dri-devel.lists.freedesktop.org archive mirror
* [PATCH] dmabuf: fix NULL pointer dereference in dma_buf_release()
@ 2020-09-18 10:32 Charan Teja Reddy
  2020-09-18 11:16 ` Christian König
  0 siblings, 1 reply; 3+ messages in thread
From: Charan Teja Reddy @ 2020-09-18 10:32 UTC
  To: sumit.semwal, christian.koenig, arnd
  Cc: linux-kernel, dri-devel, linaro-mm-sig, vinmenon,
	Charan Teja Reddy, stable, linux-media

NULL pointer dereference is observed while exporting the dmabuf but
failed to allocate the 'struct file' which results into the dropping of
the allocated dentry corresponding to this file in the dmabuf fs, which
is ending up in dma_buf_release() and accessing the uninitialized
dentry->d_fsdata.

Call stack on 5.4 is below:
 dma_buf_release+0x2c/0x254 drivers/dma-buf/dma-buf.c:88
 __dentry_kill+0x294/0x31c fs/dcache.c:584
 dentry_kill fs/dcache.c:673 [inline]
 dput+0x250/0x380 fs/dcache.c:859
 path_put+0x24/0x40 fs/namei.c:485
 alloc_file_pseudo+0x1a4/0x200 fs/file_table.c:235
 dma_buf_getfile drivers/dma-buf/dma-buf.c:473 [inline]
 dma_buf_export+0x25c/0x3ec drivers/dma-buf/dma-buf.c:585

Fix this by checking for the valid pointer in the dentry->d_fsdata.

Fixes: 4ab59c3c638c ("dma-buf: Move dma_buf_release() from fops to dentry_ops")
Cc: <stable@vger.kernel.org> [5.7+]
Signed-off-by: Charan Teja Reddy <charante@codeaurora.org>
---
 drivers/dma-buf/dma-buf.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index 58564d82..844967f 100644
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -59,6 +59,8 @@ static void dma_buf_release(struct dentry *dentry)
 	struct dma_buf *dmabuf;
 
 	dmabuf = dentry->d_fsdata;
+	if (unlikely(!dmabuf))
+		return;
 
 	BUG_ON(dmabuf->vmapping_counter);
 
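Review bot: The early return added after `dmabuf = dentry->d_fsdata;` carries no comment saying when d_fsdata can legitimately be NULL, so a later reader cannot tell an expected state from a masked bug. Per the commit message the only such case is a failed 'struct file' allocation during export, where the dentry is dropped before d_fsdata is set; a one-line comment above `if (unlikely(!dmabuf))` stating that would document it.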
-- 
QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a
member of the Code Aurora Forum, hosted by The Linux Foundation

_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
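
The failure path described in the commit message above, as an added userspace model (not kernel code and not part of the original patch). All names (model_buf, model_dentry, model_release, model_export) are hypothetical stand-ins, and the unguarded case returns a marker value instead of actually dereferencing NULL.

```c
#include <stddef.h>

/* Userspace model of the failure path; every name is a hypothetical stand-in. */
struct model_buf    { int released; };
struct model_dentry { void *d_fsdata; };   /* private data, attached late */

enum release_result { RELEASED, SKIPPED_NO_DATA, WOULD_DEREF_NULL };

/* Teardown hook. guarded=0 models the pre-patch body, guarded=1 the patched one. */
static enum release_result model_release(struct model_dentry *d, int guarded)
{
    struct model_buf *buf = d->d_fsdata;

    if (!buf)   /* dentry dropped before private data was attached */
        return guarded ? SKIPPED_NO_DATA : WOULD_DEREF_NULL; /* recorded, not crashed */

    buf->released = 1;   /* normal teardown touches the buffer */
    return RELEASED;
}

/*
 * Export path: the dentry (and its release hook) exists before the file does.
 * If file allocation fails, dropping the dentry runs the hook while d_fsdata
 * is still NULL. On success d_fsdata is attached and the final put releases it.
 */
static enum release_result model_export(struct model_buf *buf, int file_alloc_ok,
                                        int guarded)
{
    struct model_dentry dentry = { .d_fsdata = NULL };

    if (!file_alloc_ok)
        return model_release(&dentry, guarded);  /* error path: put on bare dentry */

    dentry.d_fsdata = buf;                       /* attached only after success */
    return model_release(&dentry, guarded);      /* final put at end of life */
}

int main(void)
{
    struct model_buf buf = { 0 };

    /* Patched hook, failed file allocation: must skip without touching buf. */
    return model_export(&buf, 0, 1) == SKIPPED_NO_DATA && !buf.released ? 0 : 1;
}
```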


* Re: [PATCH] dmabuf: fix NULL pointer dereference in dma_buf_release()
  2020-09-18 10:32 [PATCH] dmabuf: fix NULL pointer dereference in dma_buf_release() Charan Teja Reddy
@ 2020-09-18 11:16 ` Christian König
  2020-09-18 12:48   ` Daniel Vetter
  0 siblings, 1 reply; 3+ messages in thread
From: Christian König @ 2020-09-18 11:16 UTC
  To: Charan Teja Reddy, sumit.semwal, arnd
  Cc: linux-kernel, stable, linaro-mm-sig, vinmenon, dri-devel, linux-media

On 18.09.20 at 12:32, Charan Teja Reddy wrote:
> NULL pointer dereference is observed while exporting the dmabuf but
> failed to allocate the 'struct file' which results into the dropping of
> the allocated dentry corresponding to this file in the dmabuf fs, which
> is ending up in dma_buf_release() and accessing the uninitialized
> dentry->d_fsdata.
>
> Call stack on 5.4 is below:
>   dma_buf_release+0x2c/0x254 drivers/dma-buf/dma-buf.c:88
>   __dentry_kill+0x294/0x31c fs/dcache.c:584
>   dentry_kill fs/dcache.c:673 [inline]
>   dput+0x250/0x380 fs/dcache.c:859
>   path_put+0x24/0x40 fs/namei.c:485
>   alloc_file_pseudo+0x1a4/0x200 fs/file_table.c:235
>   dma_buf_getfile drivers/dma-buf/dma-buf.c:473 [inline]
>   dma_buf_export+0x25c/0x3ec drivers/dma-buf/dma-buf.c:585
>
> Fix this by checking for the valid pointer in the dentry->d_fsdata.
>
> Fixes: 4ab59c3c638c ("dma-buf: Move dma_buf_release() from fops to dentry_ops")
> Cc: <stable@vger.kernel.org> [5.7+]
> Signed-off-by: Charan Teja Reddy <charante@codeaurora.org>

Reviewed-by: Christian König <christian.koenig@amd.com>

Going to pick this up for inclusion into drm-misc-next as well.

> ---
>   drivers/dma-buf/dma-buf.c | 2 ++
>   1 file changed, 2 insertions(+)
>
> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
> index 58564d82..844967f 100644
> --- a/drivers/dma-buf/dma-buf.c
> +++ b/drivers/dma-buf/dma-buf.c
> @@ -59,6 +59,8 @@ static void dma_buf_release(struct dentry *dentry)
>   	struct dma_buf *dmabuf;
>   
>   	dmabuf = dentry->d_fsdata;
> +	if (unlikely(!dmabuf))
> +		return;
>   
>   	BUG_ON(dmabuf->vmapping_counter);
>   
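
Review bot: The `unlikely()` hint on the added `if (unlikely(!dmabuf))` line sits in a release callback that, per the call stack, runs from __dentry_kill() at dentry teardown rather than on a hot path, so the branch annotation adds noise without benefit. A plain `if (!dmabuf)` would read more simply.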


* Re: [PATCH] dmabuf: fix NULL pointer dereference in dma_buf_release()
  2020-09-18 11:16 ` Christian König
@ 2020-09-18 12:48   ` Daniel Vetter
  0 siblings, 0 replies; 3+ messages in thread
From: Daniel Vetter @ 2020-09-18 12:48 UTC
  To: Christian König
  Cc: arnd, linux-kernel, stable, linaro-mm-sig, vinmenon,
	Charan Teja Reddy, dri-devel, linux-media

On Fri, Sep 18, 2020 at 01:16:16PM +0200, Christian König wrote:
> On 18.09.20 at 12:32, Charan Teja Reddy wrote:
> > NULL pointer dereference is observed while exporting the dmabuf but
> > failed to allocate the 'struct file' which results into the dropping of
> > the allocated dentry corresponding to this file in the dmabuf fs, which
> > is ending up in dma_buf_release() and accessing the uninitialized
> > dentry->d_fsdata.
> > 
> > Call stack on 5.4 is below:
> >   dma_buf_release+0x2c/0x254 drivers/dma-buf/dma-buf.c:88
> >   __dentry_kill+0x294/0x31c fs/dcache.c:584
> >   dentry_kill fs/dcache.c:673 [inline]
> >   dput+0x250/0x380 fs/dcache.c:859
> >   path_put+0x24/0x40 fs/namei.c:485
> >   alloc_file_pseudo+0x1a4/0x200 fs/file_table.c:235
> >   dma_buf_getfile drivers/dma-buf/dma-buf.c:473 [inline]
> >   dma_buf_export+0x25c/0x3ec drivers/dma-buf/dma-buf.c:585
> > 
> > Fix this by checking for the valid pointer in the dentry->d_fsdata.
> > 
> > Fixes: 4ab59c3c638c ("dma-buf: Move dma_buf_release() from fops to dentry_ops")
> > Cc: <stable@vger.kernel.org> [5.7+]
> > Signed-off-by: Charan Teja Reddy <charante@codeaurora.org>
> 
> Reviewed-by: Christian König <christian.koenig@amd.com>
> 
> Going to pick this up for inclusion into drm-misc-next as well.

drm-misc-fixes since this is a bugfix that needs to be backported.
-Daniel

> 
> > ---
> >   drivers/dma-buf/dma-buf.c | 2 ++
> >   1 file changed, 2 insertions(+)
> > 
> > diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
> > index 58564d82..844967f 100644
> > --- a/drivers/dma-buf/dma-buf.c
> > +++ b/drivers/dma-buf/dma-buf.c
> > @@ -59,6 +59,8 @@ static void dma_buf_release(struct dentry *dentry)
> >   	struct dma_buf *dmabuf;
> >   	dmabuf = dentry->d_fsdata;
> > +	if (unlikely(!dmabuf))
> > +		return;
> >   	BUG_ON(dmabuf->vmapping_counter);

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch