CHROMIUM: media/ipu6: fix kbuf double free
We cannot install a new file handler into the fds table when user-space
hits the limit on open fds, which also implies that we cannot dma_buf_fd()
in such situations. This hurts us a little in ipu_psys_getbuf().
The dma_buf_fd() error handling path does kfree() of ipu_psys_kbuffer.
The problem is that it's also kfree-d in ipu_dma_buf_release(), which
is called from dma_buf_put()->dma_buf_release(), triggering a double
free.

kernel BUG at mm/slub.c:307!
CPU: 1 PID: 5573 Comm: ipu6_full_video
RIP: 0010:kfree+0x2dd/0x2e3
RSP: 0018:ffffb7c906153dc0 EFLAGS: 00010246
RAX: ffff9c81200b27e0 RBX: ffff9c81200b27e0 RCX: 452156f0b9cda4f0
RDX: 0000000000085c01 RSI: ffff9c82459da2b8 RDI: ffff9c81200b28a0
RBP: ffffb7c906153e10 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000042b R11: ffffffffc073e5b6 R12: ffff9c81200b27e0
R13: ffff9c827b401a00 R14: ffff9c81200b27e0 R15: ffffe2ab40802c80
FS: 00007feb394d3640(0000) GS:ffff9c827bf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000058325553f038 CR3: 000000011a860000 CR4: 0000000000342ee0
Call Trace:
? dma_buf_release+0x3e/0x8d
dma_buf_release+0x3e/0x8d
__dentry_kill+0xee/0x185
dput+0x160/0x23d
__fput+0x193/0x238
task_work_run+0x7f/0xa7
prepare_exit_to_usermode+0x12e/0x130
entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG=b:227117950
TEST=CTS on lalala
Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Change-Id: I14dab4f85d109b648755b865ccbdf855b5a70471
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/3595941
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
Reviewed-by: Bingbu Cao <bingbu.cao@intel.com>
Reviewed-by: Tian Shu Qiu <tian.shu.qiu@intel.corp-partner.google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/3599916
Reviewed-by: Tomasz Figa <tfiga@chromium.org>
Commit-Queue: Tomasz Figa <tfiga@chromium.org>
1 file changed
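The ownership mistake the message describes, as an added stand-alone model (not the driver's code and not the actual fix from this change): once the kbuffer is attached to an exported dma_buf, the release callback owns it, so an error path that also kfree()s it frees the object twice. The structs and the names kfree_kbuf, ipu_release, getbuf_buggy and getbuf_fixed are constructed for this example; frees are counted instead of performed so the double free is observable.

```c
/* Constructed stand-ins for the kernel objects involved; not the driver's code. */
struct kbuf { int frees; };               /* counts how many times it was "kfree()"d */
struct dma_buf {
	struct kbuf *priv;                    /* owned by the dma_buf once exported */
	int refcnt;
	void (*release)(struct dma_buf *);
};

/* kfree() stand-in: count instead of freeing so a double free is observable. */
static void kfree_kbuf(struct kbuf *k) { k->frees++; }

/* ipu_dma_buf_release() stand-in: the dma_buf frees its kbuf on the last put. */
static void ipu_release(struct dma_buf *d) { kfree_kbuf(d->priv); }

static void dma_buf_put(struct dma_buf *d)
{
	if (--d->refcnt == 0)
		d->release(d);
}

/* dma_buf_fd() stand-in: fails (as when the fd table is full) on request. */
static int dma_buf_fd(int fd_table_full) { return fd_table_full ? -1 : 3; }

/* Buggy error path: kfree()s kbuf itself and drops the dma_buf reference, whose
 * release callback frees the same kbuf again. Returns how often kbuf was freed. */
int getbuf_buggy(int fd_table_full)
{
	struct kbuf k = { 0 };
	struct dma_buf d = { &k, 1, ipu_release };
	if (dma_buf_fd(fd_table_full) < 0) {
		kfree_kbuf(&k);          /* first free, in the error path */
		dma_buf_put(&d);         /* last put -> ipu_release -> second free */
	}
	return k.frees;
}

/* Fixed error path: once kbuf is attached to the dma_buf, only the release
 * callback may free it, so the error path just drops the reference. */
int getbuf_fixed(int fd_table_full)
{
	struct kbuf k = { 0 };
	struct dma_buf d = { &k, 1, ipu_release };
	if (dma_buf_fd(fd_table_full) < 0)
		dma_buf_put(&d);         /* exactly one free, in ipu_release */
	return k.frees;
}
```

On the success path neither variant frees anything, since the installed fd keeps the dma_buf (and with it the kbuf) alive.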