From patchwork Tue Dec 3 17:25:35 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jann Horn X-Patchwork-Id: 13892745 Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8F03B1FA825 for ; Tue, 3 Dec 2024 17:26:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.43 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733246812; cv=none; b=efQITwra0U9u7yuFGEwhdo9Gkd1w4sI8UYe1GIUn40Vwz97Io0PSLyNoVggeiQXUXyM5dECZmwbQ7GWJBkXLgUYF3ET/M4Y/eAR5Eo5DjzM6JUzF/b3RtWprMRbZiNVSWZNkLxr55v+UdGdrM0rZWE0OYZrJ+ZPz2P4jjygSx/0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733246812; c=relaxed/simple; bh=Aq2zO2su/gJQZo1LKHbVMD9Hcz8GmXaQFYJOvJIHJUg=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=TN6FZDPtr4Jmn0w7n4cpU8PQ0eAj83LUr3YosH8B1jmlh1sBBwPOyQy6WAlXLPPhtnRiEMmmGcjSp/AezV1+IaHz6zvK1NRMIL6K//4IV1OKVgWr04xiSNAm53ifoELxqGl1Y8FT61nvWaWP4e6vqY8gm/kHtkIiAAvhWl9ORUo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=4SAjdCyj; arc=none smtp.client-ip=209.85.128.43 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="4SAjdCyj" Received: by mail-wm1-f43.google.com with SMTP id 5b1f17b1804b1-434a9f9a225so56025e9.1 for ; Tue, 03 Dec 2024 09:26:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1733246808; x=1733851608; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=9A/J5jkgomsMiHFvcuDoSxKD5NJW5y7f08S/zY5zTv8=; b=4SAjdCyjnIkugf8ljwDjQXnvxNeDEy1R3GoxGeaOuV0Zb0CNbkf+V7fSrTVGXqKVhD Cq95lsNfmUSVwpWk+HDaec9oUsAlRMEIbLrmHCDQEND2gQJRoPas9IGX0OeK0z6tTckY IVwrqCe6eXV1AkjY3J/otecJDvb1KU6L4sjiCNVzk6o6s+MHOou8A8DEVpoEGCoU7O8R tAlak021kRrD++owqZ6JAHiMwFG7BE+AMYGWT5YY9ejwAUgMJYC+b7BVUsJ+eGuPbSMC UbGQOZo1SO7gcyygN048hQ+Y4bmLU67CX8HTrLG49d4RHQ1jFrPU7abrroLJE7AWkBYr IjaA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1733246808; x=1733851608; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=9A/J5jkgomsMiHFvcuDoSxKD5NJW5y7f08S/zY5zTv8=; b=mmxjfD7iISAZJk2NPUxSZgoWTS7dUUdI/L/lY18FVsU/91j9jZrRyovDkjNvTFNMp0 rZg7mbM/tp29rvXPagP735DRfo3QUukC/5ScJZUmN/pQLsfkSVE1hEEG7UHjuV5miwn8 +HH63yrRy0kpmQe0RfVRodCMdvWL3O04gMkCUMGFzeeEKgLHfCmWLTo5aszVovdA7MAn InqcVhIe17Ya8Ra96XMsVMVLaNYYTvGPgxWZSdcN57W5rq7FJtyXNRrnoe637GZfWKhd 8+he3wnzaDXCjxTbyE/uUEulyQAcQnyYdaGxLvSSgDpiF8fREDgqT2Cq49N0LRiOcczc RQBQ== X-Forwarded-Encrypted: i=1; AJvYcCXg7tW4wR8rgDloPbSdwpifR+f12pQSXatqCokrxpL47VCR1L6MJzzm87yt6EoFE7uzZPyHEsxNsxX62Q==@vger.kernel.org X-Gm-Message-State: AOJu0Yz9mX5PYWuGFSf/6fbbUZw9a0GR1SwMxjg0DhpCJBksio17XI3i Lg1FrP/RJuZE4NHOx8kmuLhT+o8o6eForLJ6kCtm+BoRPC0DMfreGPqLR/0fow== X-Gm-Gg: ASbGncuaYb3KRt8aejorU+SsltjzYz6pklaKRLz9wJvljDxj+VFNFyw3YiwuM4jF1FJ qT4kY8yEgTkn4Q+Dw3+ROlzXypBXVYomlzhgUPPPZK7S/zjlUlxKZo1GyV6TedmcNE26E3OhPbh lpYVUqkYJzJQMGF2K5DtlN6dAwJAmMFHjw6pvhIb2AYDjb7oiGR7ujB8n9jinZd2uGZDrXCEQhU 2WO8lRfr2MdowbothnXBf6PykPwjVND/TSJzQ== X-Google-Smtp-Source: AGHT+IFZqTIc4JHhlvLFIIqiUiNlQB9koDtYePpOB1Asac3qhzzJf/qabHheeO4gqnlhnImPyoFMHQ== X-Received: by 2002:a05:600c:1f93:b0:42b:a961:e51 with SMTP id 5b1f17b1804b1-434d04fbed7mr1401935e9.0.1733246807548; Tue, 03 Dec 2024 09:26:47 -0800 (PST) Received: from localhost ([2a00:79e0:9d:4:92ba:3294:39ee:2d61]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-434b0f70d9csm201336315e9.38.2024.12.03.09.26.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Dec 2024 09:26:47 -0800 (PST) From: Jann Horn Date: Tue, 03 Dec 2024 18:25:35 +0100 Subject: [PATCH 1/3] udmabuf: fix racy memfd sealing check Precedence: bulk X-Mailing-List: linux-media@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20241203-udmabuf-fixes-v1-1-f99281c345aa@google.com> References: <20241203-udmabuf-fixes-v1-0-f99281c345aa@google.com> In-Reply-To: <20241203-udmabuf-fixes-v1-0-f99281c345aa@google.com> To: Gerd Hoffmann , Vivek Kasireddy , Sumit Semwal , =?utf-8?q?Christian_K=C3=B6nig?= , Simona Vetter , John Stultz , Andrew Morton , "Joel Fernandes (Google)" Cc: dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org, Jann Horn , Julian Orth , stable@vger.kernel.org X-Mailer: b4 0.15-dev X-Developer-Signature: v=1; a=ed25519-sha256; t=1733246802; l=1642; i=jannh@google.com; s=20240730; h=from:subject:message-id; bh=Aq2zO2su/gJQZo1LKHbVMD9Hcz8GmXaQFYJOvJIHJUg=; b=nHri5mQURsQCt6qUqaiD5aSYbBqGWvkkFAyFFqtmxx/10lRP3oWxueAag4of6Gz9UdJJ7j6rF fH9tuFCVgXJDnU7/j0wwtosFko/X7UkQaHlRmJaTrIACgXmedoy/Ws4 X-Developer-Key: i=jannh@google.com; a=ed25519; pk=AljNtGOzXeF6khBXDJVVvwSEkVDGnnZZYqfWhP1V+C8= The current check_memfd_seals() is racy: Since we first do check_memfd_seals() and then udmabuf_pin_folios() without holding any relevant lock across both, F_SEAL_WRITE can be set in between. This is problematic because we can end up holding pins to pages in a write-sealed memfd. Fix it using the inode lock, that's probably the easiest way. In the future, we might want to consider moving this logic into memfd, especially if anyone else wants to use memfd_pin_folios(). Reported-by: Julian Orth Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219106 Closes: https://lore.kernel.org/r/CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTgpD+StkV9w@mail.gmail.com Fixes: fbb0de795078 ("Add udmabuf misc device") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn --- drivers/dma-buf/udmabuf.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 8ce1f074c2d32a0a9f59ff7184359e37d56548c6..662b9a26e06668bf59ab36d07c0648c7b02ee5ae 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -436,14 +436,15 @@ static long udmabuf_create(struct miscdevice *device, goto err; } + inode_lock_shared(memfd->f_inode); ret = check_memfd_seals(memfd); - if (ret < 0) { - fput(memfd); - goto err; - } + if (ret) + goto out_unlock; ret = udmabuf_pin_folios(ubuf, memfd, list[i].offset, list[i].size, folios); +out_unlock: + inode_unlock_shared(memfd->f_inode); fput(memfd); if (ret) goto err; From patchwork Tue Dec 3 17:25:36 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jann Horn X-Patchwork-Id: 13892744 Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com [209.85.128.