Date: Tue, 5 May 2020 12:08:06 +0200
From: Greg KH
To: Charan Teja Reddy
Cc: sumit.semwal@linaro.org, ghackmann@google.com, fengc@google.com, linux-media@vger.kernel.org, vinmenon@codeaurora.org
Subject: Re: [PATCH] dma-buf: fix use-after-free in dmabuffs_dname
Message-ID: <20200505100806.GA4177627@kroah.com>
References: <1588060442-28638-1-git-send-email-charante@codeaurora.org>
In-Reply-To: <1588060442-28638-1-git-send-email-charante@codeaurora.org>
X-Mailing-List: linux-media@vger.kernel.org

On Tue, Apr 28, 2020 at 01:24:02PM +0530, Charan Teja Reddy wrote:
> The following race occurs while accessing the dmabuf object exported as
> file:
> P1                              P2
> dma_buf_release()               dmabuffs_dname()
>                                 [say lsof reading /proc//fd/]
>
>                                 read dmabuf stored in dentry->fsdata
> Free the dmabuf object
>                                 Start accessing the dmabuf structure
>
> In the above description, the dmabuf object freed in P1 is being
> accessed from P2 which is resulting in the use-after-free. Below is
> the dump stack reported.
>
> Call Trace:
>  kasan_report+0x12/0x20
>  __asan_report_load8_noabort+0x14/0x20
>  dmabuffs_dname+0x4f4/0x560
>  tomoyo_realpath_from_path+0x165/0x660
>  tomoyo_get_realpath
>  tomoyo_check_open_permission+0x2a3/0x3e0
>  tomoyo_file_open
>  tomoyo_file_open+0xa9/0xd0
>  security_file_open+0x71/0x300
>  do_dentry_open+0x37a/0x1380
>  vfs_open+0xa0/0xd0
>  path_openat+0x12ee/0x3490
>  do_filp_open+0x192/0x260
>  do_sys_openat2+0x5eb/0x7e0
>  do_sys_open+0xf2/0x180
>
> Fixes: bb2bb90 ("dma-buf: add DMA_BUF_SET_NAME ioctls")

Nit, please read the documentation for how to do a Fixes: line properly,
you need more digits:

Fixes: bb2bb9030425 ("dma-buf: add DMA_BUF_SET_NAME ioctls")

> Reported-by: syzbot+3643a18836bce555bff6@syzkaller.appspotmail.com
> Signed-off-by: Charan Teja Reddy Also, any reason you didn't include the other mailing lists that get_maintainer.pl said to? And finally, no cc: stable in the s-o-b area for an issue that needs to be backported to older kernels? > --- > drivers/dma-buf/dma-buf.c | 25 +++++++++++++++++++++++-- > include/linux/dma-buf.h | 1 + > 2 files changed, 24 insertions(+), 2 deletions(-) > > diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c > index 570c923..069d8f78 100644 > --- a/drivers/dma-buf/dma-buf.c > +++ b/drivers/dma-buf/dma-buf.c > @@ -25,6 +25,7 @@ > #include > #include > #include > +#include > > #include > #include > @@ -38,18 +39,34 @@ struct dma_buf_list { > > static struct dma_buf_list db_list; > > +static void dmabuf_dent_put(struct dma_buf *dmabuf) > +{ > + if (atomic_dec_and_test(&dmabuf->dent_count)) { > + kfree(dmabuf->name); > + kfree(dmabuf); > + } Why not just use a kref instead of an open-coded atomic value? > +} > + > static char *dmabuffs_dname(struct dentry *dentry, char *buffer, int buflen) > { > struct dma_buf *dmabuf; > char name[DMA_BUF_NAME_LEN]; > size_t ret = 0; > > + spin_lock(&dentry->d_lock); > dmabuf = dentry->d_fsdata; > + if (!dmabuf || !atomic_add_unless(&dmabuf->dent_count, 1, 0)) { > + spin_unlock(&dentry->d_lock); > + goto out; How can dmabuf not be valid here? And isn't there already a usecount for the buffer? > + } > + spin_unlock(&dentry->d_lock); > dma_resv_lock(dmabuf->resv, NULL); > if (dmabuf->name) > ret = strlcpy(name, dmabuf->name, DMA_BUF_NAME_LEN); > dma_resv_unlock(dmabuf->resv); > + dmabuf_dent_put(dmabuf); > > +out: > return dynamic_dname(dentry, buffer, buflen, "/%s:%s", > dentry->d_name.name, ret > 0 ? name : ""); > } 
> @@ -80,12 +97,16 @@ static int dma_buf_fs_init_context(struct fs_context *fc) > static int dma_buf_release(struct inode *inode, struct file *file) > { > struct dma_buf *dmabuf; > + struct dentry *dentry = file->f_path.dentry; > > if (!is_dma_buf_file(file)) > return -EINVAL; > > dmabuf = file->private_data; > > + spin_lock(&dentry->d_lock); > + dentry->d_fsdata = NULL; > + spin_unlock(&dentry->d_lock); > BUG_ON(dmabuf->vmapping_counter); > > /* > @@ -108,8 +129,7 @@ static int dma_buf_release(struct inode *inode, struct file *file) > dma_resv_fini(dmabuf->resv); > > module_put(dmabuf->owner); > - kfree(dmabuf->name); > - kfree(dmabuf); > + dmabuf_dent_put(dmabuf); > return 0; > } > > @@ -548,6 +568,7 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info) > init_waitqueue_head(&dmabuf->poll); > dmabuf->cb_excl.poll = dmabuf->cb_shared.poll = &dmabuf->poll; > dmabuf->cb_excl.active = dmabuf->cb_shared.active = 0; > + atomic_set(&dmabuf->dent_count, 1); > > if (!resv) { > resv = (struct dma_resv *)&dmabuf[1]; > diff --git a/include/linux/dma-buf.h b/include/linux/dma-buf.h > index 82e0a4a..a259042 100644 > --- a/include/linux/dma-buf.h > +++ b/include/linux/dma-buf.h > @@ -315,6 +315,7 @@ struct dma_buf { > struct list_head list_node; > void *priv; > struct dma_resv *resv; > + atomic_t dent_count; Isn't there other usage counters here that can support this? Adding another one feels wrong as now we have multiple use counts, right? thanks, greg k-h
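Review bot: In the drivers/dma-buf/dma-buf.c @@ -38,18 +39,34 @@ hunk, dmabuf_dent_put() together with the `atomic_add_unless(&dmabuf->dent_count, 1, 0)` in dmabuffs_dname() re-implements kref_put()/kref_get_unless_zero() by hand; making dent_count a `struct kref` with a release callback that does the two kfree()s gives the same semantics plus the underflow debugging the kref helpers already carry. The `if (!dmabuf || ...)` branch also needs a one-line comment saying that it is the window after dma_buf_release() has cleared d_fsdata and that returning the name-less "/%s:" path there is intended; without it the next reader will mistake it for a defensive NULL check and may remove it.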
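Review bot: In the @@ -80,12 +97,16 @@ hunk, the `spin_lock(&dentry->d_lock); dentry->d_fsdata = NULL; spin_unlock(&dentry->d_lock);` block is one half of a protocol whose other half lives in dmabuffs_dname(), but neither site says so. Add a comment naming the pairing (d_fsdata is only read or cleared under d_lock, and a reader that finds it non-NULL must take a dent_count reference before dropping the lock) so the ordering constraint survives later edits to either function.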
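Review bot: In the @@ -108,8 +129,7 @@ hunk, swapping the two kfree()s for dmabuf_dent_put() keeps the struct dma_buf allocation alive for a racing dmabuffs_dname(), but the context lines show `dma_resv_fini(dmabuf->resv);` and `module_put(dmabuf->owner);` still running unconditionally just before it. A dmabuffs_dname() that won its dent_count reference before d_fsdata was cleared will then call dma_resv_lock() on a reservation object that has already been finalized, so the patch narrows the use-after-free to the struct and name memory without covering resv. Either move dma_resv_fini() (and the module_put()) into the last-reference path of dmabuf_dent_put(), or have dmabuffs_dname() copy the name under a lock whose lifetime matches the count rather than under resv.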
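Review bot: In the @@ -548,6 +568,7 @@ hunk, `atomic_set(&dmabuf->dent_count, 1);` should carry a comment stating which holder the initial reference belongs to (the file, dropped in dma_buf_release()), since the readers in dmabuffs_dname() only take transient references and the value 1 is otherwise unexplained at the point of initialization.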
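Review bot: In the include/linux/dma-buf.h @@ -315,6 +315,7 @@ hunk, the new `atomic_t dent_count;` member is added to struct dma_buf without a kernel-doc `@dent_count:` entry. The description should state that it counts d_fsdata users of the object (the owning file plus in-flight dmabuffs_dname() callers), that it governs only the lifetime of the allocation and not of the buffer's attachments or resv, and why the existing reference counting on the file cannot serve the same purpose, which is the question the added counter otherwise leaves open.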