From patchwork Tue Dec 3 17:25:35 2024
X-Patchwork-Submitter: Jann Horn
X-Patchwork-Id: 13892740
From: Jann Horn
Date: Tue, 03 Dec 2024 18:25:35 +0100
Subject: [PATCH 1/3] udmabuf: fix racy memfd sealing check
Message-Id: <20241203-udmabuf-fixes-v1-1-f99281c345aa@google.com>
In-Reply-To: <20241203-udmabuf-fixes-v1-0-f99281c345aa@google.com>
To: Gerd Hoffmann, Vivek Kasireddy, Sumit Semwal, Christian König, Simona Vetter, John Stultz, Andrew Morton, "Joel Fernandes (Google)"
Cc: dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org, Jann Horn, Julian Orth, stable@vger.kernel.org

The current check_memfd_seals() is racy: Since we first do check_memfd_seals() and then udmabuf_pin_folios() without holding any relevant lock across both, F_SEAL_WRITE can be set in between.

This is problematic because we can end up holding pins to pages in a write-sealed memfd.

Fix it using the inode lock, that's probably the easiest way. In the future, we might want to consider moving this logic into memfd, especially if anyone else wants to use memfd_pin_folios().

Reported-by: Julian Orth
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219106
Closes: https://lore.kernel.org/r/CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTgpD+StkV9w@mail.gmail.com
Fixes: fbb0de795078 ("Add udmabuf misc device")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn
--- drivers/dma-buf/udmabuf.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 8ce1f074c2d32a0a9f59ff7184359e37d56548c6..662b9a26e06668bf59ab36d07c0648c7b02ee5ae 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c 
@@ -436,14 +436,15 @@ static long udmabuf_create(struct miscdevice *device, goto err; } + inode_lock_shared(memfd->f_inode); ret = check_memfd_seals(memfd); - if (ret < 0) { - fput(memfd); - goto err; - } + if (ret) + goto out_unlock; ret = udmabuf_pin_folios(ubuf, memfd, list[i].offset, list[i].size, folios); +out_unlock: + inode_unlock_shared(memfd->f_inode); fput(memfd); if (ret) goto err; 

From patchwork Tue Dec 3 17:25:36 2024
X-Patchwork-Submitter: Jann Horn
X-Patchwork-Id: 13892742
From: Jann Horn
Date: Tue, 03 Dec 2024 18:25:36 +0100
Subject: [PATCH 2/3] udmabuf: also check for F_SEAL_FUTURE_WRITE
Message-Id: <20241203-udmabuf-fixes-v1-2-f99281c345aa@google.com>
In-Reply-To: <20241203-udmabuf-fixes-v1-0-f99281c345aa@google.com>
To: Gerd Hoffmann, Vivek Kasireddy, Sumit Semwal, Christian König, Simona Vetter, John Stultz, Andrew Morton, "Joel Fernandes (Google)"
Cc: dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org, Jann Horn, stable@vger.kernel.org

When F_SEAL_FUTURE_WRITE was introduced, it was overlooked that udmabuf must reject memfds with this flag, just like ones with F_SEAL_WRITE. Fix it by adding F_SEAL_FUTURE_WRITE to SEALS_DENIED.

Fixes: ab3948f58ff8 ("mm/memfd: add an F_SEAL_FUTURE_WRITE seal to memfd")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn
Acked-by: Vivek Kasireddy
--- drivers/dma-buf/udmabuf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 662b9a26e06668bf59ab36d07c0648c7b02ee5ae..8ce77f5837d71a73be677cad014e05f29706057d 100644 --- a/drivers/dma-buf/udmabuf.c 
+++ b/drivers/dma-buf/udmabuf.c 
@@ -297,7 +297,7 @@ static const struct dma_buf_ops udmabuf_ops = { }; #define SEALS_WANTED (F_SEAL_SHRINK) -#define SEALS_DENIED (F_SEAL_WRITE) +#define SEALS_DENIED (F_SEAL_WRITE|F_SEAL_FUTURE_WRITE) static int check_memfd_seals(struct file *memfd) { 

From patchwork Tue Dec 3 17:25:37 2024
X-Patchwork-Submitter: Jann Horn
X-Patchwork-Id: 13892741
From: Jann Horn
Date: Tue, 03 Dec 2024 18:25:37 +0100
Subject: [PATCH 3/3] udmabuf: fix memory leak on last export_udmabuf() error path
Message-Id: <20241203-udmabuf-fixes-v1-3-f99281c345aa@google.com>
In-Reply-To: <20241203-udmabuf-fixes-v1-0-f99281c345aa@google.com>
To: Gerd Hoffmann, Vivek Kasireddy, Sumit Semwal, Christian König, Simona Vetter, John Stultz, Andrew Morton, "Joel Fernandes (Google)"
Cc: dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org, Jann Horn

In export_udmabuf(), if dma_buf_fd() fails because the FD table is full, a dma_buf owning the udmabuf has already been created; but the error handling in udmabuf_create() will tear down the udmabuf without doing anything about the containing dma_buf.

This leaves a dma_buf in memory that contains a dangling pointer; though that doesn't seem to lead to anything bad except a memory leak.

Fix it by moving the dma_buf_fd() call out of export_udmabuf() so that we can give it different error handling.

Note that the shape of this code changed a lot in commit 5e72b2b41a21 ("udmabuf: convert udmabuf driver to use folios"); but the memory leak seems to have existed since the introduction of udmabuf.

Fixes: fbb0de795078 ("Add udmabuf misc device")
Signed-off-by: Jann Horn
Acked-by: Vivek Kasireddy
--- drivers/dma-buf/udmabuf.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 8ce77f5837d71a73be677cad014e05f29706057d..aae0071be14a2c83a428b59ea9e905c7173232be 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -317,12 +317,11 @@ static int check_memfd_seals(struct file *memfd) return 0; } -static int export_udmabuf(struct udmabuf *ubuf, - struct miscdevice *device, - u32 flags) +static struct dma_buf *export_udmabuf(struct udmabuf *ubuf, + struct miscdevice *device, + u32 flags) { DEFINE_DMA_BUF_EXPORT_INFO(exp_info); - struct dma_buf *buf; ubuf->device = device; exp_info.ops = &udmabuf_ops; @@ -330,11 +329,7 @@ static int export_udmabuf(struct udmabuf *ubuf, exp_info.priv = ubuf; exp_info.flags = O_RDWR; - buf = dma_buf_export(&exp_info); - if (IS_ERR(buf)) - return PTR_ERR(buf); - - return dma_buf_fd(buf, flags); + return dma_buf_export(&exp_info); } static long udmabuf_pin_folios(struct udmabuf *ubuf, struct file *memfd, @@ -391,6 +386,7 @@ static long udmabuf_create(struct miscdevice *device, struct folio **folios = NULL; pgoff_t pgcnt = 0, pglimit; struct udmabuf *ubuf; + struct dma_buf *dmabuf; long ret = -EINVAL; u32 i, flags; 
@@ -451,9 +447,16 @@ static long udmabuf_create(struct miscdevice *device, } flags = head->flags & UDMABUF_FLAGS_CLOEXEC ? O_CLOEXEC : 0; - ret = export_udmabuf(ubuf, device, flags); - if (ret < 0) + dmabuf = export_udmabuf(ubuf, device, flags); + if (IS_ERR(dmabuf)) { + ret = PTR_ERR(dmabuf); goto err; + } + /* ownership of ubuf is held by the dmabuf from here */ + + ret = dma_buf_fd(dmabuf, flags); + if (ret < 0) + dma_buf_put(dmabuf); kvfree(folios); return ret;
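
Review bot: In [PATCH 1/3], the new inode_lock_shared(memfd->f_inode) call in udmabuf_create() carries no comment saying what it excludes. The commit message explains that F_SEAL_WRITE could otherwise be set between check_memfd_seals() and udmabuf_pin_folios(), but a shared lock only closes that window if the seal-setting path takes the same inode lock exclusively, and the code should say so at the call site. Consider file_inode(memfd) instead of the open-coded memfd->f_inode in both the lock and unlock calls. The list[i] indexing suggests out_unlock sits inside the per-item loop body; a short comment there would keep it from being read as a function-level exit label.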
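
Review bot: In [PATCH 2/3], the new SEALS_DENIED definition has no spaces around the | operator; kernel style would be (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE). A one-line comment above the macro stating why both write seals are rejected would also help, since the commit message says the flag was overlooked here when it was introduced and nothing in the code records that dependency.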
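
Review bot: In [PATCH 3/3], export_udmabuf() keeps its u32 flags parameter, but with dma_buf_fd(buf, flags) moved out of the function, none of the lines shown in its body still use it (exp_info.flags is set to O_RDWR, not to flags). Unless a line outside these hunks needs it, drop the parameter and the matching argument at the call site in udmabuf_create().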
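
Review bot: In [PATCH 3/3], the last udmabuf_create() hunk handles a dma_buf_fd() failure with dma_buf_put(dmabuf) and then falls through to the shared kvfree(folios); return ret; tail rather than using goto err, and that asymmetry is only hinted at by the comment "ownership of ubuf is held by the dmabuf from here". Please extend the comment to say that the err label must not be reached past this point, because it tears down a ubuf that the dmabuf now owns; otherwise a later change that adds a goto err after the export would reintroduce a teardown bug on this path.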