[PATCH] dma-buf: Fix possible UAF in dma_buf_export

[PATCH] dma-buf: Fix possible UAF in dma_buf_export

[Gaosheng Cui]

Smatch report warning as follows:

drivers/dma-buf/dma-buf.c:681 dma_buf_export() warn:
  '&dmabuf->list_node' not removed from list

If dma_buf_stats_setup() fails in dma_buf_export(), goto err_sysfs
and dmabuf will be freed, but dmabuf->list_node will not be removed
from db_list.head, then list traversal may cause UAF.

Fix by removeing it from db_list.head before free().

Fixes: ef3a6b70507a ("dma-buf: call dma_buf_stats_setup after dmabuf is in valid list")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
---
 drivers/dma-buf/dma-buf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index b809513b03fe..6848f50226d5 100644
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -675,6 +675,9 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info)
 	return dmabuf;
 
 err_sysfs:
+	mutex_lock(&db_list.lock);
+	list_del(&dmabuf->list_node);
+	mutex_unlock(&db_list.lock);
 	/*
 	 * Set file->f_path.dentry->d_fsdata to NULL so that when
 	 * dma_buf_release() gets invoked by dentry_ops, it exits
-- 
2.25.1

[PATCH] dma-buf: Fix possible UAF in dma_buf_export

[Gaosheng Cui]

Smatch report warning as follows:

drivers/dma-buf/dma-buf.c:681 dma_buf_export() warn:
  '&dmabuf->list_node' not removed from list

If dma_buf_stats_setup() fails in dma_buf_export(), goto err_sysfs
and dmabuf will be freed, but dmabuf->list_node will not be removed
from db_list.head, then list traversal may cause UAF.

Fix by removeing it from db_list.head before free().

Fixes: ef3a6b70507a ("dma-buf: call dma_buf_stats_setup after dmabuf is in valid list")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
---
 drivers/dma-buf/dma-buf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index b809513b03fe..6848f50226d5 100644
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -675,6 +675,9 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info)
 	return dmabuf;
 
 err_sysfs:
+	mutex_lock(&db_list.lock);
+	list_del(&dmabuf->list_node);
+	mutex_unlock(&db_list.lock);
 	/*
 	 * Set file->f_path.dentry->d_fsdata to NULL so that when
 	 * dma_buf_release() gets invoked by dentry_ops, it exits
-- 
2.25.1

Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[Charan Teja Kalla]

Sometime back Dan also reported the same issue[1] where I do mentioned
that fput()-->dma_buf_file_release() will remove it from the list.

But it seems that I failed to notice fput() here calls the
dma_buf_file_release() asynchronously i.e. dmabuf that is accessed in
the close path is already freed. Am I wrong here?

Should we have the __fput_sync(file) here instead of just fput(file)
which can solve this problem?

[1]https://lore.kernel.org/all/20220516084704.GG29930@kadam/

Thanks,
Charan
On 11/17/2022 11:51 AM, Gaosheng Cui wrote:
> Smatch report warning as follows:
> 
> drivers/dma-buf/dma-buf.c:681 dma_buf_export() warn:
>   '&dmabuf->list_node' not removed from list
> 
> If dma_buf_stats_setup() fails in dma_buf_export(), goto err_sysfs
> and dmabuf will be freed, but dmabuf->list_node will not be removed
> from db_list.head, then list traversal may cause UAF.
> 
> Fix by removeing it from db_list.head before free().
> 
> Fixes: ef3a6b70507a ("dma-buf: call dma_buf_stats_setup after dmabuf is in valid list")
> Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
> ---
>  drivers/dma-buf/dma-buf.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
> index b809513b03fe..6848f50226d5 100644
> --- a/drivers/dma-buf/dma-buf.c
> +++ b/drivers/dma-buf/dma-buf.c
> @@ -675,6 +675,9 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info)
>  	return dmabuf;
>  
>  err_sysfs:
> +	mutex_lock(&db_list.lock);
> +	list_del(&dmabuf->list_node);
> +	mutex_unlock(&db_list.lock);
>  	/*
>  	 * Set file->f_path.dentry->d_fsdata to NULL so that when
>  	 * dma_buf_release() gets invoked by dentry_ops, it exits

Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[Charan Teja Kalla]

Sometime back Dan also reported the same issue[1] where I do mentioned
that fput()-->dma_buf_file_release() will remove it from the list.

But it seems that I failed to notice fput() here calls the
dma_buf_file_release() asynchronously i.e. dmabuf that is accessed in
the close path is already freed. Am I wrong here?

Should we have the __fput_sync(file) here instead of just fput(file)
which can solve this problem?

[1]https://lore.kernel.org/all/20220516084704.GG29930@kadam/

Thanks,
Charan
On 11/17/2022 11:51 AM, Gaosheng Cui wrote:
> Smatch report warning as follows:
> 
> drivers/dma-buf/dma-buf.c:681 dma_buf_export() warn:
>   '&dmabuf->list_node' not removed from list
> 
> If dma_buf_stats_setup() fails in dma_buf_export(), goto err_sysfs
> and dmabuf will be freed, but dmabuf->list_node will not be removed
> from db_list.head, then list traversal may cause UAF.
> 
> Fix by removeing it from db_list.head before free().
> 
> Fixes: ef3a6b70507a ("dma-buf: call dma_buf_stats_setup after dmabuf is in valid list")
> Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
> ---
>  drivers/dma-buf/dma-buf.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
> index b809513b03fe..6848f50226d5 100644
> --- a/drivers/dma-buf/dma-buf.c
> +++ b/drivers/dma-buf/dma-buf.c
> @@ -675,6 +675,9 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info)
>  	return dmabuf;
>  
>  err_sysfs:
> +	mutex_lock(&db_list.lock);
> +	list_del(&dmabuf->list_node);
> +	mutex_unlock(&db_list.lock);
>  	/*
>  	 * Set file->f_path.dentry->d_fsdata to NULL so that when
>  	 * dma_buf_release() gets invoked by dentry_ops, it exits

Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[Christian König]

Am 17.11.22 um 08:48 schrieb Charan Teja Kalla:
> Sometime back Dan also reported the same issue[1] where I do mentioned
> that fput()-->dma_buf_file_release() will remove it from the list.
>
> But it seems that I failed to notice fput() here calls the
> dma_buf_file_release() asynchronously i.e. dmabuf that is accessed in
> the close path is already freed. Am I wrong here?
>
> Should we have the __fput_sync(file) here instead of just fput(file)
> which can solve this problem?
>
> [1]https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kernel.org%2Fall%2F20220516084704.GG29930%40kadam%2F&data=05%7C01%7Cchristian.koenig%40amd.com%7C115292dd7a874278b3ed08dac8701320%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C638042680960627756%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=NYNIAJjt%2FSUXoc3wCz2vPvo%2Be%2FIVcABEA2JYZ8%2F2q04%3D&reserved=0

That doesn't look like the right solution to me either.

Essentially we have two separate tear down methods for the dma_buf 
object here:

1. It's not completely initialized and we can call kfree()+module_put() 
to clean up.
     There is actually a dma_resv_fini() here. That should probably be 
fixed.

2. The dma_buf object is fully initialized, but creating the sysfs stats 
file failed.
     In this case we should *not* clean it up like we currently do, but 
rather call fput().

So the right thing to do is a) fix the missing dma_resv_fini() call and 
b) drop the setting d_fsdata=NULL hack and properly return after the fput().

Regards,
Christian.

>
> Thanks,
> Charan
> On 11/17/2022 11:51 AM, Gaosheng Cui wrote:
>> Smatch report warning as follows:
>>
>> drivers/dma-buf/dma-buf.c:681 dma_buf_export() warn:
>>    '&dmabuf->list_node' not removed from list
>>
>> If dma_buf_stats_setup() fails in dma_buf_export(), goto err_sysfs
>> and dmabuf will be freed, but dmabuf->list_node will not be removed
>> from db_list.head, then list traversal may cause UAF.
>>
>> Fix by removeing it from db_list.head before free().
>>
>> Fixes: ef3a6b70507a ("dma-buf: call dma_buf_stats_setup after dmabuf is in valid list")
>> Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
>> ---
>>   drivers/dma-buf/dma-buf.c | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
>> index b809513b03fe..6848f50226d5 100644
>> --- a/drivers/dma-buf/dma-buf.c
>> +++ b/drivers/dma-buf/dma-buf.c
>> @@ -675,6 +675,9 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info)
>>   	return dmabuf;
>>   
>>   err_sysfs:
>> +	mutex_lock(&db_list.lock);
>> +	list_del(&dmabuf->list_node);
>> +	mutex_unlock(&db_list.lock);
>>   	/*
>>   	 * Set file->f_path.dentry->d_fsdata to NULL so that when
>>   	 * dma_buf_release() gets invoked by dentry_ops, it exits

Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[Christian König]

Am 17.11.22 um 08:48 schrieb Charan Teja Kalla:
> Sometime back Dan also reported the same issue[1] where I do mentioned
> that fput()-->dma_buf_file_release() will remove it from the list.
>
> But it seems that I failed to notice fput() here calls the
> dma_buf_file_release() asynchronously i.e. dmabuf that is accessed in
> the close path is already freed. Am I wrong here?
>
> Should we have the __fput_sync(file) here instead of just fput(file)
> which can solve this problem?
>
> [1]https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kernel.org%2Fall%2F20220516084704.GG29930%40kadam%2F&data=05%7C01%7Cchristian.koenig%40amd.com%7C115292dd7a874278b3ed08dac8701320%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C638042680960627756%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=NYNIAJjt%2FSUXoc3wCz2vPvo%2Be%2FIVcABEA2JYZ8%2F2q04%3D&reserved=0

That doesn't look like the right solution to me either.

Essentially we have two separate tear down methods for the dma_buf 
object here:

1. It's not completely initialized and we can call kfree()+module_put() 
to clean up.
     There is actually a dma_resv_fini() here. That should probably be 
fixed.

2. The dma_buf object is fully initialized, but creating the sysfs stats 
file failed.
     In this case we should *not* clean it up like we currently do, but 
rather call fput().

So the right thing to do is a) fix the missing dma_resv_fini() call and 
b) drop the setting d_fsdata=NULL hack and properly return after the fput().

Regards,
Christian.

