dma-buf: free dmabuf->name in dma_buf_release()

Message ID	20200225204446.11378-1-xiyou.wangcong@gmail.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=g7RT=4O=lists.freedesktop.org=dri-devel-bounces@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 4509224650 From: Cong Wang <xiyou.wangcong@gmail.com> To: linux-media@vger.kernel.org Subject: [PATCH] dma-buf: free dmabuf->name in dma_buf_release() Date: Tue, 25 Feb 2020 12:44:46 -0800 Message-Id: <20200225204446.11378-1-xiyou.wangcong@gmail.com> MIME-Version: 1.0 Precedence: list Cc: Chenbo Feng <fengc@google.com>, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, linaro-mm-sig@lists.linaro.org, syzbot+b2098bc44728a4efb3e9@syzkaller.appspotmail.com, Cong Wang <xiyou.wangcong@gmail.com>, Andrew Morton <akpm@linux-foundation.org>, Linus Torvalds <torvalds@linux-foundation.org> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
Series	dma-buf: free dmabuf->name in dma_buf_release() \| expand dma-buf: free dmabuf->name in dma_buf_release()

Message ID

20200225204446.11378-1-xiyou.wangcong@gmail.com (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 4509224650
From: Cong Wang <xiyou.wangcong@gmail.com>
To: linux-media@vger.kernel.org
Subject: [PATCH] dma-buf: free dmabuf->name in dma_buf_release()
Date: Tue, 25 Feb 2020 12:44:46 -0800
Message-Id: <20200225204446.11378-1-xiyou.wangcong@gmail.com>
MIME-Version: 1.0
Precedence: list
Cc: Chenbo Feng <fengc@google.com>, linux-kernel@vger.kernel.org,
 dri-devel@lists.freedesktop.org, linaro-mm-sig@lists.linaro.org,
 syzbot+b2098bc44728a4efb3e9@syzkaller.appspotmail.com,
 Cong Wang <xiyou.wangcong@gmail.com>,
 Andrew Morton <akpm@linux-foundation.org>,
 Linus Torvalds <torvalds@linux-foundation.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

Series

dma-buf: free dmabuf->name in dma_buf_release() | expand

Commit Message

Cong Wang Feb. 25, 2020, 8:44 p.m. UTC

dma-buff name can be set via DMA_BUF_SET_NAME ioctl, but once set
it never gets freed.

Free it in dma_buf_release().

Fixes: bb2bb9030425 ("dma-buf: add DMA_BUF_SET_NAME ioctls")
Reported-by: syzbot+b2098bc44728a4efb3e9@syzkaller.appspotmail.com
Acked-by: Chenbo Feng <fengc@google.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
 drivers/dma-buf/dma-buf.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Cong Wang Feb. 27, 2020, 9:38 p.m. UTC | #1

On Tue, Feb 25, 2020 at 5:54 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>
> On Tue, 25 Feb 2020 12:44:46 -0800 Cong Wang <xiyou.wangcong@gmail.com> wrote:
>
> > dma-buff name can be set via DMA_BUF_SET_NAME ioctl, but once set
> > it never gets freed.
> >
> > Free it in dma_buf_release().
> >
> > ...
> >
> > --- a/drivers/dma-buf/dma-buf.c
> > +++ b/drivers/dma-buf/dma-buf.c
> > @@ -108,6 +108,7 @@ static int dma_buf_release(struct inode *inode, struct file *file)
> >               dma_resv_fini(dmabuf->resv);
> >
> >       module_put(dmabuf->owner);
> > +     kfree(dmabuf->name);
> >       kfree(dmabuf);
> >       return 0;
> >  }
>
> ow.  Is that ioctl privileged?

It looks unprivileged to me, as I don't see capable() called along
the path.

Thanks.

Andrew Morton Feb. 27, 2020, 9:45 p.m. UTC | #2

On Thu, 27 Feb 2020 13:38:03 -0800 Cong Wang <xiyou.wangcong@gmail.com> wrote:

> On Tue, Feb 25, 2020 at 5:54 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> >
> > On Tue, 25 Feb 2020 12:44:46 -0800 Cong Wang <xiyou.wangcong@gmail.com> wrote:
> >
> > > dma-buff name can be set via DMA_BUF_SET_NAME ioctl, but once set
> > > it never gets freed.
> > >
> > > Free it in dma_buf_release().
> > >
> > > ...
> > >
> > > --- a/drivers/dma-buf/dma-buf.c
> > > +++ b/drivers/dma-buf/dma-buf.c
> > > @@ -108,6 +108,7 @@ static int dma_buf_release(struct inode *inode, struct file *file)
> > >               dma_resv_fini(dmabuf->resv);
> > >
> > >       module_put(dmabuf->owner);
> > > +     kfree(dmabuf->name);
> > >       kfree(dmabuf);
> > >       return 0;
> > >  }
> >
> > ow.  Is that ioctl privileged?
> 
> It looks unprivileged to me, as I don't see capable() called along
> the path.
> 

OK, thanks.  I added cc:stable to my copy.

diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index d4097856c86b..c343c7c10b4c 100644
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -108,6 +108,7 @@  static int dma_buf_release(struct inode *inode, struct file *file)
 		dma_resv_fini(dmabuf->resv);
 
 	module_put(dmabuf->owner);
+	kfree(dmabuf->name);
 	kfree(dmabuf);
 	return 0;
 }

dma-buf: free dmabuf->name in dma_buf_release()

Commit Message

Comments

Patch