From patchwork Thu Feb  7 00:03:02 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: John Sheu <sheu@google.com>
X-Patchwork-Id: 2109051
Return-Path: <linux-media-owner@vger.kernel.org>
X-Original-To: patchwork-linux-media@patchwork.kernel.org
Delivered-To: patchwork-process-083081@patchwork2.kernel.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by patchwork2.kernel.org (Postfix) with ESMTP id 5E258E00C6
	for <patchwork-linux-media@patchwork.kernel.org>;
	Thu,  7 Feb 2013 00:03:53 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1758553Ab3BGADv (ORCPT
	<rfc822;patchwork-linux-media@patchwork.kernel.org>);
	Wed, 6 Feb 2013 19:03:51 -0500
Received: from mail-oa0-f74.google.com ([209.85.219.74]:60275 "EHLO
	mail-oa0-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1758536Ab3BGADr (ORCPT
	<rfc822; linux-media@vger.kernel.org>); Wed, 6 Feb 2013 19:03:47 -0500
Received: by mail-oa0-f74.google.com with SMTP id k14so387565oag.5
	for <linux-media@vger.kernel.org>;
	Wed, 06 Feb 2013 16:03:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20120113;
	h=x-received:from:to:cc:subject:date:message-id:x-mailer:in-reply-to
	:references; bh=JYnKd2ViRmXMvpfro/36vTvWyE786PXNE+ZYhgdlaX8=;
	b=bOVavtAsaLQ7IGH5b+qb9w7bN3uDN6bjKGuoxrF4VijWoXGZ426+G9iZJ8foYgtIsJ
	iV9R5t5PdEhF/Jra8LWWojBQfCd7ttNPFhbPOQaKzDW+2TfEWGwzJtka4TXUIgdZlII6
	/SiVRPul1g91vMdJ/enprcCbUc//VLrEwQ5YZd0Gu3vET5ocTuxKuV5u9kBKGT/h4aLS
	NcZLLWAFkdhmipV7Vx4tA2oHHPJJVxJyggm8N0juw7N2zuLO7zN/k3nJtqZ2YMUjzbRo
	BD4whXI//1vseqxf1epvn9ptNHfeo3APXJKO0Q9FMqXDufuBwgB7PnJitP+Tjkur8NnS
	l7YQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20120113;
	h=x-received:from:to:cc:subject:date:message-id:x-mailer:in-reply-to
	:references:x-gm-message-state;
	bh=JYnKd2ViRmXMvpfro/36vTvWyE786PXNE+ZYhgdlaX8=;
	b=EKcM7YdF4o1GJ+WYeV0C8Zkx8bAqiZwDKnbVo5PAg2XJ7ufy471hT6NAooXNsHg9ZM
	KfBiFRPJLQSvSDypLEEHSzed8mr7vlo/aDRcgy6+vODgYZ/DyHchRduS5OTxcVa+Fh8F
	VaUoZAyILpkRlfk4n/8uslatJ7X5aR8rSuao4yae5huo1QrbiJuilqR6Rtd08AArlLYA
	9R/ISQRHOY6FC2WLcYRCY9MZWJgHowAm1BZi9CWDvlcmS1e82zn9/vqIZZNjY7J3dXFz
	0pxBzkjJz3xFKojGEILJFzmB7xQjFKosv/Bhj1+vUJAbXQwAVY9+Y616b0N9Bj5oJ/q/
	44ow==
X-Received: by 10.50.87.133 with SMTP id ay5mr4078194igb.6.1360195426576;
	Wed, 06 Feb 2013 16:03:46 -0800 (PST)
Received: from corp2gmr1-1.hot.corp.google.com
	(corp2gmr1-1.hot.corp.google.com [172.24.189.92])
	by gmr-mx.google.com with ESMTPS id
	j7si334485igc.3.2013.02.06.16.03.46
	(version=TLSv1.1 cipher=AES128-SHA bits=128/128);
	Wed, 06 Feb 2013 16:03:46 -0800 (PST)
Received: from shortskirt.mtv.corp.google.com
	(shortskirt.mtv.corp.google.com [172.22.70.255])
	by corp2gmr1-1.hot.corp.google.com (Postfix) with ESMTP id
	0342431C15E; Wed,  6 Feb 2013 16:03:46 -0800 (PST)
Received: by shortskirt.mtv.corp.google.com (Postfix, from userid 157237)
	id A87FEC0651; Wed,  6 Feb 2013 16:03:45 -0800 (PST)
From: John Sheu <sheu@google.com>
To: linux-media@vger.kernel.org
Cc: John Sheu <sheu@chromium.org>, John Sheu <sheu@google.com>
Subject: [PATCH 3/3] dma-buf: restore args on failure of dma_buf_mmap
Date: Wed,  6 Feb 2013 16:03:02 -0800
Message-Id: <1360195382-32317-3-git-send-email-sheu@google.com>
X-Mailer: git-send-email 1.8.1
In-Reply-To: <1360195382-32317-1-git-send-email-sheu@google.com>
References: <1360195382-32317-1-git-send-email-sheu@google.com>
X-Gm-Message-State: 
 ALoCoQnhbQgMKFphf6aS8ZmVq3XyUwKe7vs3sXnKbpO1m4hw4LWhXj4zFAH3/9JmBNozG9KvX4hgpnhbWgHdc5AXXQdOs7qUpwbP/hVJYR2I5ChJGwkMf7zLaxR/iQUXhIWXffF0BU4MrHldmvdehfnEPqvcnEfqeUIrVInBzc4Psj/WpHOiAoCGCP8A67OlS9gSRFBziArEfmKfhO2ZGaCBzb4aW9+E0g==
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org

From: John Sheu <sheu@chromium.org>

Callers to dma_buf_mmap expect to fput() the vma struct's vm_file
themselves on failure.  Not restoring the struct's data on failure
causes a double-decrement of the vm_file's refcount.

Signed-off-by: John Sheu <sheu@google.com>
---
 drivers/base/dma-buf.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/drivers/base/dma-buf.c b/drivers/base/dma-buf.c
index a3f79c4..01daf9c 100644
--- a/drivers/base/dma-buf.c
+++ b/drivers/base/dma-buf.c
@@ -446,6 +446,9 @@ EXPORT_SYMBOL_GPL(dma_buf_kunmap);
 int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma,
 		 unsigned long pgoff)
 {
+	struct file *oldfile;
+	int ret;
+
 	if (WARN_ON(!dmabuf || !vma))
 		return -EINVAL;
 
@@ -459,14 +462,21 @@ int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma,
 		return -EINVAL;
 
 	/* readjust the vma */
-	if (vma->vm_file)
-		fput(vma->vm_file);
-
+	oldfile = vma->vm_file;
 	vma->vm_file = get_file(dmabuf->file);
 
 	vma->vm_pgoff = pgoff;
 
-	return dmabuf->ops->mmap(dmabuf, vma);
+	ret = dmabuf->ops->mmap(dmabuf, vma);
+	if (ret) {
+		/* restore old parameters on failure */
+		vma->vm_file = oldfile;
+		fput(dmabuf->file);
+	} else {
+		if (oldfile)
+			fput(oldfile);
+	}
+	return ret;
 }
 EXPORT_SYMBOL_GPL(dma_buf_mmap);