>
> Thanks,
> Charan
> On 11/17/2022 11:51 AM, Gaosheng Cui wrote:
>> Smatch report warning as follows:
>>
>> drivers/dma-buf/dma-buf.c:681 dma_buf_export() warn:
>>    '&dmabuf->list_node' not removed from list
>>
>> If dma_buf_stats_setup() fails in dma_buf_export(), goto err_sysfs
>> and dmabuf will be freed, but dmabuf->list_node will not be removed
>> from db_list.head, then list traversal may cause UAF.
>>
>> Fix by removeing it from db_list.head before free().
>>
>> Fixes: ef3a6b70507a ("dma-buf: call dma_buf_stats_setup after dmabuf is in valid list")
>> Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
>> ---
>>   drivers/dma-buf/dma-buf.c | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
>> index b809513b03fe..6848f50226d5 100644
>> --- a/drivers/dma-buf/dma-buf.c
>> +++ b/drivers/dma-buf/dma-buf.c
>> @@ -675,6 +675,9 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info)
>>   	return dmabuf;
>>   
>>   err_sysfs:
>> +	mutex_lock(&db_list.lock);
>> +	list_del(&dmabuf->list_node);
>> +	mutex_unlock(&db_list.lock);
>>   	/*
>>   	 * Set file->f_path.dentry->d_fsdata to NULL so that when
>>   	 * dma_buf_release() gets invoked by dentry_ops, it exits

Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[T.J. Mercier]

On Thu, Nov 17, 2022 at 2:16 AM Christian König
<christian.koenig@amd.com> wrote:
>
> Am 17.11.22 um 08:48 schrieb Charan Teja Kalla:
> > Sometime back Dan also reported the same issue[1] where I do mentioned
> > that fput()-->dma_buf_file_release() will remove it from the list.
> >
> > But it seems that I failed to notice fput() here calls the
> > dma_buf_file_release() asynchronously i.e. dmabuf that is accessed in
> > the close path is already freed. Am I wrong here?
> >
> > Should we have the __fput_sync(file) here instead of just fput(file)
> > which can solve this problem?
> >
> > [1]https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kernel.org%2Fall%2F20220516084704.GG29930%40kadam%2F&amp;data=05%7C01%7Cchristian.koenig%40amd.com%7C115292dd7a874278b3ed08dac8701320%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C638042680960627756%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=NYNIAJjt%2FSUXoc3wCz2vPvo%2Be%2FIVcABEA2JYZ8%2F2q04%3D&amp;reserved=0
>
> That doesn't look like the right solution to me either.
>
> Essentially we have two separate tear down methods for the dma_buf
> object here:
>
> 1. It's not completely initialized and we can call kfree()+module_put()
> to clean up.
>      There is actually a dma_resv_fini() here. That should probably be
> fixed.
>
> 2. The dma_buf object is fully initialized, but creating the sysfs stats
> file failed.
>      In this case we should *not* clean it up like we currently do, but
> rather call fput().
>
> So the right thing to do is a) fix the missing dma_resv_fini() call and
> b) drop the setting d_fsdata=NULL hack and properly return after the fput().
>
This looks right to me if by properly return you mean return
ERR_PTR(ret); at the end of err_sysfs after the fput. (letting
dma_buf_file_release and dma_buf_release do the full cleanup)

If we still want to avoid calling dmabuf->ops->release(dmabuf) in
dma_buf_release like the comment says I guess we could use sysfs_entry
and ERR_PTR to flag that, otherwise it looks like we'd need a bit
somewhere.

 >
> Regards,
> Christian.
>
> >
> > Thanks,
> > Charan
> > On 11/17/2022 11:51 AM, Gaosheng Cui wrote:
> >> Smatch report warning as follows:
> >>
> >> drivers/dma-buf/dma-buf.c:681 dma_buf_export() warn:
> >>    '&dmabuf->list_node' not removed from list
> >>
> >> If dma_buf_stats_setup() fails in dma_buf_export(), goto err_sysfs
> >> and dmabuf will be freed, but dmabuf->list_node will not be removed
> >> from db_list.head, then list traversal may cause UAF.
> >>
> >> Fix by removeing it from db_list.head before free().
> >>
> >> Fixes: ef3a6b70507a ("dma-buf: call dma_buf_stats_setup after dmabuf is in valid list")
> >> Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
> >> ---
> >>   drivers/dma-buf/dma-buf.c | 3 +++
> >>   1 file changed, 3 insertions(+)
> >>
> >> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
> >> index b809513b03fe..6848f50226d5 100644
> >> --- a/drivers/dma-buf/dma-buf.c
> >> +++ b/drivers/dma-buf/dma-buf.c
> >> @@ -675,6 +675,9 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info)
> >>      return dmabuf;
> >>
> >>   err_sysfs:
> >> +    mutex_lock(&db_list.lock);
> >> +    list_del(&dmabuf->list_node);
> >> +    mutex_unlock(&db_list.lock);
> >>      /*
> >>       * Set file->f_path.dentry->d_fsdata to NULL so that when
> >>       * dma_buf_release() gets invoked by dentry_ops, it exits
>

Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[T.J. Mercier]

On Thu, Nov 17, 2022 at 2:16 AM Christian König
<christian.koenig@amd.com> wrote:
>
> Am 17.11.22 um 08:48 schrieb Charan Teja Kalla:
> > Sometime back Dan also reported the same issue[1] where I do mentioned
> > that fput()-->dma_buf_file_release() will remove it from the list.
> >
> > But it seems that I failed to notice fput() here calls the
> > dma_buf_file_release() asynchronously i.e. dmabuf that is accessed in
> > the close path is already freed. Am I wrong here?
> >
> > Should we have the __fput_sync(file) here instead of just fput(file)
> > which can solve this problem?
> >
> > [1]https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kernel.org%2Fall%2F20220516084704.GG29930%40kadam%2F&amp;data=05%7C01%7Cchristian.koenig%40amd.com%7C115292dd7a874278b3ed08dac8701320%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C638042680960627756%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=NYNIAJjt%2FSUXoc3wCz2vPvo%2Be%2FIVcABEA2JYZ8%2F2q04%3D&amp;reserved=0
>
> That doesn't look like the right solution to me either.
>
> Essentially we have two separate tear down methods for the dma_buf
> object here:
>
> 1. It's not completely initialized and we can call kfree()+module_put()
> to clean up.
>      There is actually a dma_resv_fini() here. That should probably be
> fixed.
>
> 2. The dma_buf object is fully initialized, but creating the sysfs stats
> file failed.
>      In this case we should *not* clean it up like we currently do, but
> rather call fput().
>
> So the right thing to do is a) fix the missing dma_resv_fini() call and
> b) drop the setting d_fsdata=NULL hack and properly return after the fput().
>
This looks right to me if by properly return you mean return
ERR_PTR(ret); at the end of err_sysfs after the fput. (letting
dma_buf_file_release and dma_buf_release do the full cleanup)

If we still want to avoid calling dmabuf->ops->release(dmabuf) in
dma_buf_release like the comment says I guess we could use sysfs_entry
and ERR_PTR to flag that, otherwise it looks like we'd need a bit
somewhere.

 >
> Regards,
> Christian.
>
> >
> > Thanks,
> > Charan
> > On 11/17/2022 11:51 AM, Gaosheng Cui wrote:
> >> Smatch report warning as follows:
> >>
> >> drivers/dma-buf/dma-buf.c:681 dma_buf_export() warn:
> >>    '&dmabuf->list_node' not removed from list
> >>
> >> If dma_buf_stats_setup() fails in dma_buf_export(), goto err_sysfs
> >> and dmabuf will be freed, but dmabuf->list_node will not be removed
> >> from db_list.head, then list traversal may cause UAF.
> >>
> >> Fix by removeing it from db_list.head before free().
> >>
> >> Fixes: ef3a6b70507a ("dma-buf: call dma_buf_stats_setup after dmabuf is in valid list")
> >> Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
> >> ---
> >>   drivers/dma-buf/dma-buf.c | 3 +++
> >>   1 file changed, 3 insertions(+)
> >>
> >> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
> >> index b809513b03fe..6848f50226d5 100644
> >> --- a/drivers/dma-buf/dma-buf.c
> >> +++ b/drivers/dma-buf/dma-buf.c
> >> @@ -675,6 +675,9 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info)
> >>      return dmabuf;
> >>
> >>   err_sysfs:
> >> +    mutex_lock(&db_list.lock);
> >> +    list_del(&dmabuf->list_node);
> >> +    mutex_unlock(&db_list.lock);
> >>      /*
> >>       * Set file->f_path.dentry->d_fsdata to NULL so that when
> >>       * dma_buf_release() gets invoked by dentry_ops, it exits
>

Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[Christian König]

Am 18.11.22 um 03:36 schrieb T.J. Mercier:
> On Thu, Nov 17, 2022 at 2:16 AM Christian König
> <christian.koenig@amd.com> wrote:
>> Am 17.11.22 um 08:48 schrieb Charan Teja Kalla:
>>> Sometime back Dan also reported the same issue[1] where I do mentioned
>>> that fput()-->dma_buf_file_release() will remove it from the list.
>>>
>>> But it seems that I failed to notice fput() here calls the
>>> dma_buf_file_release() asynchronously i.e. dmabuf that is accessed in
>>> the close path is already freed. Am I wrong here?
>>>
>>> Should we have the __fput_sync(file) here instead of just fput(file)
>>> which can solve this problem?
>>>
>>> [1]https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kernel.org%2Fall%2F20220516084704.GG29930%40kadam%2F&amp;data=05%7C01%7Cchristian.koenig%40amd.com%7C7d87a302d300479ecfa608dac90dc9f4%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C638043358319479671%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=erPl1hGdfLbfCxK3J3xiIR9boJbgj6hPUnCBvZFobog%3D&amp;reserved=0
>> That doesn't look like the right solution to me either.
>>
>> Essentially we have two separate tear down methods for the dma_buf
>> object here:
>>
>> 1. It's not completely initialized and we can call kfree()+module_put()
>> to clean up.
>>       There is actually a dma_resv_fini() here. That should probably be
>> fixed.
>>
>> 2. The dma_buf object is fully initialized, but creating the sysfs stats
>> file failed.
>>       In this case we should *not* clean it up like we currently do, but
>> rather call fput().
>>
>> So the right thing to do is a) fix the missing dma_resv_fini() call and
>> b) drop the setting d_fsdata=NULL hack and properly return after the fput().
>>
> This looks right to me if by properly return you mean return
> ERR_PTR(ret); at the end of err_sysfs after the fput. (letting
> dma_buf_file_release and dma_buf_release do the full cleanup)

Yes, exactly that's the idea.

The only alternatives I can see would be to either move allocating the 
file and so completing the dma_buf initialization last again or just 
ignore errors from sysfs.

> If we still want to avoid calling dmabuf->ops->release(dmabuf) in
> dma_buf_release like the comment says I guess we could use sysfs_entry
> and ERR_PTR to flag that, otherwise it looks like we'd need a bit
> somewhere.

No, this should be dropped as far as I can see. The sysfs cleanup code 
looks like it can handle not initialized kobj pointers.

Regards,
Christian.

