From: Jann Horn
Date: Tue, 03 Dec 2024 18:25:35 +0100
Subject: [PATCH 1/3] udmabuf: fix racy memfd sealing check
Message-Id: <20241203-udmabuf-fixes-v1-1-f99281c345aa@google.com>
In-Reply-To: <20241203-udmabuf-fixes-v1-0-f99281c345aa@google.com>
To: Gerd Hoffmann, Vivek Kasireddy, Sumit Semwal, Christian König, Simona Vetter, John Stultz, Andrew Morton, "Joel Fernandes (Google)"
Cc: dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org, Jann Horn, Julian Orth, stable@vger.kernel.org

The current check_memfd_seals() is racy: Since we first do check_memfd_seals() and then udmabuf_pin_folios() without holding any relevant lock across both, F_SEAL_WRITE can be set in between. This is problematic because we can end up holding pins to pages in a write-sealed memfd.

Fix it using the inode lock, that's probably the easiest way. In the future, we might want to consider moving this logic into memfd, especially if anyone else wants to use memfd_pin_folios().

Reported-by: Julian Orth
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219106
Closes: https://lore.kernel.org/r/CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTgpD+StkV9w@mail.gmail.com
Fixes: fbb0de795078 ("Add udmabuf misc device")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn
--- drivers/dma-buf/udmabuf.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 8ce1f074c2d32a0a9f59ff7184359e37d56548c6..662b9a26e06668bf59ab36d07c0= 648c7b02ee5ae 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c 
@@ -436,14 +436,15 @@ static long udmabuf_create(struct miscdevice *device, goto err; } =20 + inode_lock_shared(memfd->f_inode); ret =3D check_memfd_seals(memfd); - if (ret < 0) { - fput(memfd); - goto err; - } + if (ret) + goto out_unlock; =20 ret =3D udmabuf_pin_folios(ubuf, memfd, list[i].offset, list[i].size, folios); +out_unlock: + inode_unlock_shared(memfd->f_inode); fput(memfd); if (ret) goto err; --=20 2.47.0.338.g60cca15819-goog
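
Review bot: the inode_lock_shared(memfd->f_inode) call added before check_memfd_seals() in [PATCH 1/3] has no comment saying what it serializes against, and the fix only holds if the path that adds F_SEAL_WRITE takes the same inode lock exclusively, which this hunk does not show. A one-line comment above the lock, stating that it keeps the seals from changing between check_memfd_seals() and udmabuf_pin_folios(), would make the choice of shared mode easy to audit. The error test also changes from `if (ret < 0)` to `if (ret)`; that is fine as long as check_memfd_seals() never returns a positive value, but the commit message does not mention it.
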
From: Jann Horn
Date: Tue, 03 Dec 2024 18:25:36 +0100
Subject: [PATCH 2/3] udmabuf: also check for F_SEAL_FUTURE_WRITE
Message-Id: <20241203-udmabuf-fixes-v1-2-f99281c345aa@google.com>
In-Reply-To: <20241203-udmabuf-fixes-v1-0-f99281c345aa@google.com>
To: Gerd Hoffmann, Vivek Kasireddy, Sumit Semwal, Christian König, Simona Vetter, John Stultz, Andrew Morton, "Joel Fernandes (Google)"
Cc: dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org, Jann Horn, stable@vger.kernel.org

When F_SEAL_FUTURE_WRITE was introduced, it was overlooked that udmabuf must reject memfds with this flag, just like ones with F_SEAL_WRITE. Fix it by adding F_SEAL_FUTURE_WRITE to SEALS_DENIED.

Fixes: ab3948f58ff8 ("mm/memfd: add an F_SEAL_FUTURE_WRITE seal to memfd")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn
Acked-by: Vivek Kasireddy
--- drivers/dma-buf/udmabuf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 662b9a26e06668bf59ab36d07c0648c7b02ee5ae..8ce77f5837d71a73be677cad014= e05f29706057d 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c 
@@ -297,7 +297,7 @@ static const struct dma_buf_ops udmabuf_ops =3D { }; =20 #define SEALS_WANTED (F_SEAL_SHRINK) -#define SEALS_DENIED (F_SEAL_WRITE) +#define SEALS_DENIED (F_SEAL_WRITE|F_SEAL_FUTURE_WRITE) =20 static int check_memfd_seals(struct file *memfd) { --=20 2.47.0.338.g60cca15819-goog
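
Review bot: the updated SEALS_DENIED define in [PATCH 2/3] carries no comment explaining why write-restricting seals are rejected, and because it is a denylist the omission the commit message describes can recur when another such seal is added. A short comment above `#define SEALS_DENIED (F_SEAL_WRITE|F_SEAL_FUTURE_WRITE)` stating that every seal limiting writes to the memfd has to be listed here would help; spaces around `|` would also match the usual kernel style for binary operators.
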
From: Jann Horn
Date: Tue, 03 Dec 2024 18:25:37 +0100
Subject: [PATCH 3/3] udmabuf: fix memory leak on last export_udmabuf() error path
Message-Id: <20241203-udmabuf-fixes-v1-3-f99281c345aa@google.com>
In-Reply-To: <20241203-udmabuf-fixes-v1-0-f99281c345aa@google.com>
To: Gerd Hoffmann, Vivek Kasireddy, Sumit Semwal, Christian König, Simona Vetter, John Stultz, Andrew Morton, "Joel Fernandes (Google)"
Cc: dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org, Jann Horn

In export_udmabuf(), if dma_buf_fd() fails because the FD table is full, a dma_buf owning the udmabuf has already been created; but the error handling in udmabuf_create() will tear down the udmabuf without doing anything about the containing dma_buf.

This leaves a dma_buf in memory that contains a dangling pointer; though that doesn't seem to lead to anything bad except a memory leak.

Fix it by moving the dma_buf_fd() call out of export_udmabuf() so that we can give it different error handling.

Note that the shape of this code changed a lot in commit 5e72b2b41a21 ("udmabuf: convert udmabuf driver to use folios"); but the memory leak seems to have existed since the introduction of udmabuf.

Fixes: fbb0de795078 ("Add udmabuf misc device") Signed-off-by: Jann Horn Acked-by: Vivek Kasireddy --- drivers/dma-buf/udmabuf.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 8ce77f5837d71a73be677cad014e05f29706057d..aae0071be14a2c83a428b59ea9e= 905c7173232be 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -317,12 +317,11 @@ static int check_memfd_seals(struct file *memfd) return 0; } =20 -static int export_udmabuf(struct udmabuf *ubuf, - struct miscdevice *device, - u32 flags) +static struct dma_buf *export_udmabuf(struct udmabuf *ubuf, + struct miscdevice *device, + u32 flags) { DEFINE_DMA_BUF_EXPORT_INFO(exp_info); - struct dma_buf *buf; =20 ubuf->device =3D device; exp_info.ops =3D &udmabuf_ops; @@ -330,11 +329,7 @@ static int export_udmabuf(struct udmabuf *ubuf, exp_info.priv =3D ubuf; exp_info.flags =3D O_RDWR; =20 - buf =3D dma_buf_export(&exp_info); - if (IS_ERR(buf)) - return PTR_ERR(buf); - - return dma_buf_fd(buf, flags); + return dma_buf_export(&exp_info); } =20 static long udmabuf_pin_folios(struct udmabuf *ubuf, struct file *memfd, @@ -391,6 +386,7 @@ static long udmabuf_create(struct miscdevice *device, struct folio **folios =3D NULL; pgoff_t pgcnt =3D 0, pglimit; struct udmabuf *ubuf; + struct dma_buf *dmabuf; long ret =3D -EINVAL; u32 i, flags; =20 @@ -451,9 +447,16 @@ static long udmabuf_create(struct miscdevice *device, } =20 flags =3D head->flags & UDMABUF_FLAGS_CLOEXEC ? O_CLOEXEC : 0; - ret =3D export_udmabuf(ubuf, device, flags); - if (ret < 0) + dmabuf =3D export_udmabuf(ubuf, device, flags); + if (IS_ERR(dmabuf)) { + ret =3D PTR_ERR(dmabuf); goto err; + } + /* ownership of ubuf is held by the dmabuf from here */ + + ret =3D dma_buf_fd(dmabuf, flags); + if (ret < 0) + dma_buf_put(dmabuf); =20 kvfree(folios); return ret; --=20 2.47.0.338.g60cca15819-goog
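
Review bot: the `u32 flags` parameter kept in the new export_udmabuf() signature (first hunk of [PATCH 3/3]) has no user in the lines shown once the second hunk removes the `dma_buf_fd(buf, flags)` call. Drop it from the signature and from the `export_udmabuf(ubuf, device, flags)` call in udmabuf_create(), where flags is now passed to dma_buf_fd() directly.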
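
Review bot: in the last hunk of [PATCH 3/3], when dma_buf_fd() fails the code calls dma_buf_put(dmabuf) and then falls through to `kvfree(folios); return ret;` instead of `goto err`, which is correct only because the dmabuf owns ubuf at that point. The added ownership comment covers the first half of that; consider extending it to say that the err label must not be reached after a successful export, so a later change does not reintroduce a second teardown of ubuf on this path.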