| Message ID | 20211008075420.42874-1-guangming.cao@mediatek.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v2] dma-buf: acquire name lock before read/write dma_buf.name | expand |
Am 08.10.21 um 09:54 schrieb guangming.cao@mediatek.com: > From: Guangming Cao <Guangming.Cao@mediatek.com> > > Because dma-buf.name can be freed in func: "dma_buf_set_name", > so, we need to acquire lock first before we read/write dma_buf.name > to prevent Use After Free(UAF) issue. > > Signed-off-by: Guangming Cao <Guangming.Cao@mediatek.com> Reviewed-by: Christian König <christian.koenig@amd.com> Going to push that upstream if nobody else objects. Thanks, Christian. > --- > drivers/dma-buf/dma-buf.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c > index 511fe0d217a0..a7f6fd13a635 100644 > --- a/drivers/dma-buf/dma-buf.c > +++ b/drivers/dma-buf/dma-buf.c > @@ -1372,6 +1372,8 @@ static int dma_buf_debug_show(struct seq_file *s, void *unused) > if (ret) > goto error_unlock; > > + > + spin_lock(&buf_obj->name_lock); > seq_printf(s, "%08zu\t%08x\t%08x\t%08ld\t%s\t%08lu\t%s\n", > buf_obj->size, > buf_obj->file->f_flags, buf_obj->file->f_mode, > @@ -1379,6 +1381,7 @@ static int dma_buf_debug_show(struct seq_file *s, void *unused) > buf_obj->exp_name, > file_inode(buf_obj->file)->i_ino, > buf_obj->name ?: ""); > + spin_unlock(&buf_obj->name_lock); > > robj = buf_obj->resv; > fence = dma_resv_excl_fence(robj);
From: Guangming Cao <Guangming.Cao@mediatek.com> > Am 08.10.21 um 09:54 schrieb guangming.cao@mediatek.com: > > From: Guangming Cao <Guangming.Cao@mediatek.com> > > > > Because dma-buf.name can be freed in func: "dma_buf_set_name", > > so, we need to acquire lock first before we read/write dma_buf.name > > to prevent Use After Free(UAF) issue. > > > > Signed-off-by: Guangming Cao <Guangming.Cao@mediatek.com> > > Reviewed-by: Christian König <christian.koenig@amd.com> > > Going to push that upstream if nobody else objects. > > Thanks, > Christian. I'm sorry to disturb you, actually I need this patch to solve our issues. Is there any question about it? seems it hasn't been merged into mainline. Thanks, Guangming. > > > --- > > drivers/dma-buf/dma-buf.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c > > index 511fe0d217a0..a7f6fd13a635 100644 > > --- a/drivers/dma-buf/dma-buf.c > > +++ b/drivers/dma-buf/dma-buf.c > > @@ -1372,6 +1372,8 @@ static int dma_buf_debug_show(struct seq_file *s, void *unused) > > if (ret) > > goto error_unlock; > > > > + > > + spin_lock(&buf_obj->name_lock); > > seq_printf(s, "%08zu\t%08x\t%08x\t%08ld\t%s\t%08lu\t%s\n", > > buf_obj->size, > > buf_obj->file->f_flags, buf_obj->file->f_mode, > > @@ -1379,6 +1381,7 @@ static int dma_buf_debug_show(struct seq_file *s, void *unused) > > buf_obj->exp_name, > > file_inode(buf_obj->file)->i_ino, > > buf_obj->name ?: ""); > > + spin_unlock(&buf_obj->name_lock); > > > > robj = buf_obj->resv; > > fence = dma_resv_excl_fence(robj);
From: Guangming Cao <Guangming.Cao@mediatek.com> On Fri, 2021-10-08 at 12:24 +0200, Christian König wrote: > Am 08.10.21 um 09:54 schrieb guangming.cao@mediatek.com: > > From: Guangming Cao <Guangming.Cao@mediatek.com> > > > > Because dma-buf.name can be freed in func: "dma_buf_set_name", > > so, we need to acquire lock first before we read/write dma_buf.name > > to prevent Use After Free(UAF) issue. > > > > Signed-off-by: Guangming Cao <Guangming.Cao@mediatek.com> > > Reviewed-by: Christian König <christian.koenig@amd.com> > > Going to push that upstream if nobody else objects. > > Thanks, > Christian. Just a gentle ping for this patch, please kindly let me know how is it going. > > > --- > > drivers/dma-buf/dma-buf.