>
>   >
>> Regards,
>> Christian.
>>
>>> Thanks,
>>> Charan
>>> On 11/17/2022 11:51 AM, Gaosheng Cui wrote:
>>>> Smatch report warning as follows:
>>>>
>>>> drivers/dma-buf/dma-buf.c:681 dma_buf_export() warn:
>>>>     '&dmabuf->list_node' not removed from list
>>>>
>>>> If dma_buf_stats_setup() fails in dma_buf_export(), goto err_sysfs
>>>> and dmabuf will be freed, but dmabuf->list_node will not be removed
>>>> from db_list.head, then list traversal may cause UAF.
>>>>
>>>> Fix by removeing it from db_list.head before free().
>>>>
>>>> Fixes: ef3a6b70507a ("dma-buf: call dma_buf_stats_setup after dmabuf is in valid list")
>>>> Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
>>>> ---
>>>>    drivers/dma-buf/dma-buf.c | 3 +++
>>>>    1 file changed, 3 insertions(+)
>>>>
>>>> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
>>>> index b809513b03fe..6848f50226d5 100644
>>>> --- a/drivers/dma-buf/dma-buf.c
>>>> +++ b/drivers/dma-buf/dma-buf.c
>>>> @@ -675,6 +675,9 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info)
>>>>       return dmabuf;
>>>>
>>>>    err_sysfs:
>>>> +    mutex_lock(&db_list.lock);
>>>> +    list_del(&dmabuf->list_node);
>>>> +    mutex_unlock(&db_list.lock);
>>>>       /*
>>>>        * Set file->f_path.dentry->d_fsdata to NULL so that when
>>>>        * dma_buf_release() gets invoked by dentry_ops, it exits

Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[Christian König]

Am 18.11.22 um 03:36 schrieb T.J. Mercier:
> On Thu, Nov 17, 2022 at 2:16 AM Christian König
> <christian.koenig@amd.com> wrote:
>> Am 17.11.22 um 08:48 schrieb Charan Teja Kalla:
>>> Sometime back Dan also reported the same issue[1] where I do mentioned
>>> that fput()-->dma_buf_file_release() will remove it from the list.
>>>
>>> But it seems that I failed to notice fput() here calls the
>>> dma_buf_file_release() asynchronously i.e. dmabuf that is accessed in
>>> the close path is already freed. Am I wrong here?
>>>
>>> Should we have the __fput_sync(file) here instead of just fput(file)
>>> which can solve this problem?
>>>
>>> [1]https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kernel.org%2Fall%2F20220516084704.GG29930%40kadam%2F&amp;data=05%7C01%7Cchristian.koenig%40amd.com%7C7d87a302d300479ecfa608dac90dc9f4%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C638043358319479671%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=erPl1hGdfLbfCxK3J3xiIR9boJbgj6hPUnCBvZFobog%3D&amp;reserved=0
>> That doesn't look like the right solution to me either.
>>
>> Essentially we have two separate tear down methods for the dma_buf
>> object here:
>>
>> 1. It's not completely initialized and we can call kfree()+module_put()
>> to clean up.
>>       There is actually a dma_resv_fini() here. That should probably be
>> fixed.
>>
>> 2. The dma_buf object is fully initialized, but creating the sysfs stats
>> file failed.
>>       In this case we should *not* clean it up like we currently do, but
>> rather call fput().
>>
>> So the right thing to do is a) fix the missing dma_resv_fini() call and
>> b) drop the setting d_fsdata=NULL hack and properly return after the fput().
>>
> This looks right to me if by properly return you mean return
> ERR_PTR(ret); at the end of err_sysfs after the fput. (letting
> dma_buf_file_release and dma_buf_release do the full cleanup)

Yes, exactly that's the idea.

The only alternatives I can see would be to either move allocating the 
file and so completing the dma_buf initialization last again or just 
ignore errors from sysfs.

> If we still want to avoid calling dmabuf->ops->release(dmabuf) in
> dma_buf_release like the comment says I guess we could use sysfs_entry
> and ERR_PTR to flag that, otherwise it looks like we'd need a bit
> somewhere.

No, this should be dropped as far as I can see. The sysfs cleanup code 
looks like it can handle not initialized kobj pointers.

Regards,
Christian.

>
>   >
>> Regards,
>> Christian.
>>
>>> Thanks,
>>> Charan
>>> On 11/17/2022 11:51 AM, Gaosheng Cui wrote:
>>>> Smatch report warning as follows:
>>>>
>>>> drivers/dma-buf/dma-buf.c:681 dma_buf_export() warn:
>>>>     '&dmabuf->list_node' not removed from list
>>>>
>>>> If dma_buf_stats_setup() fails in dma_buf_export(), goto err_sysfs
>>>> and dmabuf will be freed, but dmabuf->list_node will not be removed
>>>> from db_list.head, then list traversal may cause UAF.
>>>>
>>>> Fix by removeing it from db_list.head before free().
>>>>
>>>> Fixes: ef3a6b70507a ("dma-buf: call dma_buf_stats_setup after dmabuf is in valid list")
>>>> Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
>>>> ---
>>>>    drivers/dma-buf/dma-buf.c | 3 +++
>>>>    1 file changed, 3 insertions(+)
>>>>
>>>> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
>>>> index b809513b03fe..6848f50226d5 100644
>>>> --- a/drivers/dma-buf/dma-buf.c
>>>> +++ b/drivers/dma-buf/dma-buf.c
>>>> @@ -675,6 +675,9 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info)
>>>>       return dmabuf;
>>>>
>>>>    err_sysfs:
>>>> +    mutex_lock(&db_list.lock);
>>>> +    list_del(&dmabuf->list_node);
>>>> +    mutex_unlock(&db_list.lock);
>>>>       /*
>>>>        * Set file->f_path.dentry->d_fsdata to NULL so that when
>>>>        * dma_buf_release() gets invoked by dentry_ops, it exits

Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[T.J. Mercier]

[-- Attachment #1: Type: text/plain, Size: 4964 bytes --]

On Fri, Nov 18, 2022 at 12:27 AM Christian König <christian.koenig@amd.com>
wrote:

> Am 18.11.22 um 03:36 schrieb T.J. Mercier:
> > On Thu, Nov 17, 2022 at 2:16 AM Christian König
> > <christian.koenig@amd.com> wrote:
> >> Am 17.11.22 um 08:48 schrieb Charan Teja Kalla:
> >>> Sometime back Dan also reported the same issue[1] where I do mentioned
> >>> that fput()-->dma_buf_file_release() will remove it from the list.
> >>>
> >>> But it seems that I failed to notice fput() here calls the
> >>> dma_buf_file_release() asynchronously i.e. dmabuf that is accessed in
> >>> the close path is already freed. Am I wrong here?
> >>>
> >>> Should we have the __fput_sync(file) here instead of just fput(file)
> >>> which can solve this problem?
> >>>
> >>> [1]
> https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kernel.org%2Fall%2F20220516084704.GG29930%40kadam%2F&amp;data=05%7C01%7Cchristian.koenig%40amd.com%7C7d87a302d300479ecfa608dac90dc9f4%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C638043358319479671%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=erPl1hGdfLbfCxK3J3xiIR9boJbgj6hPUnCBvZFobog%3D&amp;reserved=0
> >> That doesn't look like the right solution to me either.
> >>
> >> Essentially we have two separate tear down methods for the dma_buf
> >> object here:
> >>
> >> 1. It's not completely initialized and we can call kfree()+module_put()
> >> to clean up.
> >>       There is actually a dma_resv_fini() here. That should probably be
> >> fixed.
> >>
> >> 2. The dma_buf object is fully initialized, but creating the sysfs stats
> >> file failed.
> >>       In this case we should *not* clean it up like we currently do, but
> >> rather call fput().
> >>
> >> So the right thing to do is a) fix the missing dma_resv_fini() call and
> >> b) drop the setting d_fsdata=NULL hack and properly return after the
> fput().
> >>
> > This looks right to me if by properly return you mean return
> > ERR_PTR(ret); at the end of err_sysfs after the fput. (letting
> > dma_buf_file_release and dma_buf_release do the full cleanup)
>
> Yes, exactly that's the idea.
>
> The only alternatives I can see would be to either move allocating the
> file and so completing the dma_buf initialization last again or just
> ignore errors from sysfs.
>
> > If we still want to avoid calling dmabuf->ops->release(dmabuf) in
> > dma_buf_release like the comment says I guess we could use sysfs_entry
> > and ERR_PTR to flag that, otherwise it looks like we'd need a bit
> > somewhere.
>
> No, this should be dropped as far as I can see. The sysfs cleanup code
> looks like it can handle not initialized kobj pointers.
>

Yeah there is also the null check in dma_buf_stats_teardown() that would
prevent it from running, but I understood the comment to be referring to
the release() dma_buf_ops call into the exporter which comes right after
the teardown call. That looks like it's preventing the fput task work
calling back into the exporter after the exporter already got an error from
dma_buf_export(). Otherwise the exporter sees a release() for a buffer that
it doesn't know about / thinks shouldn't exist. So I could imagine an
exporter trying to double free: once for the failed dma_buf_export() call,
and again when the release() op is called later.

>
> Regards,
> Christian.
>
> >
> >   >
> >> Regards,
> >> Christian.
> >>
> >>> Thanks,
> >>> Charan
> >>> On 11/17/2022 11:51 AM, Gaosheng Cui wrote:
> >>>> Smatch report warning as follows:
> >>>>
> >>>> drivers/dma-buf/dma-buf.c:681 dma_buf_export() warn:
> >>>>     '&dmabuf->list_node' not removed from list
> >>>>
> >>>> If dma_buf_stats_setup() fails in dma_buf_export(), goto err_sysfs
> >>>> and dmabuf will be freed, but dmabuf->list_node will not be removed
> >>>> from db_list.head, then list traversal may cause UAF.
> >>>>
> >>>> Fix by removeing it from db_list.head before free().
> >>>>
> >>>> Fixes: ef3a6b70507a ("dma-buf: call dma_buf_stats_setup after dmabuf
> is in valid list")
> >>>> Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
> >>>> ---
> >>>>    drivers/dma-buf/dma-buf.c | 3 +++
> >>>>    1 file changed, 3 insertions(+)
> >>>>
> >>>> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
> >>>> index b809513b03fe..6848f50226d5 100644
> >>>> --- a/drivers/dma-buf/dma-buf.c
> >>>> +++ b/drivers/dma-buf/dma-buf.c
> >>>> @@ -675,6 +675,9 @@ struct dma_buf *dma_buf_export(const struct
> dma_buf_export_info *exp_info)
> >>>>       return dmabuf;
> >>>>
> >>>>    err_sysfs:
> >>>> +    mutex_lock(&db_list.lock);
> >>>> +    list_del(&dmabuf->list_node);
> >>>> +    mutex_unlock(&db_list.lock);
> >>>>       /*
> >>>>        * Set file->f_path.dentry->d_fsdata to NULL so that when
> >>>>        * dma_buf_release() gets invoked by dentry_ops, it exits
>
>

[-- Attachment #2: Type: text/html, Size: 7207 bytes --]

Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[Christian König]

[-- Attachment #1: Type: text/plain, Size: 5972 bytes --]

