* [PATCH 0/1] udmabuf: reject unknown UDMABUF_CREATE flags @ 2026-07-01 17:21 Iván Ezequiel Rodriguez 2026-07-01 17:21 ` [PATCH 1/1] " Iván Ezequiel Rodriguez 0 siblings, 1 reply; 3+ messages in thread From: Iván Ezequiel Rodriguez @ 2026-07-01 17:21 UTC (permalink / raw) To: kraxel, vivek.kasireddy Cc: dri-devel, linux-kselftest, linux-kernel, Iván Ezequiel Rodriguez UDMABUF_CREATE and UDMABUF_CREATE_LIST only define UDMABUF_FLAGS_CLOEXEC in include/uapi/linux/udmabuf.h. Today the driver masks unknown flag bits and returns a dmabuf fd anyway, so userspace cannot tell that an unsupported flag was ignored. dma-heap already rejects unknown fd_flags and heap_flags with -EINVAL; apply the same policy in udmabuf_create(), which is shared by both ioctls. This series adds the driver check, documents the flag semantics in the uapi header, and extends the existing kselftest with test-unknown-flags (UDMABUF_FLAGS_CLOEXEC | 0x2 must fail). Tested with the udmabuf kselftest on a kernel built with this patch (test-unknown-flags PASS). Iván Ezequiel Rodriguez (1): udmabuf: reject unknown UDMABUF_CREATE flags drivers/dma-buf/udmabuf.c | 3 +++ include/uapi/linux/udmabuf.h | 13 +++++++++++++ tools/testing/selftests/drivers/dma-buf/udmabuf.c | 14 +++++++++++++- 3 files changed, 29 insertions(+), 1 deletion(-) -- 2.43.0 ^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH 1/1] udmabuf: reject unknown UDMABUF_CREATE flags 2026-07-01 17:21 [PATCH 0/1] udmabuf: reject unknown UDMABUF_CREATE flags Iván Ezequiel Rodriguez @ 2026-07-01 17:21 ` Iván Ezequiel Rodriguez 2026-07-01 17:39 ` sashiko-bot 0 siblings, 1 reply; 3+ messages in thread From: Iván Ezequiel Rodriguez @ 2026-07-01 17:21 UTC (permalink / raw) To: kraxel, vivek.kasireddy Cc: dri-devel, linux-kselftest, linux-kernel, Iván Ezequiel Rodriguez UDMABUF_CREATE and UDMABUF_CREATE_LIST only define UDMABUF_FLAGS_CLOEXEC. Unknown flag bits were silently masked before returning a dmabuf fd, so userspace could not detect unsupported flags. Reject them with -EINVAL, consistent with dma-heap flag validation. Document the flag semantics in udmabuf.h and add a selftest. Signed-off-by: Iván Ezequiel Rodriguez <ivanrwcm25@gmail.com> --- drivers/dma-buf/udmabuf.c | 3 +++ include/uapi/linux/udmabuf.h | 13 +++++++++++++ tools/testing/selftests/drivers/dma-buf/udmabuf.c | 14 +++++++++++++- 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index bced421c0d65..fb36c0d9ffe7 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -358,6 +358,9 @@ static long udmabuf_create(struct miscdevice *device, long ret = -EINVAL; u32 i, flags; + if (head->flags & ~UDMABUF_FLAGS_CLOEXEC) + return -EINVAL; + ubuf = kzalloc(sizeof(*ubuf), GFP_KERNEL); if (!ubuf) return -ENOMEM; diff --git a/include/uapi/linux/udmabuf.h b/include/uapi/linux/udmabuf.h index 46b6532ed855..e267856dd510 100644 --- a/include/uapi/linux/udmabuf.h +++ b/include/uapi/linux/udmabuf.h @@ -7,6 +7,13 @@ #define UDMABUF_FLAGS_CLOEXEC 0x01 +/** + * struct udmabuf_create - parameters for %UDMABUF_CREATE + * @memfd: memfd containing the memory to export + * @flags: %UDMABUF_FLAGS_CLOEXEC only; unknown bits are rejected + * @offset: byte offset into @memfd (page aligned) + * @size: number of bytes to export (page aligned, non-zero) + */ struct udmabuf_create { __u32 memfd; __u32 flags; @@ -21,6 +28,12 @@ struct udmabuf_create_item { __u64 size; }; +/** + * struct udmabuf_create_list - parameters for %UDMABUF_CREATE_LIST + * @flags: %UDMABUF_FLAGS_CLOEXEC only; unknown bits are rejected + * @count: number of entries in @list (non-zero, capped by driver) + * @list: flexible array of memfd regions to combine + */ struct udmabuf_create_list { __u32 flags; __u32 count; diff --git a/tools/testing/selftests/drivers/dma-buf/udmabuf.c b/tools/testing/selftests/drivers/dma-buf/udmabuf.c index d78aec662586..95c781855404 100644 --- a/tools/testing/selftests/drivers/dma-buf/udmabuf.c +++ b/tools/testing/selftests/drivers/dma-buf/udmabuf.c @@ -138,7 +138,7 @@ int main(int argc, char *argv[]) void *addr1, *addr2; ksft_print_header(); - ksft_set_plan(7); + ksft_set_plan(8); devfd = open("/dev/udmabuf", O_RDWR); if (devfd < 0) { @@ -189,6 +189,18 @@ int main(int argc, char *argv[]) else ksft_test_result_pass("%s: [PASS,test-2]\n", TEST_PREFIX); + /* should fail (unknown flags) */ + create.memfd = memfd; + create.offset = 0; + create.size = size; + create.flags = UDMABUF_FLAGS_CLOEXEC | 0x2; + buf = ioctl(devfd, UDMABUF_CREATE, &create); + if (buf >= 0) + ksft_test_result_fail("%s: [FAIL,test-unknown-flags]\n", TEST_PREFIX); + else + ksft_test_result_pass("%s: [PASS,test-unknown-flags]\n", TEST_PREFIX); + create.flags = 0; + /* should fail (not memfd) */ create.memfd = 0; /* stdin */ create.offset = 0; -- 2.43.0 ^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH 1/1] udmabuf: reject unknown UDMABUF_CREATE flags 2026-07-01 17:21 ` [PATCH 1/1] " Iván Ezequiel Rodriguez @ 2026-07-01 17:39 ` sashiko-bot 0 siblings, 0 replies; 3+ messages in thread From: sashiko-bot @ 2026-07-01 17:39 UTC (permalink / raw) To: Iván Ezequiel Rodriguez; +Cc: dri-devel Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider: Pre-existing issues: - [High] Integer overflow in `lsize` calculation in `udmabuf_ioctl_create_list` allows out-of-bounds heap memory access if `list_limit` is misconfigured. -- commit 0bd9a7c7e5bbe2cbc29a0cdc4dcdb2763d2b20e1 Author: Iván Ezequiel Rodriguez <ivanrwcm25@gmail.com> udmabuf: reject unknown UDMABUF_CREATE flags This patch updates udmabuf_create() to reject unknown flags by checking against UDMABUF_FLAGS_CLOEXEC and returning -EINVAL. It also documents the flag semantics in udmabuf.h and adds a selftest. > diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c > index bced421c0d658..fb36c0d9ffe72 100644 > --- a/drivers/dma-buf/udmabuf.c > +++ b/drivers/dma-buf/udmabuf.c > @@ -358,6 +358,9 @@ static long udmabuf_create(struct miscdevice *device, > long ret = -EINVAL; > u32 i, flags; > > + if (head->flags & ~UDMABUF_FLAGS_CLOEXEC) > + return -EINVAL; > + [Severity: High] This is a pre-existing issue, but can this code trigger an out-of-bounds heap read if the list limit is misconfigured? If an administrator sets the module parameter list_limit to a negative value (like -1 to mean unlimited), a large head.count from userspace can bypass the limit check in udmabuf_ioctl_create_list() because head.count is an unsigned u32 and list_limit is promoted to unsigned for the comparison. If a user calls ioctl(UDMABUF_CREATE_LIST) with a crafted head.count of 0x20000001, the allocation size calculation in udmabuf_ioctl_create_list() overflows: drivers/dma-buf/udmabuf.c:udmabuf_ioctl_create_list() { ... lsize = sizeof(struct udmabuf_create_item) * head.count; list = memdup_user((void __user *)(arg + sizeof(head)), lsize); } The size calculation evaluates to 0x300000018, which is truncated to 24 bytes when assigned to the u32 lsize variable. memdup_user() then allocates a 24-byte buffer for the list. When execution reaches udmabuf_create(), the loop iterates head->count times: drivers/dma-buf/udmabuf.c:udmabuf_create() { ... for (i = 0; i < head->count; i++) { pgoff_t subpgcnt; if (!PAGE_ALIGNED(list[i].offset)) goto err_noinit; ... } Since the list buffer is only 24 bytes long but the loop iterates 0x20000001 times, does this result in out-of-bounds reads on the kernel heap that could trigger a page fault and kernel oops? > ubuf = kzalloc(sizeof(*ubuf), GFP_KERNEL); > if (!ubuf) > return -ENOMEM; [ ... ] -- Sashiko AI review · https://sashiko.dev/#/patchset/20260701172159.270872-2-ivanrwcm25@gmail.com?part=1 ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-07-01 17:39 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-07-01 17:21 [PATCH 0/1] udmabuf: reject unknown UDMABUF_CREATE flags Iván Ezequiel Rodriguez 2026-07-01 17:21 ` [PATCH 1/1] " Iván Ezequiel Rodriguez 2026-07-01 17:39 ` sashiko-bot
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.