 10 May 2022 01:19:57 +0530 |
| Subject: dma-buf: call dma_buf_stats_setup after dmabuf is in valid list |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| From: Charan Teja Reddy <quic_charante@quicinc.com> |
| |
| commit ef3a6b70507a2add2cd2e01f5eb9b54d561bacb9 upstream. |
| |
| When dma_buf_stats_setup() fails, it closes the dmabuf file which |
| results into the calling of dma_buf_file_release() where it does |
| list_del(&dmabuf->list_node) with out first adding it to the proper |
| list. This is resulting into panic in the below path: |
| __list_del_entry_valid+0x38/0xac |
| dma_buf_file_release+0x74/0x158 |
| __fput+0xf4/0x428 |
| ____fput+0x14/0x24 |
| task_work_run+0x178/0x24c |
| do_notify_resume+0x194/0x264 |
| work_pending+0xc/0x5f0 |
| |
| Fix it by moving the dma_buf_stats_setup() after dmabuf is added to the |
| list. |
| |
| Fixes: bdb8d06dfefd ("dmabuf: Add the capability to expose DMA-BUF stats in sysfs") |
| Signed-off-by: Charan Teja Reddy <quic_charante@quicinc.com> |
| Tested-by: T.J. Mercier <tjmercier@google.com> |
| Acked-by: T.J. Mercier <tjmercier@google.com> |
| Cc: <stable@vger.kernel.org> # 5.15.x+ |
| Reviewed-by: Christian König <christian.koenig@amd.com> |
| Signed-off-by: Christian König <christian.koenig@amd.com> |
| Link: https://patchwork.freedesktop.org/patch/msgid/1652125797-2043-1-git-send-email-quic_charante@quicinc.com |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/dma-buf/dma-buf.c | 8 ++++---- |
| 1 file changed, 4 insertions(+), 4 deletions(-) |
| |
| --- a/drivers/dma-buf/dma-buf.c |
| +++ b/drivers/dma-buf/dma-buf.c |
| @@ -572,10 +572,6 @@ struct dma_buf *dma_buf_export(const str |
| file->f_mode |= FMODE_LSEEK; |
| dmabuf->file = file; |
| |
| - ret = dma_buf_stats_setup(dmabuf); |
| - if (ret) |
| - goto err_sysfs; |
| - |
| mutex_init(&dmabuf->lock); |
| INIT_LIST_HEAD(&dmabuf->attachments); |
| |
| @@ -583,6 +579,10 @@ struct dma_buf *dma_buf_export(const str |
| list_add(&dmabuf->list_node, &db_list.head); |
| mutex_unlock(&db_list.lock); |
| |
| + ret = dma_buf_stats_setup(dmabuf); |
| + if (ret) |
| + goto err_sysfs; |
| + |
| return dmabuf; |
| |
| err_sysfs: |