Am 18.11.22 um 18:05 schrieb T.J. Mercier:
>
>
> On Fri, Nov 18, 2022 at 12:27 AM Christian König 
> <christian.koenig@amd.com> wrote:
>
>     Am 18.11.22 um 03:36 schrieb T.J. Mercier:
>     > On Thu, Nov 17, 2022 at 2:16 AM Christian König
>     > <christian.koenig@amd.com> wrote:
>     >> Am 17.11.22 um 08:48 schrieb Charan Teja Kalla:
>     >>> Sometime back Dan also reported the same issue[1] where I do
>     mentioned
>     >>> that fput()-->dma_buf_file_release() will remove it from the list.
>     >>>
>     >>> But it seems that I failed to notice fput() here calls the
>     >>> dma_buf_file_release() asynchronously i.e. dmabuf that is
>     accessed in
>     >>> the close path is already freed. Am I wrong here?
>     >>>
>     >>> Should we have the __fput_sync(file) here instead of just
>     fput(file)
>     >>> which can solve this problem?
>     >>>
>     >>>
>     [1]https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kernel.org%2Fall%2F20220516084704.GG29930%40kadam%2F&amp;data=05%7C01%7Cchristian.koenig%40amd.com%7C7d87a302d300479ecfa608dac90dc9f4%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C638043358319479671%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=erPl1hGdfLbfCxK3J3xiIR9boJbgj6hPUnCBvZFobog%3D&amp;reserved=0
>     <https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kernel.org%2Fall%2F20220516084704.GG29930%40kadam%2F&data=05%7C01%7Cchristian.koenig%40amd.com%7Ca7d0f99c9d8440a4c6d208dac98717cd%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C638043879326367851%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=V38k91cCy446dyGpmRQWTNn5U8u2zSfCAgIRmACukq4%3D&reserved=0>
>     >> That doesn't look like the right solution to me either.
>     >>
>     >> Essentially we have two separate tear down methods for the dma_buf
>     >> object here:
>     >>
>     >> 1. It's not completely initialized and we can call
>     kfree()+module_put()
>     >> to clean up.
>     >>       There is actually a dma_resv_fini() here. That should
>     probably be
>     >> fixed.
>     >>
>     >> 2. The dma_buf object is fully initialized, but creating the
>     sysfs stats
>     >> file failed.
>     >>       In this case we should *not* clean it up like we
>     currently do, but
>     >> rather call fput().
>     >>
>     >> So the right thing to do is a) fix the missing dma_resv_fini()
>     call and
>     >> b) drop the setting d_fsdata=NULL hack and properly return
>     after the fput().
>     >>
>     > This looks right to me if by properly return you mean return
>     > ERR_PTR(ret); at the end of err_sysfs after the fput. (letting
>     > dma_buf_file_release and dma_buf_release do the full cleanup)
>
>     Yes, exactly that's the idea.
>
>     The only alternatives I can see would be to either move allocating
>     the
>     file and so completing the dma_buf initialization last again or just
>     ignore errors from sysfs.
>
>     > If we still want to avoid calling dmabuf->ops->release(dmabuf) in
>     > dma_buf_release like the comment says I guess we could use
>     sysfs_entry
>     > and ERR_PTR to flag that, otherwise it looks like we'd need a bit
>     > somewhere.
>
>     No, this should be dropped as far as I can see. The sysfs cleanup
>     code
>     looks like it can handle not initialized kobj pointers.
>
>
> Yeah there is also the null check in dma_buf_stats_teardown() that 
> would prevent it from running, but I understood the comment to be 
> referring to the release() dma_buf_ops call into the exporter which 
> comes right after the teardown call. That looks like it's preventing 
> the fput task work calling back into the exporter after the exporter 
> already got an error from dma_buf_export(). Otherwise the exporter 
> sees a release() for a buffer that it doesn't know about / thinks 
> shouldn't exist. So I could imagine an exporter trying to double free: 
> once for the failed dma_buf_export() call, and again when the 
> release() op is called later.


Oh, very good point as well. Yeah, then creating the file should 
probably come last.

Regards,
Christian.

>
>     Regards,
>     Christian.
>
>     >
>     >   >
>     >> Regards,
>     >> Christian.
>     >>
>     >>> Thanks,
>     >>> Charan
>     >>> On 11/17/2022 11:51 AM, Gaosheng Cui wrote:
>     >>>> Smatch report warning as follows:
>     >>>>
>     >>>> drivers/dma-buf/dma-buf.c:681 dma_buf_export() warn:
>     >>>>     '&dmabuf->list_node' not removed from list
>     >>>>
>     >>>> If dma_buf_stats_setup() fails in dma_buf_export(), goto
>     err_sysfs
>     >>>> and dmabuf will be freed, but dmabuf->list_node will not be
>     removed
>     >>>> from db_list.head, then list traversal may cause UAF.
>     >>>>
>     >>>> Fix by removeing it from db_list.head before free().
>     >>>>
>     >>>> Fixes: ef3a6b70507a ("dma-buf: call dma_buf_stats_setup after
>     dmabuf is in valid list")
>     >>>> Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
>     >>>> ---
>     >>>>    drivers/dma-buf/dma-buf.c | 3 +++
>     >>>>    1 file changed, 3 insertions(+)
>     >>>>
>     >>>> diff --git a/drivers/dma-buf/dma-buf.c
>     b/drivers/dma-buf/dma-buf.c
>     >>>> index b809513b03fe..6848f50226d5 100644
>     >>>> --- a/drivers/dma-buf/dma-buf.c
>     >>>> +++ b/drivers/dma-buf/dma-buf.c
>     >>>> @@ -675,6 +675,9 @@ struct dma_buf *dma_buf_export(const
>     struct dma_buf_export_info *exp_info)
>     >>>>       return dmabuf;
>     >>>>
>     >>>>    err_sysfs:
>     >>>> +    mutex_lock(&db_list.lock);
>     >>>> +    list_del(&dmabuf->list_node);
>     >>>> +    mutex_unlock(&db_list.lock);
>     >>>>       /*
>     >>>>        * Set file->f_path.dentry->d_fsdata to NULL so that when
>     >>>>        * dma_buf_release() gets invoked by dentry_ops, it exits
>

[-- Attachment #2: Type: text/html, Size: 10297 bytes --]

Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[Charan Teja Kalla]

Thanks T.J and Christian for the inputs.

On 11/19/2022 7:00 PM, Christian König wrote:
>>
>>     Yes, exactly that's the idea.
>>
>>     The only alternatives I can see would be to either move allocating
>>     the
>>     file and so completing the dma_buf initialization last again or just
>>     ignore errors from sysfs.
>>
>>     > If we still want to avoid calling dmabuf->ops->release(dmabuf) in
>>     > dma_buf_release like the comment says I guess we could use
>>     sysfs_entry
>>     > and ERR_PTR to flag that, otherwise it looks like we'd need a bit
>>     > somewhere.
>>
>>     No, this should be dropped as far as I can see. The sysfs cleanup
>>     code
>>     looks like it can handle not initialized kobj pointers.
>>
>>
>> Yeah there is also the null check in dma_buf_stats_teardown() that
>> would prevent it from running, but I understood the comment to be
>> referring to the release() dma_buf_ops call into the exporter which
>> comes right after the teardown call. That looks like it's preventing
>> the fput task work calling back into the exporter after the exporter
>> already got an error from dma_buf_export(). Otherwise the exporter
>> sees a release() for a buffer that it doesn't know about / thinks
>> shouldn't exist. So I could imagine an exporter trying to double free:
>> once for the failed dma_buf_export() call, and again when the
>> release() op is called later.
> 
> 
> Oh, very good point as well. Yeah, then creating the file should
> probably come last.
> 

@Gaosheng: Could you please make these changes or you let me to do?

> Regards,
> Christian.

Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[Charan Teja Kalla]

Thanks T.J and Christian for the inputs.

On 11/19/2022 7:00 PM, Christian König wrote:
>>
>>     Yes, exactly that's the idea.
>>
>>     The only alternatives I can see would be to either move allocating
>>     the
>>     file and so completing the dma_buf initialization last again or just
>>     ignore errors from sysfs.
>>
>>     > If we still want to avoid calling dmabuf->ops->release(dmabuf) in
>>     > dma_buf_release like the comment says I guess we could use
>>     sysfs_entry
>>     > and ERR_PTR to flag that, otherwise it looks like we'd need a bit
>>     > somewhere.
>>
>>     No, this should be dropped as far as I can see. The sysfs cleanup
>>     code
>>     looks like it can handle not initialized kobj pointers.
>>
>>
>> Yeah there is also the null check in dma_buf_stats_teardown() that
>> would prevent it from running, but I understood the comment to be
>> referring to the release() dma_buf_ops call into the exporter which
>> comes right after the teardown call. That looks like it's preventing
>> the fput task work calling back into the exporter after the exporter
>> already got an error from dma_buf_export(). Otherwise the exporter
>> sees a release() for a buffer that it doesn't know about / thinks
>> shouldn't exist. So I could imagine an exporter trying to double free:
>> once for the failed dma_buf_export() call, and again when the
>> release() op is called later.
> 
> 
> Oh, very good point as well. Yeah, then creating the file should
> probably come last.
> 

@Gaosheng: Could you please make these changes or you let me to do?

> Regards,
> Christian.

Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[cuigaosheng]

Thanks T.J and Christian, thanks everyone for taking time to review this patch.

Charan, actually I don't have a good patch to to fix it, if you can submit
a new patch to solve it, please feel free to do it.

By the way, I'd appreciate it if you could send to me the new patch when you submit it.

Thanks again!

Gaosheng.

On 2022/11/24 13:56, Charan Teja Kalla wrote:
> Thanks T.J and Christian for the inputs.
>
> On 11/19/2022 7:00 PM, Christian König wrote:
>>>      Yes, exactly that's the idea.
>>>
>>>      The only alternatives I can see would be to either move allocating
>>>      the
>>>      file and so completing the dma_buf initialization last again or just
>>>      ignore errors from sysfs.
>>>
>>>      > If we still want to avoid calling dmabuf->ops->release(dmabuf) in
>>>      > dma_buf_release like the comment says I guess we could use
>>>      sysfs_entry
>>>      > and ERR_PTR to flag that, otherwise it looks like we'd need a bit
>>>      > somewhere.
>>>
>>>      No, this should be dropped as far as I can see. The sysfs cleanup
>>>      code
>>>      looks like it can handle not initialized kobj pointers.
>>>
>>>
>>> Yeah there is also the null check in dma_buf_stats_teardown() that
>>> would prevent it from running, but I understood the comment to be
>>> referring to the release() dma_buf_ops call into the exporter which
>>> comes right after the teardown call. That looks like it's preventing
>>> the fput task work calling back into the exporter after the exporter
>>> already got an error from dma_buf_export(). Otherwise the exporter
>>> sees a release() for a buffer that it doesn't know about / thinks
>>> shouldn't exist. So I could imagine an exporter trying to double free:
>>> once for the failed dma_buf_export() call, and again when the
>>> release() op is called later.
>>
>> Oh, very good point as well. Yeah, then creating the file should
>> probably come last.
>>
> @Gaosheng: Could you please make these changes or you let me to do?
>
>> Regards,
>> Christian.
> .

Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[cuigaosheng]

Thanks T.J and Christian, thanks everyone for taking time to review this patch.

Charan, actually I don't have a good patch to to fix it, if you can submit
a new patch to solve it, please feel free to do it.