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9C4A81FAC3B for ; Tue, 3 Dec 2024 17:26:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.46 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733246812; cv=none; b=d5m3N0ZqFlWacCK/aSo0VndNMCqZSSKUUec9opV1bsBA1NB8N9qFv17UH/AfRZ3TWZRmdgMkIAA7ejBZHOlXvm9xEEblo2UmX1Adtnfpev19pvab4CFUQurdeke4fGxPcOIL8on2pmgHHmx0EaEdLIkLuW6iZ+x75aWMm78Kv6Y= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733246812; c=relaxed/simple; bh=3m/LMLlH/7jMESx6X9fIIIIib4hfJn5luoPUIkkkDds=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=NGeDuRYbj0u2KUyzyeGPmTjt7w8qcaJnFWy+OoBmPHUeXitj8C9ei09RTQ4NA4lPue3SkW3IbmSjyEK8V8phIcObu3H/zED3AlaeptABgcGS5mlkFDhSguedNNulqMOso5acdDOAUF8owRrmwQtSGXdvIpenXTJKg3o2QGco9Y8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=qygmHYjK; arc=none smtp.client-ip=209.85.128.46 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="qygmHYjK" Received: by mail-wm1-f46.google.com with SMTP id 5b1f17b1804b1-4349ea54db7so56585e9.0 for ; Tue, 03 Dec 2024 09:26:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1733246809; x=1733851609; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=uM3+RQXTMnOQ47ZFii0e33qP4d5w9EjJgy5PSo8ovks=; b=qygmHYjKQarvwNSRKLUHpG64+r89RJ9syZWWveMgWVAAr3lExgEHLY8Zdbj5etLAMI NjRZK/MfCjZFZvRVxm4ruMI0VMGFsgp6REnI/lQSrzIZKxH3fYlJdX4wQlY5pD9eDvzY /bX4sO2JofKUVjmO2z0Z/doBzyGn+0flHjImQbq/tueHYe8qqu0FkfSdMs84/ogb+hC8 /JMFFdD593bzZVSb7k852U4ikdcjLDQdEjRF99MNHVBRKmnIg9mQ5mfvcBfN0Bit0Itn vZBEGmOB2H7E1ZuIs4Tvv78gjrYabb0b2OSSn5xFKQ4/c4qzDLtZ5/dyIrhMj11wtFUh fY+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1733246809; x=1733851609; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=uM3+RQXTMnOQ47ZFii0e33qP4d5w9EjJgy5PSo8ovks=; b=mE0uLynikc2pnQQqEottAB1YvsyXNZ631xBbNwHspXU4hb/pJgGVnjDRqwUJN2rE1e QmVTjJz+PkVHtKSBJtN1yrCAsKh0KdGnaVXLHRtytbrRKo5BpS3Vz34kRRd7836J7mZy p9slZVDvXIlCaNAM0VNKl4ePooNVgzDJkKAsW3FjUw6H5j/YGwjhrHK7l6PBYRdMY+9E Z1faPCOXY0Did4ccG8r+qVTraQ5VLMRrYAvfdbOhkm8GrOnqf1OekQTBKhpt/KrT7OAb kJEnoPLsdWI0L7xgLXmHSsp2AERq/rwMpSrnh7KzVM2CO7WCj1Lf2tkPQsJYGnTlZ/PI q9zQ== X-Forwarded-Encrypted: i=1; AJvYcCVKziArhMJ43fk7091+dNPuxT3b5yHwhi1tRWvgQ/SwB0nPY/c0A3pRPsg6VNJs/UYxJR7eARuUdlTKgQ==@vger.kernel.org X-Gm-Message-State: AOJu0YycwDKOaJsWp+4vNu9WHSGFwGAVHLArYk4t0gwemk1zg4rBvFXK 4GGiI+Jol7rMPm7CiUsqzebpzCcGzN6/G67mRO2LjQnsBtR4/C8EOYUUjPbd+w== X-Gm-Gg: ASbGncs0gJ93o4b8ekYk1UCy+OSiRauFrXTmnyy2e2n9qSJv1gl7/gBN1aRRNdsILTY XpZQf1pqGwN8eq2NaSsgpQJ+919FfGHjWqn8nvvLw3YwI8xz+OUpKdUYGcs1m6hrIf6aLx3Pl64 q6seWHiDysB65+MO3tfODeYTzPMH0dkP17Nj+xcl5/CNdxMYjX9MnbSW9YXgy17/stSPWhA3npt JsIspwSiXYTdASaEA64zFTr/idsT8DYuZtftw== X-Google-Smtp-Source: AGHT+IHah3tfnWDLN3UKIDFtEX6OxzBKzVPQiPV9mkH1uPluyyoiP9zAGpDGGtbXeYMGH6VNL1bEUg== X-Received: by 2002:a7b:cc83:0:b0:434:9d76:5031 with SMTP id 5b1f17b1804b1-434d12b8d88mr1204455e9.1.1733246808530; Tue, 03 Dec 2024 09:26:48 -0800 (PST) Received: from localhost ([2a00:79e0:9d:4:92ba:3294:39ee:2d61]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-385ccd3a522sm15986910f8f.52.2024.12.03.09.26.