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c > > index 511fe0d217a0..a7f6fd13a635 100644 > > --- a/drivers/dma-buf/dma-buf.c > > +++ b/drivers/dma-buf/dma-buf.c > > @@ -1372,6 +1372,8 @@ static int dma_buf_debug_show(struct seq_file > > *s, void *unused) > > if (ret) > > goto error_unlock; > > > > + > > + spin_lock(&buf_obj->name_lock); > > seq_printf(s, > > "%08zu\t%08x\t%08x\t%08ld\t%s\t%08lu\t%s\n", > > buf_obj->size, > > buf_obj->file->f_flags, buf_obj->file- > > >f_mode, > > @@ -1379,6 +1381,7 @@ static int dma_buf_debug_show(struct seq_file > > *s, void *unused) > > buf_obj->exp_name, > > file_inode(buf_obj->file)->i_ino, > > buf_obj->name ?: ""); > > + spin_unlock(&buf_obj->name_lock); > > > > robj = buf_obj->resv; > > fence = dma_resv_excl_fence(robj); > > > _______________________________________________ > Linux-mediatek mailing list > Linux-mediatek@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-mediatek
Am 29.10.21 um 04:15 schrieb guangming.cao@mediatek.com: > From: Guangming Cao <Guangming.Cao@mediatek.com> > > On Fri, 2021-10-08 at 12:24 +0200, Christian König wrote: >> Am 08.10.21 um 09:54 schrieb guangming.cao@mediatek.com: >>> From: Guangming Cao <Guangming.Cao@mediatek.com> >>> >>> Because dma-buf.name can be freed in func: "dma_buf_set_name", >>> so, we need to acquire lock first before we read/write dma_buf.name >>> to prevent Use After Free(UAF) issue. >>> >>> Signed-off-by: Guangming Cao <Guangming.Cao@mediatek.com> >> Reviewed-by: Christian König <christian.koenig@amd.com> >> >> Going to push that upstream if nobody else objects. >> >> Thanks, >> Christian. > Just a gentle ping for this patch, please kindly let me know how is it going. Ah, yes. Thanks for the reminder. I've just pushed this to drm-misc-fixes. Christian. > >>> --- >>> drivers/dma-buf/dma-buf.c | 3 +++ >>> 1 file changed, 3 insertions(+) >>> >>> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c >>> index 511fe0d217a0..a7f6fd13a635 100644 >>> --- a/drivers/dma-buf/dma-buf.c >>> +++ b/drivers/dma-buf/dma-buf.c >>> @@ -1372,6 +1372,8 @@ static int dma_buf_debug_show(struct seq_file >>> *s, void *unused) >>> if (ret) >>> goto error_unlock; >>> >>> + >>> + spin_lock(&buf_obj->name_lock); >>> seq_printf(s, >>> "%08zu\t%08x\t%08x\t%08ld\t%s\t%08lu\t%s\n", >>> buf_obj->size, >>> buf_obj->file->f_flags, buf_obj->file- >>>> f_mode, >>> @@ -1379,6 +1381,7 @@ static int dma_buf_debug_show(struct seq_file >>> *s, void *unused) >>> buf_obj->exp_name, >>> file_inode(buf_obj->file)->i_ino, >>> buf_obj->name ?: ""); >>> + spin_unlock(&buf_obj->name_lock); >>> >>> robj = buf_obj->resv; >>> fence = dma_resv_excl_fence(robj); >> >> _______________________________________________ >> Linux-mediatek mailing list >> Linux-mediatek@lists.infradead.org >> https://nam11.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.infradead.org%2Fmailman%2Flistinfo%2Flinux-mediatek&data=04%7C01%7Cchristian.koenig%40amd.com%7C9e95ae08d63d440fc4d108d99a8200c1%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637710705542841586%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=HdiD8%2FX853nQ1vD8n0Qsfv93NaHCCIJF6Pb2rOd%2FLOQ%3D&reserved=0
diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index 511fe0d217a0..a7f6fd13a635 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -1372,6 +1372,8 @@ static int dma_buf_debug_show(struct seq_file *s, void *unused) if (ret) goto error_unlock; + + spin_lock(&buf_obj->name_lock); seq_printf(s, "%08zu\t%08x\t%08x\t%08ld\t%s\t%08lu\t%s\n", buf_obj->size, buf_obj->file->f_flags, buf_obj->file->f_mode, @@ -1379,6 +1381,7 @@ static int dma_buf_debug_show(struct seq_file *s, void *unused) buf_obj->exp_name, file_inode(buf_obj->file)->i_ino, buf_obj->name ?: ""); + spin_unlock(&buf_obj->name_lock); robj = buf_obj->resv; fence = dma_resv_excl_fence(robj);