By the way, I'd appreciate it if you could send to me the new patch when you submit it.

Thanks again!

Gaosheng.

On 2022/11/24 13:56, Charan Teja Kalla wrote:
> Thanks T.J and Christian for the inputs.
>
> On 11/19/2022 7:00 PM, Christian König wrote:
>>>      Yes, exactly that's the idea.
>>>
>>>      The only alternatives I can see would be to either move allocating
>>>      the
>>>      file and so completing the dma_buf initialization last again or just
>>>      ignore errors from sysfs.
>>>
>>>      > If we still want to avoid calling dmabuf->ops->release(dmabuf) in
>>>      > dma_buf_release like the comment says I guess we could use
>>>      sysfs_entry
>>>      > and ERR_PTR to flag that, otherwise it looks like we'd need a bit
>>>      > somewhere.
>>>
>>>      No, this should be dropped as far as I can see. The sysfs cleanup
>>>      code
>>>      looks like it can handle not initialized kobj pointers.
>>>
>>>
>>> Yeah there is also the null check in dma_buf_stats_teardown() that
>>> would prevent it from running, but I understood the comment to be
>>> referring to the release() dma_buf_ops call into the exporter which
>>> comes right after the teardown call. That looks like it's preventing
>>> the fput task work calling back into the exporter after the exporter
>>> already got an error from dma_buf_export(). Otherwise the exporter
>>> sees a release() for a buffer that it doesn't know about / thinks
>>> shouldn't exist. So I could imagine an exporter trying to double free:
>>> once for the failed dma_buf_export() call, and again when the
>>> release() op is called later.
>>
>> Oh, very good point as well. Yeah, then creating the file should
>> probably come last.
>>
> @Gaosheng: Could you please make these changes or you let me to do?
>
>> Regards,
>> Christian.
> .

Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[cuigaosheng]

Some tips:
     Before we call the dma_buf_stats_setup(), we have to finish creating the file,
otherwise dma_buf_stats_setup() will return -EINVAL, maybe we need to think about
this when making a new patch.

Hope these tips are useful, thanks!

On 2022/11/24 13:56, Charan Teja Kalla wrote:
> Thanks T.J and Christian for the inputs.
>
> On 11/19/2022 7:00 PM, Christian König wrote:
>>>      Yes, exactly that's the idea.
>>>
>>>      The only alternatives I can see would be to either move allocating
>>>      the
>>>      file and so completing the dma_buf initialization last again or just
>>>      ignore errors from sysfs.
>>>
>>>      > If we still want to avoid calling dmabuf->ops->release(dmabuf) in
>>>      > dma_buf_release like the comment says I guess we could use
>>>      sysfs_entry
>>>      > and ERR_PTR to flag that, otherwise it looks like we'd need a bit
>>>      > somewhere.
>>>
>>>      No, this should be dropped as far as I can see. The sysfs cleanup
>>>      code
>>>      looks like it can handle not initialized kobj pointers.
>>>
>>>
>>> Yeah there is also the null check in dma_buf_stats_teardown() that
>>> would prevent it from running, but I understood the comment to be
>>> referring to the release() dma_buf_ops call into the exporter which
>>> comes right after the teardown call. That looks like it's preventing
>>> the fput task work calling back into the exporter after the exporter
>>> already got an error from dma_buf_export(). Otherwise the exporter
>>> sees a release() for a buffer that it doesn't know about / thinks
>>> shouldn't exist. So I could imagine an exporter trying to double free:
>>> once for the failed dma_buf_export() call, and again when the
>>> release() op is called later.
>>
>> Oh, very good point as well. Yeah, then creating the file should
>> probably come last.
>>
> @Gaosheng: Could you please make these changes or you let me to do?
>
>> Regards,
>> Christian.
> .

Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[cuigaosheng]

Some tips:
     Before we call the dma_buf_stats_setup(), we have to finish creating the file,
otherwise dma_buf_stats_setup() will return -EINVAL, maybe we need to think about
this when making a new patch.

Hope these tips are useful, thanks!

On 2022/11/24 13:56, Charan Teja Kalla wrote:
> Thanks T.J and Christian for the inputs.
>
> On 11/19/2022 7:00 PM, Christian König wrote:
>>>      Yes, exactly that's the idea.
>>>
>>>      The only alternatives I can see would be to either move allocating
>>>      the
>>>      file and so completing the dma_buf initialization last again or just
>>>      ignore errors from sysfs.
>>>
>>>      > If we still want to avoid calling dmabuf->ops->release(dmabuf) in
>>>      > dma_buf_release like the comment says I guess we could use
>>>      sysfs_entry
>>>      > and ERR_PTR to flag that, otherwise it looks like we'd need a bit
>>>      > somewhere.
>>>
>>>      No, this should be dropped as far as I can see. The sysfs cleanup
>>>      code
>>>      looks like it can handle not initialized kobj pointers.
>>>
>>>
>>> Yeah there is also the null check in dma_buf_stats_teardown() that
>>> would prevent it from running, but I understood the comment to be
>>> referring to the release() dma_buf_ops call into the exporter which
>>> comes right after the teardown call. That looks like it's preventing
>>> the fput task work calling back into the exporter after the exporter
>>> already got an error from dma_buf_export(). Otherwise the exporter
>>> sees a release() for a buffer that it doesn't know about / thinks
>>> shouldn't exist. So I could imagine an exporter trying to double free:
>>> once for the failed dma_buf_export() call, and again when the
>>> release() op is called later.
>>
>> Oh, very good point as well. Yeah, then creating the file should
>> probably come last.
>>
> @Gaosheng: Could you please make these changes or you let me to do?
>
>> Regards,
>> Christian.
> .

Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[Christian König]

Am 24.11.22 um 13:05 schrieb cuigaosheng:
> Some tips:
>     Before we call the dma_buf_stats_setup(), we have to finish 
> creating the file,
> otherwise dma_buf_stats_setup() will return -EINVAL, maybe we need to 
> think about
> this when making a new patch.

I was already wondering why the order is this way.

Why is dma_buf_stats_setup() needing the file in the first place?

Thanks,
Christian.

>
> Hope these tips are useful, thanks!
>
> On 2022/11/24 13:56, Charan Teja Kalla wrote:
>> Thanks T.J and Christian for the inputs.
>>
>> On 11/19/2022 7:00 PM, Christian König wrote:
>>>>      Yes, exactly that's the idea.
>>>>
>>>>      The only alternatives I can see would be to either move 
>>>> allocating
>>>>      the
>>>>      file and so completing the dma_buf initialization last again 
>>>> or just
>>>>      ignore errors from sysfs.
>>>>
>>>>      > If we still want to avoid calling 
>>>> dmabuf->ops->release(dmabuf) in
>>>>      > dma_buf_release like the comment says I guess we could use
>>>>      sysfs_entry
>>>>      > and ERR_PTR to flag that, otherwise it looks like we'd need 
>>>> a bit
>>>>      > somewhere.
>>>>
>>>>      No, this should be dropped as far as I can see. The sysfs cleanup
>>>>      code
>>>>      looks like it can handle not initialized kobj pointers.
>>>>
>>>>
>>>> Yeah there is also the null check in dma_buf_stats_teardown() that
>>>> would prevent it from running, but I understood the comment to be
>>>> referring to the release() dma_buf_ops call into the exporter which
>>>> comes right after the teardown call. That looks like it's preventing
>>>> the fput task work calling back into the exporter after the exporter
>>>> already got an error from dma_buf_export(). Otherwise the exporter
>>>> sees a release() for a buffer that it doesn't know about / thinks
>>>> shouldn't exist. So I could imagine an exporter trying to double free:
>>>> once for the failed dma_buf_export() call, and again when the
>>>> release() op is called later.
>>>
>>> Oh, very good point as well. Yeah, then creating the file should
>>> probably come last.
>>>
>> @Gaosheng: Could you please make these changes or you let me to do?
>>
>>> Regards,
>>> Christian.
>> .

Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[Christian König]

Am 24.11.22 um 13:05 schrieb cuigaosheng:
> Some tips:
>     Before we call the dma_buf_stats_setup(), we have to finish 
> creating the file,
> otherwise dma_buf_stats_setup() will return -EINVAL, maybe we need to 
> think about
> this when making a new patch.

I was already wondering why the order is this way.

Why is dma_buf_stats_setup() needing the file in the first place?

Thanks,
Christian.

>
> Hope these tips are useful, thanks!
>
> On 2022/11/24 13:56, Charan Teja Kalla wrote:
>> Thanks T.J and Christian for the inputs.
>>
>> On 11/19/2022 7:00 PM, Christian König wrote:
>>>>      Yes, exactly that's the idea.
>>>>
>>>>      The only alternatives I can see would be to either move 
>>>> allocating
>>>>      the
>>>>      file and so completing the dma_buf initialization last again 
>>>> or just
>>>>      ignore errors from sysfs.
>>>>
>>>>      > If we still want to avoid calling 
>>>> dmabuf->ops->release(dmabuf) in
>>>>      > dma_buf_release like the comment says I guess we could use
>>>>      sysfs_entry
>>>>      > and ERR_PTR to flag that, otherwise it looks like we'd need 
>>>> a bit
>>>>      > somewhere.
>>>>
>>>>      No, this should be dropped as far as I can see. The sysfs cleanup
>>>>      code
>>>>      looks like it can handle not initialized kobj pointers.
>>>>
>>>>
>>>> Yeah there is also the null check in dma_buf_stats_teardown() that
>>>> would prevent it from running, but I understood the comment to be
>>>> referring to the release() dma_buf_ops call into the exporter which
>>>> comes right after the teardown call. That looks like it's preventing
>>>> the fput task work calling back into the exporter after the exporter
>>>> already got an error from dma_buf_export(). Otherwise the exporter
>>>> sees a release() for a buffer that it doesn't know about / thinks
>>>> shouldn't exist. So I could imagine an exporter trying to double free:
>>>> once for the failed dma_buf_export() call, and again when the
>>>> release() op is called later.
>>>
>>> Oh, very good point as well. Yeah, then creating the file should
>>> probably come last.
>>>
>> @Gaosheng: Could you please make these changes or you let me to do?
>>
>>> Regards,
>>> Christian.
>> .

Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[cuigaosheng]

> I was already wondering why the order is this way.
>
> Why is dma_buf_stats_setup() needing the file in the first place? 

dmabuf->file will be used in dma_buf_stats_setup(), the 
dma_buf_stats_setup() as follows:

> 171 int dma_buf_stats_setup(struct dma_buf *dmabuf)
> 172 {
> 173         struct dma_buf_sysfs_entry *sysfs_entry;
> 174         int ret;
> 175
> 176         if (!dmabuf || !dmabuf->file)
> 177                 return -EINVAL;
> 178
> 179         if (!dmabuf->exp_name) {
> 180                 pr_err("exporter name must not be empty if stats 
> needed\n");
> 181                 return -EINVAL;
> 182         }
> 183
> 184         sysfs_entry = kzalloc(sizeof(struct dma_buf_sysfs_entry), 
> GFP_KERNEL);
> 185         if (!sysfs_entry)
> 186                 return -ENOMEM;
> 187
> 188         sysfs_entry->kobj.kset = dma_buf_per_buffer_stats_kset;
> 189         sysfs_entry->dmabuf = dmabuf;
> 190
> 191         dmabuf->sysfs_entry = sysfs_entry;
> 192
> 193         /* create the directory for buffer stats */
> 194         ret = kobject_init_and_add(&sysfs_entry->kobj, 
> &dma_buf_ktype, NULL,
> 195                                    "%lu", 
> file_inode(dmabuf->file)->i_ino);
> 196         if (ret)
> 197                 goto err_sysfs_dmabuf;
> 198
> 199         return 0;
> 200
> 201 err_sysfs_dmabuf:
> 202         kobject_put(&sysfs_entry->kobj);
> 203         dmabuf->sysfs_entry = NULL;
> 204         return ret;
> 205 }
Did I miss something?

Thanks.

On 2022/11/24 20:37, Christian König wrote:
>
>
> Am 24.11.22 um 13:05 schrieb cuigaosheng:
>> Some tips:
>>     Before we call the dma_buf_stats_setup(), we have to finish 
>> creating the file,
>> otherwise dma_buf_stats_setup() will return -EINVAL, maybe we need to 
>> think about
>> this when making a new patch.
>
> I was already wondering why the order is this way.
>
> Why is dma_buf_stats_setup() needing the file in the first place?
>
> Thanks,
> Christian.
>
>>
>> Hope these tips are useful, thanks!
>>
>> On 2022/11/24 13:56, Charan Teja Kalla wrote:
>>> Thanks T.J and Christian for the inputs.
>>>
>>> On 11/19/2022 7:00 PM, Christian König wrote:
>>>>>      Yes, exactly that's the idea.
>>>>>
>>>>>      The only alternatives I can see would be to either move 
>>>>> allocating
>>>>>      the
>>>>>      file and so completing the dma_buf initialization last again 
>>>>> or just
>>>>>      ignore errors from sysfs.
>>>>>
>>>>>      > If we still want to avoid calling 
>>>>> dmabuf->ops->release(dmabuf) in
>>>>>      > dma_buf_release like the comment says I guess we could use
>>>>>      sysfs_entry
>>>>>      > and ERR_PTR to flag that, otherwise it looks like we'd need 
>>>>> a bit
>>>>>      > somewhere.
>>>>>
>>>>>      No, this should be dropped as far as I can see. The sysfs 
>>>>> cleanup
>>>>>      code
>>>>>      looks like it can handle not initialized kobj pointers.
>>>>>
>>>>>
>>>>> Yeah there is also the null check in dma_buf_stats_teardown() that
>>>>> would prevent it from running, but I understood the comment to be
>>>>> referring to the release() dma_buf_ops call into the exporter which
>>>>> comes right after the teardown call. That looks like it's preventing
>>>>> the fput task work calling back into the exporter after the exporter
>>>>> already got an error from dma_buf_export(). Otherwise the exporter
>>>>> sees a release() for a buffer that it doesn't know about / thinks
>>>>> shouldn't exist. So I could imagine an exporter trying to double 
>>>>> free:
>>>>> once for the failed dma_buf_export() call, and again when the
>>>>> release() op is called later.
>>>>
>>>> Oh, very good point as well. Yeah, then creating the file should
>>>> probably come last.
>>>>
>>> @Gaosheng: Could you please make these changes or you let me to do?
>>>
>>>> Regards,
>>>> Christian.
>>> .
>
> .

Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[cuigaosheng]

> I was already wondering why the order is this way.
>
> Why is dma_buf_stats_setup() needing the file in the first place? 

dmabuf->file will be used in dma_buf_stats_setup(), the 
dma_buf_stats_setup() as follows:

> 171 int dma_buf_stats_setup(struct dma_buf *dmabuf)
> 172 {
> 173         struct dma_buf_sysfs_entry *sysfs_entry;
> 174         int ret;
> 175
> 176         if (!dmabuf || !dmabuf->file)
> 177                 return -EINVAL;
> 178
> 179         if (!dmabuf->exp_name) {
> 180                 pr_err("exporter name must not be empty if stats 
> needed\n");
> 181                 return -EINVAL;
> 182         }
> 183
> 184         sysfs_entry = kzalloc(sizeof(struct dma_buf_sysfs_entry), 
> GFP_KERNEL);
> 185         if (!sysfs_entry)
> 186                 return -ENOMEM;
> 187
> 188         sysfs_entry->kobj.kset = dma_buf_per_buffer_stats_kset;
> 189         sysfs_entry->dmabuf = dmabuf;
> 190
> 191         dmabuf->sysfs_entry = sysfs_entry;
> 192
> 193         /* create the directory for buffer stats */
> 194         ret = kobject_init_and_add(&sysfs_entry->kobj, 
> &dma_buf_ktype, NULL,
> 195                                    "%lu", 
> file_inode(dmabuf->file)->i_ino);
> 196         if (ret)
> 197                 goto err_sysfs_dmabuf;
> 198
> 199         return 0;
> 200
> 201 err_sysfs_dmabuf:
> 202         kobject_put(&sysfs_entry->kobj);
> 203         dmabuf->sysfs_entry = NULL;
> 204         return ret;
> 205 }
Did I miss something?

Thanks.

On 2022/11/24 20:37, Christian König wrote:
>
>
> Am 24.11.22 um 13:05 schrieb cuigaosheng:
>> Some tips:
>>     Before we call the dma_buf_stats_setup(), we have to finish 
>> creating the file,
>> otherwise dma_buf_stats_setup() will return -EINVAL, maybe we need to 
>> think about
>> this when making a new patch.
>
> I was already wondering why the order is this way.
>
> Why is dma_buf_stats_setup() needing the file in the first place?
>
> Thanks,
> Christian.
>
>>
>> Hope these tips are useful, thanks!
>>
>> On 2022/11/24 13:56, Charan Teja Kalla wrote:
>>> Thanks T.J and Christian for the inputs.
>>>
>>> On 11/19/2022 7:00 PM, Christian König wrote:
>>>>>      Yes, exactly that's the idea.
>>>>>
>>>>>      The only alternatives I can see would be to either move 
>>>>> allocating
>>>>>      the
>>>>>      file and so completing the dma_buf initialization last again 
>>>>> or just
>>>>>      ignore errors from sysfs.
>>>>>
>>>>>      > If we still want to avoid calling 
>>>>> dmabuf->ops->release(dmabuf) in
>>>>>      > dma_buf_release like the comment says I guess we could use
>>>>>      sysfs_entry
>>>>>      > and ERR_PTR to flag that, otherwise it looks like we'd need 
>>>>> a bit
>>>>>      > somewhere.
>>>>>
>>>>>      No, this should be dropped as far as I can see. The sysfs 
>>>>> cleanup
>>>>>      code
>>>>>      looks like it can handle not initialized kobj pointers.
>>>>>
>>>>>
>>>>> Yeah there is also the null check in dma_buf_stats_teardown() that
>>>>> would prevent it from running, but I understood the comment to be
>>>>> referring to the release() dma_buf_ops call into the exporter which
>>>>> comes right after the teardown call. That looks like it's preventing
>>>>> the fput task work calling back into the exporter after the exporter
>>>>> already got an error from dma_buf_export(). Otherwise the exporter
>>>>> sees a release() for a buffer that it doesn't know about / thinks
>>>>> shouldn't exist. So I could imagine an exporter trying to double 
>>>>> free:
>>>>> once for the failed dma_buf_export() call, and again when the
>>>>> release() op is called later.
>>>>
>>>> Oh, very good point as well. Yeah, then creating the file should
>>>> probably come last.
>>>>
>>> @Gaosheng: Could you please make these changes or you let me to do?
>>>
>>>> Regards,
>>>> Christian.
>>> .
>
> .

Re: [Linaro-mm-sig] Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[Christian König]

Am 24.11.22 um 13:49 schrieb cuigaosheng:
>> I was already wondering why the order is this way.
>>
>> Why is dma_buf_stats_setup() needing the file in the first place? 
>
> dmabuf->file will be used in dma_buf_stats_setup(), the 
> dma_buf_stats_setup() as follows:
>
>> 171 int dma_buf_stats_setup(struct dma_buf *dmabuf)
>> 172 {
>> 173         struct dma_buf_sysfs_entry *sysfs_entry;
>> 174         int ret;
>> 175
>> 176         if (!dmabuf || !dmabuf->file)
>> 177                 return -EINVAL;
>> 178
>> 179         if (!dmabuf->exp_name) {
>> 180                 pr_err("exporter name must not be empty if stats 
>> needed\n");
>> 181                 return -EINVAL;
>> 182         }
>> 183
>> 184         sysfs_entry = kzalloc(sizeof(struct dma_buf_sysfs_entry), 
>> GFP_KERNEL);
>> 185         if (!sysfs_entry)
>> 186                 return -ENOMEM;
>> 187
>> 188         sysfs_entry->kobj.kset = dma_buf_per_buffer_stats_kset;
>> 189         sysfs_entry->dmabuf = dmabuf;
>> 190
>> 191         dmabuf->sysfs_entry = sysfs_entry;
>> 192
>> 193         /* create the directory for buffer stats */
>> 194         ret = kobject_init_and_add(&sysfs_entry->kobj, 
>> &dma_buf_ktype, NULL,
>> 195                                    "%lu", 
>> file_inode(dmabuf->file)->i_ino);

Ah, so it uses the i_ino of the file for the sysfs unique name.

I'm going to take another look how to properly clean this up.

Thanks for pointing this out,
Christian.