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Dec 2024 09:26:48 -0800 (PST) From: Jann Horn Date: Tue, 03 Dec 2024 18:25:36 +0100 Subject: [PATCH 2/3] udmabuf: also check for F_SEAL_FUTURE_WRITE Precedence: bulk X-Mailing-List: linux-media@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20241203-udmabuf-fixes-v1-2-f99281c345aa@google.com> References: <20241203-udmabuf-fixes-v1-0-f99281c345aa@google.com> In-Reply-To: <20241203-udmabuf-fixes-v1-0-f99281c345aa@google.com> To: Gerd Hoffmann , Vivek Kasireddy , Sumit Semwal , =?utf-8?q?Christian_K=C3=B6nig?= , Simona Vetter , John Stultz , Andrew Morton , "Joel Fernandes (Google)" Cc: dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org, Jann Horn , stable@vger.kernel.org X-Mailer: b4 0.15-dev X-Developer-Signature: v=1; a=ed25519-sha256; t=1733246802; l=976; i=jannh@google.com; s=20240730; h=from:subject:message-id; bh=3m/LMLlH/7jMESx6X9fIIIIib4hfJn5luoPUIkkkDds=; b=C68RSNAz5tSn7/At1pT+/cqpyr2/1yVHxrn2ThIXppaycwhw+jpyJIrVQd0vwYT6uWunp7bMu gPYbSI141ikD1YI6YQFzt61WVCUN7ejJNigEshkNyhdAZUVB/Jcx0OG X-Developer-Key: i=jannh@google.com; a=ed25519; pk=AljNtGOzXeF6khBXDJVVvwSEkVDGnnZZYqfWhP1V+C8= When F_SEAL_FUTURE_WRITE was introduced, it was overlooked that udmabuf must reject memfds with this flag, just like ones with F_SEAL_WRITE. Fix it by adding F_SEAL_FUTURE_WRITE to SEALS_DENIED. Fixes: ab3948f58ff8 ("mm/memfd: add an F_SEAL_FUTURE_WRITE seal to memfd") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn Acked-by: Vivek Kasireddy --- drivers/dma-buf/udmabuf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 662b9a26e06668bf59ab36d07c0648c7b02ee5ae..8ce77f5837d71a73be677cad014e05f29706057d 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -297,7 +297,7 @@ static const struct dma_buf_ops udmabuf_ops = { }; #define SEALS_WANTED (F_SEAL_SHRINK) -#define SEALS_DENIED (F_SEAL_WRITE) +#define SEALS_DENIED (F_SEAL_WRITE|F_SEAL_FUTURE_WRITE) static int check_memfd_seals(struct file *memfd) { From patchwork Tue Dec 3 17:25:37 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jann Horn X-Patchwork-Id: 13892746 Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com [209.85.128.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8616F1FBCB5 for ; Tue, 3 Dec 2024 17:26:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.52 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733246813; cv=none; b=j/OFkePC4iVBe/qxyjXOYyta0BJB3An9n7I6LjF/ADc8U3/NEyQpJ4vWzV1LG2uBZ0k3f+3waxyrmQUwaw2IXyaroCGFd8Q4cpW5C4FymnAvPpvi4w+1Y7yMeVkzH06e8R8WuIfZ/NV4yl+G9gh18Ui1RjJvkCcVdUxcgm6utf4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733246813; c=relaxed/simple; bh=d/SKaEARJ6M0/cu1G8obkYNjM7fgsn+zCy4/XdkuEqM=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=Ahgh3Eb2NyTbRtu1ELwHXIaVMYGVHzRsCt2qyXjBC685x73O5y9FQ42k3JK0/kCVCx35pvFwlV8YuQuWau4i8itxVTefeslebioso0cqSpgDM9TkOJNUfXj02QM4YkapBu34shl45RFofugexjusq0MjOgAn9RJXPAiFRpGUc70= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=KVIsVwFx; arc=none