mirror of
https://git.proxmox.com/git/mirror_ubuntu-kernels.git
synced 2025-11-14 08:42:08 +00:00
Charan Teja reported a 'use-after-free' in dmabuffs_dname [1], which
happens if the dma_buf_release() is called while the userspace is
accessing the dma_buf pseudo fs's dmabuffs_dname() in another process,
and dma_buf_release() releases the dmabuf object when the last reference
to the struct file goes away.
I discussed with Arnd Bergmann, and he suggested that rather than tying
the dma_buf_release() to the file_operations' release(), we can tie it to
the dentry_operations' d_release(), which will be called when the last ref
to the dentry is removed.
The path exercised by __fput() calls f_op->release() first, and then calls
dput, which eventually calls d_op->d_release().
In the 'normal' case, when no userspace access is happening via the dma_buf
pseudo fs, there should be exactly one fd, file, dentry and inode, so
closing the fd will kill off everything right away.
In the presented case, the dentry's d_release() will be called only when
the dentry's last ref is released.
Therefore, let's move dma_buf_release() from fops->release() to
d_ops->d_release().
Many thanks to Arnd for his FS insights :)
[1]: https://lore.kernel.org/patchwork/patch/1238278/
Fixes:
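The release ordering the message describes, as a toy userspace model added here (it is not kernel code and not part of the patch): a `struct file` whose `__fput()` path runs `f_op->release()` and then `dput()`, a `struct dentry` whose `d_release()` fires only when its last reference drops, and a `dmabuffs_dname()` that reads the buffer through the dentry. Refcounts are plain ints, "free" only flips a flag so a stale read is reported instead of crashing, and the struct and function names are mimics of the kernel's, not the real ones. The `race()` function plays the reported scenario: another process holds a dentry reference inside dname while the last fd is closed; `normal_close()` plays the uncontended case.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed toy model of the two release strategies (not kernel code). */

struct dmabuf {
    bool live;               /* cleared when the buffer is "freed" */
    char name[32];
};

struct dentry {
    int refcnt;
    struct dmabuf *buf;      /* stands in for dentry->d_fsdata */
    void (*d_release)(struct dentry *);
};

struct file {
    int refcnt;
    struct dentry *dentry;
    void (*release)(struct file *);   /* stands in for f_op->release */
};

struct outcome {
    bool dname_ok;           /* dname read a live buffer */
    bool buf_freed;          /* buffer was freed once all refs were gone */
};

static void dmabuf_free(struct dmabuf *b) { b->live = false; }

/* Old scheme: the buffer dies with the struct file. */
static void old_fops_release(struct file *f) { dmabuf_free(f->dentry->buf); }
static void old_d_release(struct dentry *d) { (void)d; }

/* New scheme: the buffer dies with the dentry. */
static void new_fops_release(struct file *f) { (void)f; }
static void new_d_release(struct dentry *d) { dmabuf_free(d->buf); }

static void dget(struct dentry *d) { d->refcnt++; }
static void dput(struct dentry *d) { if (--d->refcnt == 0) d->d_release(d); }

/* __fput(): f_op->release() first, then dput() on the file's dentry. */
static void fput(struct file *f)
{
    if (--f->refcnt == 0) {
        f->release(f);
        dput(f->dentry);
    }
}

/* dmabuffs_dname(): builds the pseudo-fs name from the buffer behind the
 * dentry. Returns false if it touched a freed buffer (the use-after-free). */
static bool dmabuffs_dname(struct dentry *d, char *out, size_t n)
{
    if (!d->buf->live)
        return false;
    snprintf(out, n, "/dmabuf:%s", d->buf->name);
    return true;
}

static void setup(bool use_d_release, struct dmabuf *b, struct dentry *d,
                  struct file *f)
{
    b->live = true;
    snprintf(b->name, sizeof b->name, "demo");
    d->refcnt = 1;
    d->buf = b;
    d->d_release = use_d_release ? new_d_release : old_d_release;
    f->refcnt = 1;
    f->dentry = d;
    f->release = use_d_release ? new_fops_release : old_fops_release;
}

/* Process B is inside dmabuffs_dname() holding a dentry reference while
 * process A closes the last fd. */
static struct outcome race(bool use_d_release)
{
    struct dmabuf b; struct dentry d; struct file f; char path[64];
    struct outcome r;

    setup(use_d_release, &b, &d, &f);
    dget(&d);                                  /* B: path walk takes a ref */
    fput(&f);                                  /* A: close(fd) -> __fput() */
    r.dname_ok = dmabuffs_dname(&d, path, sizeof path);   /* B: reads buf */
    dput(&d);                                  /* B: drops its reference */
    r.buf_freed = !b.live;
    return r;
}

/* Uncontended close: one fd, file, dentry; everything goes at once. */
static struct outcome normal_close(bool use_d_release)
{
    struct dmabuf b; struct dentry d; struct file f;
    struct outcome r = { true, false };

    setup(use_d_release, &b, &d, &f);
    fput(&f);
    r.buf_freed = !b.live;
    return r;
}

int main(void)
{
    printf("fops->release frees:    dname %s\n",
           race(false).dname_ok ? "ok" : "USE-AFTER-FREE");
    printf("d_ops->d_release frees: dname %s, freed after last dput: %d\n",
           race(true).dname_ok ? "ok" : "USE-AFTER-FREE", race(true).buf_freed);
    return 0;
}
```

With the old hook the buffer is gone by the time `dmabuffs_dname()` runs, because `__fput()` freed it before the concurrent dentry reference was dropped; with `d_release()` the concurrent `dget()` keeps the buffer alive until that process's own `dput()`, and the uncontended close frees it immediately under both schemes.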
| Name |
|---|
| .. |
| heaps |
| dma-buf.c |
| dma-fence-array.c |
| dma-fence-chain.c |
| dma-fence.c |
| dma-heap.c |
| dma-resv.c |
| Kconfig |
| Makefile |
| selftest.c |
| selftest.h |
| selftests.h |
| seqno-fence.c |
| st-dma-fence-chain.c |
| st-dma-fence.c |
| sw_sync.c |
| sync_debug.c |
| sync_debug.h |
| sync_file.c |
| sync_trace.h |
| udmabuf.c |