>> 196         if (ret)
>> 197                 goto err_sysfs_dmabuf;
>> 198
>> 199         return 0;
>> 200
>> 201 err_sysfs_dmabuf:
>> 202         kobject_put(&sysfs_entry->kobj);
>> 203         dmabuf->sysfs_entry = NULL;
>> 204         return ret;
>> 205 }
> Did I miss something?
>
> Thanks.
>
> On 2022/11/24 20:37, Christian König wrote:
>>
>>
>> Am 24.11.22 um 13:05 schrieb cuigaosheng:
>>> Some tips:
>>>     Before we call the dma_buf_stats_setup(), we have to finish 
>>> creating the file,
>>> otherwise dma_buf_stats_setup() will return -EINVAL, maybe we need 
>>> to think about
>>> this when making a new patch.
>>
>> I was already wondering why the order is this way.
>>
>> Why is dma_buf_stats_setup() needing the file in the first place?
>>
>> Thanks,
>> Christian.
>>
>>>
>>> Hope these tips are useful, thanks!
>>>
>>> On 2022/11/24 13:56, Charan Teja Kalla wrote:
>>>> Thanks T.J and Christian for the inputs.
>>>>
>>>> On 11/19/2022 7:00 PM, Christian König wrote:
>>>>>>      Yes, exactly that's the idea.
>>>>>>
>>>>>>      The only alternatives I can see would be to either move 
>>>>>> allocating
>>>>>>      the
>>>>>>      file and so completing the dma_buf initialization last again 
>>>>>> or just
>>>>>>      ignore errors from sysfs.
>>>>>>
>>>>>>      > If we still want to avoid calling 
>>>>>> dmabuf->ops->release(dmabuf) in
>>>>>>      > dma_buf_release like the comment says I guess we could use
>>>>>>      sysfs_entry
>>>>>>      > and ERR_PTR to flag that, otherwise it looks like we'd 
>>>>>> need a bit
>>>>>>      > somewhere.
>>>>>>
>>>>>>      No, this should be dropped as far as I can see. The sysfs 
>>>>>> cleanup
>>>>>>      code
>>>>>>      looks like it can handle not initialized kobj pointers.
>>>>>>
>>>>>>
>>>>>> Yeah there is also the null check in dma_buf_stats_teardown() that
>>>>>> would prevent it from running, but I understood the comment to be
>>>>>> referring to the release() dma_buf_ops call into the exporter which
>>>>>> comes right after the teardown call. That looks like it's preventing
>>>>>> the fput task work calling back into the exporter after the exporter
>>>>>> already got an error from dma_buf_export(). Otherwise the exporter
>>>>>> sees a release() for a buffer that it doesn't know about / thinks
>>>>>> shouldn't exist. So I could imagine an exporter trying to double 
>>>>>> free:
>>>>>> once for the failed dma_buf_export() call, and again when the
>>>>>> release() op is called later.
>>>>>
>>>>> Oh, very good point as well. Yeah, then creating the file should
>>>>> probably come last.
>>>>>
>>>> @Gaosheng: Could you please make these changes or you let me to do?
>>>>
>>>>> Regards,
>>>>> Christian.
>>>> .
>>
>> .
> _______________________________________________
> Linaro-mm-sig mailing list -- linaro-mm-sig@lists.linaro.org
> To unsubscribe send an email to linaro-mm-sig-leave@lists.linaro.org

Re: [Linaro-mm-sig] Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[Christian König]

Am 24.11.22 um 13:49 schrieb cuigaosheng:
>> I was already wondering why the order is this way.
>>
>> Why is dma_buf_stats_setup() needing the file in the first place? 
>
> dmabuf->file will be used in dma_buf_stats_setup(), the 
> dma_buf_stats_setup() as follows:
>
>> 171 int dma_buf_stats_setup(struct dma_buf *dmabuf)
>> 172 {
>> 173         struct dma_buf_sysfs_entry *sysfs_entry;
>> 174         int ret;
>> 175
>> 176         if (!dmabuf || !dmabuf->file)
>> 177                 return -EINVAL;
>> 178
>> 179         if (!dmabuf->exp_name) {
>> 180                 pr_err("exporter name must not be empty if stats 
>> needed\n");
>> 181                 return -EINVAL;
>> 182         }
>> 183
>> 184         sysfs_entry = kzalloc(sizeof(struct dma_buf_sysfs_entry), 
>> GFP_KERNEL);
>> 185         if (!sysfs_entry)
>> 186                 return -ENOMEM;
>> 187
>> 188         sysfs_entry->kobj.kset = dma_buf_per_buffer_stats_kset;
>> 189         sysfs_entry->dmabuf = dmabuf;
>> 190
>> 191         dmabuf->sysfs_entry = sysfs_entry;
>> 192
>> 193         /* create the directory for buffer stats */
>> 194         ret = kobject_init_and_add(&sysfs_entry->kobj, 
>> &dma_buf_ktype, NULL,
>> 195                                    "%lu", 
>> file_inode(dmabuf->file)->i_ino);

Ah, so it uses the i_ino of the file for the sysfs unique name.

I'm going to take another look how to properly clean this up.

Thanks for pointing this out,
Christian.

>> 196         if (ret)
>> 197                 goto err_sysfs_dmabuf;
>> 198
>> 199         return 0;
>> 200
>> 201 err_sysfs_dmabuf:
>> 202         kobject_put(&sysfs_entry->kobj);
>> 203         dmabuf->sysfs_entry = NULL;
>> 204         return ret;
>> 205 }
> Did I miss something?
>
> Thanks.
>
> On 2022/11/24 20:37, Christian König wrote:
>>
>>
>> Am 24.11.22 um 13:05 schrieb cuigaosheng:
>>> Some tips:
>>>     Before we call the dma_buf_stats_setup(), we have to finish 
>>> creating the file,
>>> otherwise dma_buf_stats_setup() will return -EINVAL, maybe we need 
>>> to think about
>>> this when making a new patch.
>>
>> I was already wondering why the order is this way.
>>
>> Why is dma_buf_stats_setup() needing the file in the first place?
>>
>> Thanks,
>> Christian.
>>
>>>
>>> Hope these tips are useful, thanks!
>>>
>>> On 2022/11/24 13:56, Charan Teja Kalla wrote:
>>>> Thanks T.J and Christian for the inputs.
>>>>
>>>> On 11/19/2022 7:00 PM, Christian König wrote:
>>>>>>      Yes, exactly that's the idea.
>>>>>>
>>>>>>      The only alternatives I can see would be to either move 
>>>>>> allocating
>>>>>>      the
>>>>>>      file and so completing the dma_buf initialization last again 
>>>>>> or just
>>>>>>      ignore errors from sysfs.
>>>>>>
>>>>>>      > If we still want to avoid calling 
>>>>>> dmabuf->ops->release(dmabuf) in
>>>>>>      > dma_buf_release like the comment says I guess we could use
>>>>>>      sysfs_entry
>>>>>>      > and ERR_PTR to flag that, otherwise it looks like we'd 
>>>>>> need a bit
>>>>>>      > somewhere.
>>>>>>
>>>>>>      No, this should be dropped as far as I can see. The sysfs 
>>>>>> cleanup
>>>>>>      code
>>>>>>      looks like it can handle not initialized kobj pointers.
>>>>>>
>>>>>>
>>>>>> Yeah there is also the null check in dma_buf_stats_teardown() that
>>>>>> would prevent it from running, but I understood the comment to be
>>>>>> referring to the release() dma_buf_ops call into the exporter which
>>>>>> comes right after the teardown call. That looks like it's preventing
>>>>>> the fput task work calling back into the exporter after the exporter
>>>>>> already got an error from dma_buf_export(). Otherwise the exporter
>>>>>> sees a release() for a buffer that it doesn't know about / thinks
>>>>>> shouldn't exist. So I could imagine an exporter trying to double 
>>>>>> free:
>>>>>> once for the failed dma_buf_export() call, and again when the
>>>>>> release() op is called later.
>>>>>
>>>>> Oh, very good point as well. Yeah, then creating the file should
>>>>> probably come last.
>>>>>
>>>> @Gaosheng: Could you please make these changes or you let me to do?
>>>>
>>>>> Regards,
>>>>> Christian.
>>>> .
>>
>> .
> _______________________________________________
> Linaro-mm-sig mailing list -- linaro-mm-sig@lists.linaro.org
> To unsubscribe send an email to linaro-mm-sig-leave@lists.linaro.org

Re: [Linaro-mm-sig] Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[Charan Teja Kalla]

Thanks Christian/TJ for all your inputs!!

On 11/24/2022 6:25 PM, Christian König wrote:
>>> I was already wondering why the order is this way.
>>>
>>> Why is dma_buf_stats_setup() needing the file in the first place? 
>>
>> dmabuf->file will be used in dma_buf_stats_setup(), the
>> dma_buf_stats_setup() as follows:
>>
>>> 171 int dma_buf_stats_setup(struct dma_buf *dmabuf)
>>> 172 {
>>> 173         struct dma_buf_sysfs_entry *sysfs_entry;
>>> 174         int ret;
>>> 175
>>> 176         if (!dmabuf || !dmabuf->file)
>>> 177                 return -EINVAL;
>>> 178
>>> 179         if (!dmabuf->exp_name) {
>>> 180                 pr_err("exporter name must not be empty if stats
>>> needed\n");
>>> 181                 return -EINVAL;
>>> 182         }
>>> 183
>>> 184         sysfs_entry = kzalloc(sizeof(struct dma_buf_sysfs_entry),
>>> GFP_KERNEL);
>>> 185         if (!sysfs_entry)
>>> 186                 return -ENOMEM;
>>> 187
>>> 188         sysfs_entry->kobj.kset = dma_buf_per_buffer_stats_kset;
>>> 189         sysfs_entry->dmabuf = dmabuf;
>>> 190
>>> 191         dmabuf->sysfs_entry = sysfs_entry;
>>> 192
>>> 193         /* create the directory for buffer stats */
>>> 194         ret = kobject_init_and_add(&sysfs_entry->kobj,
>>> &dma_buf_ktype, NULL,
>>> 195                                    "%lu",
>>> file_inode(dmabuf->file)->i_ino);
> 
> Ah, so it uses the i_ino of the file for the sysfs unique name.
> 
> I'm going to take another look how to properly clean this up.
> 

How about deleting the dmabuf from the db_list directly in the error
path (which is usually done by the fput()) and then continue with the
normal fput() here.

Just compile tested the below code and If the logic make sense for you,
will send the final tested patch.
----------------------><---------------------------------------------

diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index e6f36c0..10a1727 100644
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -87,19 +87,28 @@ static void dma_buf_release(struct dentry *dentry)
        kfree(dmabuf);
 }

-static int dma_buf_file_release(struct inode *inode, struct file *file)
+static void dma_buf_db_list_remove(struct file *file)
 {
        struct dma_buf *dmabuf;

-       if (!is_dma_buf_file(file))
-               return -EINVAL;
-
        dmabuf = file->private_data;
+       if (!dmabuf)
+               return;

        mutex_lock(&db_list.lock);
        list_del(&dmabuf->list_node);
        mutex_unlock(&db_list.lock);

+       file->private_data = NULL;
+}
+
+static int dma_buf_file_release(struct inode *inode, struct file *file)
+{
+       if (!is_dma_buf_file(file))
+               return -EINVAL;
+
+       dma_buf_db_list_remove(file);
+
        return 0;
 }

@@ -688,6 +697,8 @@ struct dma_buf *dma_buf_export(const struct
dma_buf_export_info *exp_info)
         * early before calling the release() dma_buf op.
         */
        file->f_path.dentry->d_fsdata = NULL;
+
+       dma_buf_db_list_remove(file);
        fput(file);
 err_dmabuf:
        kfree(dmabuf);

--------------------><-----------------------------


> Thanks for pointing this out,
> Christian.

Re: [Linaro-mm-sig] Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[Charan Teja Kalla]

Thanks Christian/TJ for all your inputs!!