smtp.client-ip=209.85.128.52 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="KVIsVwFx" Received: by mail-wm1-f52.google.com with SMTP id 5b1f17b1804b1-434a9f9a225so56105e9.1 for ; Tue, 03 Dec 2024 09:26:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1733246810; x=1733851610; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=/Vb9UXBOYsKi0pZ5x9hV4iMqdA2fMvrJ4pmauvo9ZZ8=; b=KVIsVwFxDhDefX7PSff7Lc1+S7MXB+cnYhP2mbB+dFDWfQhYaLOs6nVM85Zj43S0tM dm/hxnbrojsn4paJs6GxQs3na332MzvVkpAEiWmhXDJD8lRrPt6ueU8XTbYI9P4yHmtw +2RKGw/KrukdrQBXNPdzVKUHbull7Om7uA3OullCdUDmPx/7WEl32DrUFbIUnL9tUU4z A82vA6kAvsCMHadJzxZQte5PR1AOg7c/MUsRs47iBITAgJGpICiO0ZXWzWH7JtrEla76 +H8aSgTTveexDPQ4iC18dCAxf4U7QCQ1o71ajaLeeGloM0/jSD5a7vW8Me26HSGey2we pIdA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1733246810; x=1733851610; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=/Vb9UXBOYsKi0pZ5x9hV4iMqdA2fMvrJ4pmauvo9ZZ8=; b=tqBY0M/SxVSvlEn9HjTYxo6yB1smyNRfOMl9lpgvBxK6z8OUu1PGVhSGK0sFGuZf+E kKmot2Sk0Mm8Cy4h6w4VO1E8g+92K6mOLW3DVptwKVyw9O70aXUrXvnY0vngqmt2mXp9 1NI+9MebY4x3JZ9ObMgkaSW+APdVcRxFBL/MSBMWG1Rxxye4Armbpr2WeXLQzwOJLk/w IWpfnGZb5dh8NwE8uufBGkTFkyvLVGQl8kqALagGT3kejM0M5uiwhdDZwGUs8se7Dkrh rtUJUmHVZwELkxrJO20gogczuv+LfI6S1hY79NLxcF1eiCfFnosqqZFhUtbhTuWAIdqP yKng== X-Forwarded-Encrypted: i=1; AJvYcCVT6VMB1BZ2Sz7IzKrLK72CiuAa1bly1P75D1M0uuI3CVu84gL3iyBMxxrfwC9x6X7uFv/uScukDo4F9A==@vger.kernel.org X-Gm-Message-State: AOJu0Yw3yLTkZ8jRggFJ8YWkKzkn59/Zt7YXH8oD1ro8zjtsO74igpCA V52D2E2xefv561MkT5bBeQ8K9wM7ZEAynyOAKCfbDUf0vI6+ti+sYGRvJxmtqA== X-Gm-Gg: ASbGncvFfaBtvlXiw0+W0XcvMnG04CEOy5AizTIvzgoz0UsjeH+pE7QOsnG3Mjrn01L PrS1u+nS+jfsWt/AgaayGPiozi4dnusFiz9JxqFKcEHQw7X2J97UQPY6XX5p9SoP7MCyYy6TUf+ gfYjbE3SLGVmZHdALG9lr8H/ARW8RNNwlsILNtWrxzhmnEmfLSy2RM1IrsApmVzi1bIBehYHkrs bQMAKrGnjeGqgg5YMzzdvzNF3zRsh8XKxPooqs= X-Google-Smtp-Source: AGHT+IH0TNX49DlvsUlDmYHqE+X/GJfm7kzNvuJYlH9rEpQHDfxMRPXJgjMqM5godm3e1PRO0SoeKQ== X-Received: by 2002:a7b:cc83:0:b0:434:9d76:5031 with SMTP id 5b1f17b1804b1-434d12b8d88mr1204505e9.1.1733246809511; Tue, 03 Dec 2024 09:26:49 -0800 (PST) Received: from localhost ([2a00:79e0:9d:4:92ba:3294:39ee:2d61]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-434b0dbe4e6sm194671505e9.14.2024.12.03.09.26.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Dec 2024 09:26:49 -0800 (PST) From: Jann Horn Date: Tue, 03 Dec 2024 18:25:37 +0100 Subject: [PATCH 3/3] udmabuf: fix memory leak on last export_udmabuf() error path Precedence: bulk X-Mailing-List: linux-media@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20241203-udmabuf-fixes-v1-3-f99281c345aa@google.com> References: <20241203-udmabuf-fixes-v1-0-f99281c345aa@google.com> In-Reply-To: <20241203-udmabuf-fixes-v1-0-f99281c345aa@google.com> To: Gerd Hoffmann , Vivek Kasireddy , Sumit Semwal , =?utf-8?q?Christian_K=C3=B6nig?