Subject: FAILED: patch "[PATCH] udmabuf: fix racy memfd sealing check" failed to apply to 5.15-stable tree
To: jannh@google.com,joel@joelfernandes.org,ju.orth@gmail.com,vivek.kasireddy@intel.com
Date: Mon, 23 Dec 2024 12:57:48 +0100
Message-ID: <2024122348-endeared-emptier-9ba3@gregkh>

The patch below does not apply to the 5.15-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to .

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y
git checkout FETCH_HEAD
git cherry-pick -x 9cb189a882738c1d28b349d4e7c6a1ef9b3d8f87
#
git commit -s
git send-email --to '' --in-reply-to '2024122348-endeared-emptier-9ba3@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^..

Possible dependencies:

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

>From 9cb189a882738c1d28b349d4e7c6a1ef9b3d8f87 Mon Sep 17 00:00:00 2001
From: Jann Horn
Date: Wed, 4 Dec 2024 17:26:19 +0100
Subject: [PATCH] udmabuf: fix racy memfd sealing check

The current check_memfd_seals() is racy: Since we first do
check_memfd_seals() and then udmabuf_pin_folios() without holding any
relevant lock across both, F_SEAL_WRITE can be set in between.
This is problematic because we can end up holding pins to pages in a
write-sealed memfd.

Fix it using the inode lock, that's probably the easiest way.
In the future, we might want to consider moving this logic into memfd,
especially if anyone else wants to use memfd_pin_folios().

Reported-by: Julian Orth
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219106
Closes: https://lore.kernel.org/r/CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTgpD+StkV9w@mail.gmail.com
Fixes: fbb0de795078 ("Add udmabuf misc device")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn
Acked-by: Joel Fernandes (Google)
Acked-by: Vivek Kasireddy
Signed-off-by: Vivek Kasireddy
Link: https://patchwork.freedesktop.org/patch/msgid/20241204-udmabuf-fixes-v2-1-23887289de1c@google.com

diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 8ce1f074c2d3..c1d8c2766d6d 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -436,14 +436,19 @@ static long udmabuf_create(struct miscdevice *device, goto err; } + /* + * Take the inode lock to protect against concurrent + * memfd_add_seals(), which takes this lock in write mode. + */ + inode_lock_shared(file_inode(memfd)); ret = check_memfd_seals(memfd); - if (ret < 0) { - fput(memfd); - goto err; - } + if (ret) + goto out_unlock; ret = udmabuf_pin_folios(ubuf, memfd, list[i].offset, list[i].size, folios); +out_unlock: + inode_unlock_shared(file_inode(memfd)); fput(memfd); if (ret) goto err;
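
Review bot: The error test after check_memfd_seals() changes from "if (ret < 0)" to "if (ret)", and the commit message does not mention it. If the broader test is intended, say so in the changelog; otherwise keep "ret < 0" so the hunk changes only the locking. The new comment names the writer it excludes (memfd_add_seals()) but not the extent of the critical section; a few words saying that the shared inode lock is held across both check_memfd_seals() and udmabuf_pin_folios() would record why the unlock sits after the pin rather than directly after the check. The out_unlock label also leads into the fput(memfd) that follows it, which a reader backporting this should note when resolving the conflict around the removed fput()/goto err block.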