On 11/24/2022 6:25 PM, Christian König wrote:
>>> I was already wondering why the order is this way.
>>>
>>> Why is dma_buf_stats_setup() needing the file in the first place? 
>>
>> dmabuf->file will be used in dma_buf_stats_setup(), the
>> dma_buf_stats_setup() as follows:
>>
>>> 171 int dma_buf_stats_setup(struct dma_buf *dmabuf)
>>> 172 {
>>> 173         struct dma_buf_sysfs_entry *sysfs_entry;
>>> 174         int ret;
>>> 175
>>> 176         if (!dmabuf || !dmabuf->file)
>>> 177                 return -EINVAL;
>>> 178
>>> 179         if (!dmabuf->exp_name) {
>>> 180                 pr_err("exporter name must not be empty if stats
>>> needed\n");
>>> 181                 return -EINVAL;
>>> 182         }
>>> 183
>>> 184         sysfs_entry = kzalloc(sizeof(struct dma_buf_sysfs_entry),
>>> GFP_KERNEL);
>>> 185         if (!sysfs_entry)
>>> 186                 return -ENOMEM;
>>> 187
>>> 188         sysfs_entry->kobj.kset = dma_buf_per_buffer_stats_kset;
>>> 189         sysfs_entry->dmabuf = dmabuf;
>>> 190
>>> 191         dmabuf->sysfs_entry = sysfs_entry;
>>> 192
>>> 193         /* create the directory for buffer stats */
>>> 194         ret = kobject_init_and_add(&sysfs_entry->kobj,
>>> &dma_buf_ktype, NULL,
>>> 195                                    "%lu",
>>> file_inode(dmabuf->file)->i_ino);
> 
> Ah, so it uses the i_ino of the file for the sysfs unique name.
> 
> I'm going to take another look how to properly clean this up.
> 

How about deleting the dmabuf from the db_list directly in the error
path (which is usually done by the fput()) and then continue with the
normal fput() here.

Just compile tested the below code and If the logic make sense for you,
will send the final tested patch.
----------------------><---------------------------------------------

diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index e6f36c0..10a1727 100644
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -87,19 +87,28 @@ static void dma_buf_release(struct dentry *dentry)
        kfree(dmabuf);
 }

-static int dma_buf_file_release(struct inode *inode, struct file *file)
+static void dma_buf_db_list_remove(struct file *file)
 {
        struct dma_buf *dmabuf;

-       if (!is_dma_buf_file(file))
-               return -EINVAL;
-
        dmabuf = file->private_data;
+       if (!dmabuf)
+               return;

        mutex_lock(&db_list.lock);
        list_del(&dmabuf->list_node);
        mutex_unlock(&db_list.lock);

+       file->private_data = NULL;
+}
+
+static int dma_buf_file_release(struct inode *inode, struct file *file)
+{
+       if (!is_dma_buf_file(file))
+               return -EINVAL;
+
+       dma_buf_db_list_remove(file);
+
        return 0;
 }

@@ -688,6 +697,8 @@ struct dma_buf *dma_buf_export(const struct
dma_buf_export_info *exp_info)
         * early before calling the release() dma_buf op.
         */
        file->f_path.dentry->d_fsdata = NULL;
+
+       dma_buf_db_list_remove(file);
        fput(file);
 err_dmabuf:
        kfree(dmabuf);

--------------------><-----------------------------


> Thanks for pointing this out,
> Christian.

Re: [Linaro-mm-sig] Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[Christian König]

Am 06.12.22 um 13:55 schrieb Charan Teja Kalla:
> Thanks Christian/TJ for all your inputs!!
>
> On 11/24/2022 6:25 PM, Christian König wrote:
>>>> I was already wondering why the order is this way.
>>>>
>>>> Why is dma_buf_stats_setup() needing the file in the first place?
>>> dmabuf->file will be used in dma_buf_stats_setup(), the
>>> dma_buf_stats_setup() as follows:
>>>
>>>> 171 int dma_buf_stats_setup(struct dma_buf *dmabuf)
>>>> 172 {
>>>> 173         struct dma_buf_sysfs_entry *sysfs_entry;
>>>> 174         int ret;
>>>> 175
>>>> 176         if (!dmabuf || !dmabuf->file)
>>>> 177                 return -EINVAL;
>>>> 178
>>>> 179         if (!dmabuf->exp_name) {
>>>> 180                 pr_err("exporter name must not be empty if stats
>>>> needed\n");
>>>> 181                 return -EINVAL;
>>>> 182         }
>>>> 183
>>>> 184         sysfs_entry = kzalloc(sizeof(struct dma_buf_sysfs_entry),
>>>> GFP_KERNEL);
>>>> 185         if (!sysfs_entry)
>>>> 186                 return -ENOMEM;
>>>> 187
>>>> 188         sysfs_entry->kobj.kset = dma_buf_per_buffer_stats_kset;
>>>> 189         sysfs_entry->dmabuf = dmabuf;
>>>> 190
>>>> 191         dmabuf->sysfs_entry = sysfs_entry;
>>>> 192
>>>> 193         /* create the directory for buffer stats */
>>>> 194         ret = kobject_init_and_add(&sysfs_entry->kobj,
>>>> &dma_buf_ktype, NULL,
>>>> 195                                    "%lu",
>>>> file_inode(dmabuf->file)->i_ino);
>> Ah, so it uses the i_ino of the file for the sysfs unique name.
>>
>> I'm going to take another look how to properly clean this up.
>>
> How about deleting the dmabuf from the db_list directly in the error
> path (which is usually done by the fput()) and then continue with the
> normal fput() here.

No, that's not really clean either.

Give me 10 Minutes, going to come up with something.

Regards,
Christian.

>
> Just compile tested the below code and If the logic make sense for you,
> will send the final tested patch.
> ----------------------><---------------------------------------------
>
> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
> index e6f36c0..10a1727 100644
> --- a/drivers/dma-buf/dma-buf.c
> +++ b/drivers/dma-buf/dma-buf.c
> @@ -87,19 +87,28 @@ static void dma_buf_release(struct dentry *dentry)
>          kfree(dmabuf);
>   }
>
> -static int dma_buf_file_release(struct inode *inode, struct file *file)
> +static void dma_buf_db_list_remove(struct file *file)
>   {
>          struct dma_buf *dmabuf;
>
> -       if (!is_dma_buf_file(file))
> -               return -EINVAL;
> -
>          dmabuf = file->private_data;
> +       if (!dmabuf)
> +               return;
>
>          mutex_lock(&db_list.lock);
>          list_del(&dmabuf->list_node);
>          mutex_unlock(&db_list.lock);
>
> +       file->private_data = NULL;
> +}
> +
> +static int dma_buf_file_release(struct inode *inode, struct file *file)
> +{
> +       if (!is_dma_buf_file(file))
> +               return -EINVAL;
> +
> +       dma_buf_db_list_remove(file);
> +
>          return 0;
>   }
>
> @@ -688,6 +697,8 @@ struct dma_buf *dma_buf_export(const struct
> dma_buf_export_info *exp_info)
>           * early before calling the release() dma_buf op.
>           */
>          file->f_path.dentry->d_fsdata = NULL;
> +
> +       dma_buf_db_list_remove(file);
>          fput(file);
>   err_dmabuf:
>          kfree(dmabuf);
>
> --------------------><-----------------------------
>
>
>> Thanks for pointing this out,
>> Christian.

Re: [Linaro-mm-sig] Re: [PATCH] dma-buf: Fix possible UAF in dma_buf_export

[Christian König]

Am 06.12.22 um 13:55 schrieb Charan Teja Kalla:
> Thanks Christian/TJ for all your inputs!!
>
> On 11/24/2022 6:25 PM, Christian König wrote:
>>>> I was already wondering why the order is this way.
>>>>
>>>> Why is dma_buf_stats_setup() needing the file in the first place?
>>> dmabuf->file will be used in dma_buf_stats_setup(), the
>>> dma_buf_stats_setup() as follows:
>>>
>>>> 171 int dma_buf_stats_setup(struct dma_buf *dmabuf)
>>>> 172 {
>>>> 173         struct dma_buf_sysfs_entry *sysfs_entry;
>>>> 174         int ret;
>>>> 175
>>>> 176         if (!dmabuf || !dmabuf->file)
>>>> 177                 return -EINVAL;
>>>> 178
>>>> 179         if (!dmabuf->exp_name) {
>>>> 180                 pr_err("exporter name must not be empty if stats
>>>> needed\n");
>>>> 181                 return -EINVAL;
>>>> 182         }
>>>> 183
>>>> 184         sysfs_entry = kzalloc(sizeof(struct dma_buf_sysfs_entry),
>>>> GFP_KERNEL);
>>>> 185         if (!sysfs_entry)
>>>> 186                 return -ENOMEM;
>>>> 187
>>>> 188         sysfs_entry->kobj.kset = dma_buf_per_buffer_stats_kset;
>>>> 189         sysfs_entry->dmabuf = dmabuf;
>>>> 190
>>>> 191         dmabuf->sysfs_entry = sysfs_entry;
>>>> 192
>>>> 193         /* create the directory for buffer stats */
>>>> 194         ret = kobject_init_and_add(&sysfs_entry->kobj,
>>>> &dma_buf_ktype, NULL,
>>>> 195                                    "%lu",
>>>> file_inode(dmabuf->file)->i_ino);
>> Ah, so it uses the i_ino of the file for the sysfs unique name.
>>
>> I'm going to take another look how to properly clean this up.
>>
> How about deleting the dmabuf from the db_list directly in the error
> path (which is usually done by the fput()) and then continue with the
> normal fput() here.

No, that's not really clean either.

Give me 10 Minutes, going to come up with something.

Regards,
Christian.

>
> Just compile tested the below code and If the logic make sense for you,
> will send the final tested patch.
> ----------------------><---------------------------------------------
>
> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
> index e6f36c0..10a1727 100644
> --- a/drivers/dma-buf/dma-buf.c
> +++ b/drivers/dma-buf/dma-buf.c
> @@ -87,19 +87,28 @@ static void dma_buf_release(struct dentry *dentry)
>          kfree(dmabuf);
>   }
>
> -static int dma_buf_file_release(struct inode *inode, struct file *file)
> +static void dma_buf_db_list_remove(struct file *file)
>   {
>          struct dma_buf *dmabuf;
>
> -       if (!is_dma_buf_file(file))
> -               return -EINVAL;
> -
>          dmabuf = file->private_data;
> +       if (!dmabuf)
> +               return;
>
>          mutex_lock(&db_list.lock);
>          list_del(&dmabuf->list_node);
>          mutex_unlock(&db_list.lock);
>
> +       file->private_data = NULL;
> +}
> +
> +static int dma_buf_file_release(struct inode *inode, struct file *file)
> +{
> +       if (!is_dma_buf_file(file))
> +               return -EINVAL;
> +
> +       dma_buf_db_list_remove(file);
> +
>          return 0;
>   }
>
> @@ -688,6 +697,8 @@ struct dma_buf *dma_buf_export(const struct
> dma_buf_export_info *exp_info)
>           * early before calling the release() dma_buf op.
>           */
>          file->f_path.dentry->d_fsdata = NULL;
> +
> +       dma_buf_db_list_remove(file);
>          fput(file);
>   err_dmabuf:
>          kfree(dmabuf);
>
> --------------------><-----------------------------
>
>
>> Thanks for pointing this out,
>> Christian.