= , Simona Vetter , John Stultz , Andrew Morton , "Joel Fernandes (Google)" Cc: dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org, Jann Horn X-Mailer: b4 0.15-dev X-Developer-Signature: v=1; a=ed25519-sha256; t=1733246802; l=2748; i=jannh@google.com; s=20240730; h=from:subject:message-id; bh=d/SKaEARJ6M0/cu1G8obkYNjM7fgsn+zCy4/XdkuEqM=; b=X3evmweW4JuzseSHwdhP7RA4Pf8e6N5ueqNFDbhwq7nktyWWe+H3fxCMDbqjeNobSJ+OFwz4q CrhwTQWCO5HCdsMU7uLiRuWbk2eiWJ94PEjMmxwGvVbe3p9pYkPZ/mf X-Developer-Key: i=jannh@google.com; a=ed25519; pk=AljNtGOzXeF6khBXDJVVvwSEkVDGnnZZYqfWhP1V+C8= In export_udmabuf(), if dma_buf_fd() fails because the FD table is full, a dma_buf owning the udmabuf has already been created; but the error handling in udmabuf_create() will tear down the udmabuf without doing anything about the containing dma_buf. This leaves a dma_buf in memory that contains a dangling pointer; though that doesn't seem to lead to anything bad except a memory leak. Fix it by moving the dma_buf_fd() call out of export_udmabuf() so that we can give it different error handling. Note that the shape of this code changed a lot in commit 5e72b2b41a21 ("udmabuf: convert udmabuf driver to use folios"); but the memory leak seems to have existed since the introduction of udmabuf. Fixes: fbb0de795078 ("Add udmabuf misc device") Signed-off-by: Jann Horn Acked-by: Vivek Kasireddy --- drivers/dma-buf/udmabuf.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 8ce77f5837d71a73be677cad014e05f29706057d..aae0071be14a2c83a428b59ea9e905c7173232be 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -317,12 +317,11 @@ static int check_memfd_seals(struct file *memfd) return 0; } -static int export_udmabuf(struct udmabuf *ubuf, - struct miscdevice *device, - u32 flags) +static struct dma_buf *export_udmabuf(struct udmabuf *ubuf, + struct miscdevice *device, + u32 flags) { DEFINE_DMA_BUF_EXPORT_INFO(exp_info); - struct dma_buf *buf; ubuf->device = device; exp_info.ops = &udmabuf_ops; @@ -330,11 +329,7 @@ static int export_udmabuf(struct udmabuf *ubuf, exp_info.priv = ubuf; exp_info.flags = O_RDWR; - buf = dma_buf_export(&exp_info); - if (IS_ERR(buf)) - return PTR_ERR(buf); - - return dma_buf_fd(buf, flags); + return dma_buf_export(&exp_info); } static long udmabuf_pin_folios(struct udmabuf *ubuf, struct file *memfd, @@ -391,6 +386,7 @@ static long udmabuf_create(struct miscdevice *device, struct folio **folios = NULL; pgoff_t pgcnt = 0, pglimit; struct udmabuf *ubuf; + struct dma_buf *dmabuf; long ret = -EINVAL; u32 i, flags; @@ -451,9 +447,16 @@ static long udmabuf_create(struct miscdevice *device, } flags = head->flags & UDMABUF_FLAGS_CLOEXEC ? O_CLOEXEC : 0; - ret = export_udmabuf(ubuf, device, flags); - if (ret < 0) + dmabuf = export_udmabuf(ubuf, device, flags); + if (IS_ERR(dmabuf)) { + ret = PTR_ERR(dmabuf); goto err; + } + /* ownership of ubuf is held by the dmabuf from here */ + + ret = dma_buf_fd(dmabuf, flags); + if (ret < 0) + dma_buf_put(dmabuf); kvfree(folios); return ret;