From: Dmitry Antipov <dmantipov@yandex.ru>
To: "Christian König" <christian.koenig@amd.com>,
"Sumit Semwal" <sumit.semwal@linaro.org>
Cc: linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org,
lvc-project@linuxtesting.org,
syzbot+5d4cb6b4409edfd18646@syzkaller.appspotmail.com,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH] [RFC] dma-buf: fix race condition between poll and close
Date: Fri, 3 May 2024 10:07:11 +0300
Message-ID: <d5866bd9-299c-45be-93ac-98960de1c91e@yandex.ru>
In-Reply-To: <72f5f1b8-ca5b-4207-9ac9-95b60c607f3a@amd.com>

On 4/24/24 2:28 PM, Christian König wrote:
> I don't fully understand how that happens either, it could be that there is some bug in the EPOLL_FD code. Maybe it's a race when the EPOLL file descriptor is closed or something like that.

IIUC the race condition looks like the following:

Thread 0                              Thread 1
-> do_epoll_ctl()
   f_count++, now 2
   ...
   ...                                -> vfs_poll(), f_count == 2
   ...                                   ...
<- do_epoll_ctl()                        ...
   f_count--, now 1                      ...
-> filp_close(), f_count == 1            ...
   ...                                -> dma_buf_poll(), f_count == 1
   -> fput()                             ... [*** race window ***]
      f_count--, now 0                   -> maybe get_file(), now ???
   -> __fput() (delayed)

E.g. dma_buf_poll() may be entered in thread 1 with f->count == 1
and call to get_file() shortly later (and may even skip this if
there is nothing to EPOLLIN or EPOLLOUT). During this time window,
thread 0 may call fput() (on behalf of close() in this example)
and (since it sees f->count == 1) file is scheduled to delayed_fput().
Dmitry
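
The interleaving described in the message above, replayed in a fixed order as an added example (not part of the original message and not kernel code). It is a constructed user-space model: `model_file`, `model_get()`, `model_get_not_zero()`, `model_put()` and `replay()` are hypothetical names, `model_get()` assumes an unconditional increment, and the increment-unless-zero variant is shown as a general refcount hardening pattern, not as the fix this thread settled on.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model of a refcounted file; not kernel code. */
struct model_file {
    atomic_long f_count;
    bool release_scheduled;          /* stands in for the delayed __fput() */
};

/* Unconditional reference grab (assumed model of the get_file() step). */
static void model_get(struct model_file *f) { atomic_fetch_add(&f->f_count, 1); }

/* Take a reference only while the count is still non-zero. */
static bool model_get_not_zero(struct model_file *f)
{
    long old = atomic_load(&f->f_count);
    while (old != 0) {
        /* On failure 'old' is reloaded, so a drop to zero ends the loop. */
        if (atomic_compare_exchange_weak(&f->f_count, &old, old + 1))
            return true;
    }
    return false;
}

/* Drop a reference; the put that takes the count from 1 to 0 schedules release. */
static void model_put(struct model_file *f)
{
    if (atomic_fetch_sub(&f->f_count, 1) == 1)
        f->release_scheduled = true;
}

/* Returns true if the poll side ends up holding a reference to a file
 * whose release has already been scheduled (the stale-reference case). */
static bool replay(bool guarded)
{
    struct model_file f;
    bool got = true;
    atomic_init(&f.f_count, 1);      /* poll handler entered, f_count == 1 */
    f.release_scheduled = false;
    model_put(&f);                   /* thread 0: fput(), f_count 1 -> 0 */
    if (guarded) got = model_get_not_zero(&f);   /* thread 1, in the window */
    else model_get(&f);                          /* f_count 0 -> 1 */
    return got && f.release_scheduled;
}

int main(void)
{
    printf("unconditional get: stale reference = %d\n", replay(false));
    printf("inc-not-zero get:  stale reference = %d\n", replay(true));
    return 0;
}
```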