1. Patchew
  2. linux
  3. [PATCH v2 0/3] fixes for udmabuf (memfd sealing checks and a leak)
  4. View patch

[PATCH v2 1/3] udmabuf: fix racy memfd sealing check

Jann Horn posted 3 patches 1 year ago
[PATCH v2 1/3] udmabuf: fix racy memfd sealing check
Posted by Jann Horn 1 year ago 
The current check_memfd_seals() is racy: Since we first do
check_memfd_seals() and then udmabuf_pin_folios() without holding any
relevant lock across both, F_SEAL_WRITE can be set in between.
This is problematic because we can end up holding pins to pages in a
write-sealed memfd.

Fix it using the inode lock, that's probably the easiest way.
In the future, we might want to consider moving this logic into memfd,
especially if anyone else wants to use memfd_pin_folios().

Reported-by: Julian Orth <ju.orth@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219106
Closes: https://lore.kernel.org/r/CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTgpD+StkV9w@mail.gmail.com
Fixes: fbb0de795078 ("Add udmabuf misc device")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
---
 drivers/dma-buf/udmabuf.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
index 8ce1f074c2d32a0a9f59ff7184359e37d56548c6..c1d8c2766d6d36fc5fe1b3d73057f6e01ec6678f 100644
--- a/drivers/dma-buf/udmabuf.c
+++ b/drivers/dma-buf/udmabuf.c
@@ -436,14 +436,19 @@ static long udmabuf_create(struct miscdevice *device,
 			goto err;
 		}
 
+		/*
+		 * Take the inode lock to protect against concurrent
+		 * memfd_add_seals(), which takes this lock in write mode.
+		 */
+		inode_lock_shared(file_inode(memfd));
 		ret = check_memfd_seals(memfd);
-		if (ret < 0) {
-			fput(memfd);
-			goto err;
-		}
+		if (ret)
+			goto out_unlock;
 
 		ret = udmabuf_pin_folios(ubuf, memfd, list[i].offset,
 					 list[i].size, folios);
+out_unlock:
+		inode_unlock_shared(file_inode(memfd));
 		fput(memfd);
 		if (ret)
 			goto err;

-- 
2.47.0.338.g60cca15819-goog
RE: [PATCH v2 1/3] udmabuf: fix racy memfd sealing check
Posted by Kasireddy, Vivek 1 year ago 
> Subject: [PATCH v2 1/3] udmabuf: fix racy memfd sealing check
> 
> The current check_memfd_seals() is racy: Since we first do
> check_memfd_seals() and then udmabuf_pin_folios() without holding any
> relevant lock across both, F_SEAL_WRITE can be set in between.
> This is problematic because we can end up holding pins to pages in a
> write-sealed memfd.
> 
> Fix it using the inode lock, that's probably the easiest way.
> In the future, we might want to consider moving this logic into memfd,
> especially if anyone else wants to use memfd_pin_folios().
> 
> Reported-by: Julian Orth <ju.orth@gmail.com>
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219106
> Closes:
> https://lore.kernel.org/r/CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTg
> pD+StkV9w@mail.gmail.com
> Fixes: fbb0de795078 ("Add udmabuf misc device")
> Cc: stable@vger.kernel.org
> Signed-off-by: Jann Horn <jannh@google.com>
> ---
>  drivers/dma-buf/udmabuf.c | 13 +++++++++----
>  1 file changed, 9 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
> index
> 8ce1f074c2d32a0a9f59ff7184359e37d56548c6..c1d8c2766d6d36fc5fe1b3d73
> 057f6e01ec6678f 100644
> --- a/drivers/dma-buf/udmabuf.c
> +++ b/drivers/dma-buf/udmabuf.c
> @@ -436,14 +436,19 @@ static long udmabuf_create(struct miscdevice
> *device,
>  			goto err;
>  		}
> 
> +		/*
> +		 * Take the inode lock to protect against concurrent
> +		 * memfd_add_seals(), which takes this lock in write mode.
> +		 */
Thank you for adding comments.

Acked-by: Vivek Kasireddy <vivek.kasireddy@intel.com>

> +		inode_lock_shared(file_inode(memfd));
>  		ret = check_memfd_seals(memfd);
> -		if (ret < 0) {
> -			fput(memfd);
> -			goto err;
> -		}
> +		if (ret)
> +			goto out_unlock;
> 
>  		ret = udmabuf_pin_folios(ubuf, memfd, list[i].offset,
>  					 list[i].size, folios);
> +out_unlock:
> +		inode_unlock_shared(file_inode(memfd));
>  		fput(memfd);
>  		if (ret)
>  			goto err;
> 
> --
> 2.47.0.338.g60cca15819-goog
Re: [PATCH v2 1/3] udmabuf: fix racy memfd sealing check
Posted by Joel Fernandes 1 year ago 
On Wed, Dec 4, 2024 at 11:27 AM Jann Horn <jannh@google.com> wrote:
>
> The current check_memfd_seals() is racy: Since we first do
> check_memfd_seals() and then udmabuf_pin_folios() without holding any
> relevant lock across both, F_SEAL_WRITE can be set in between.
> This is problematic because we can end up holding pins to pages in a
> write-sealed memfd.
>
> Fix it using the inode lock, that's probably the easiest way.
> In the future, we might want to consider moving this logic into memfd,
> especially if anyone else wants to use memfd_pin_folios().

I am curious, why is it not possible to have a reproducer for this
issue, is it not reproducible and is theoretical?

thanks,

 - Joel

>
> Reported-by: Julian Orth <ju.orth@gmail.com>
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219106
> Closes: https://lore.kernel.org/r/CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTgpD+StkV9w@mail.gmail.com
> Fixes: fbb0de795078 ("Add udmabuf misc device")
> Cc: stable@vger.kernel.org
> Signed-off-by: Jann Horn <jannh@google.com>
> ---
>  drivers/dma-buf/udmabuf.c | 13 +++++++++----
>  1 file changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
> index 8ce1f074c2d32a0a9f59ff7184359e37d56548c6..c1d8c2766d6d36fc5fe1b3d73057f6e01ec6678f 100644
> --- a/drivers/dma-buf/udmabuf.c
> +++ b/drivers/dma-buf/udmabuf.c
> @@ -436,14 +436,19 @@ static long udmabuf_create(struct miscdevice *device,
>                         goto err;
>                 }
>
> +               /*
> +                * Take the inode lock to protect against concurrent
> +                * memfd_add_seals(), which takes this lock in write mode.
> +                */
> +               inode_lock_shared(file_inode(memfd));
>                 ret = check_memfd_seals(memfd);
> -               if (ret < 0) {
> -                       fput(memfd);
> -                       goto err;
> -               }
> +               if (ret)
> +                       goto out_unlock;
>
>                 ret = udmabuf_pin_folios(ubuf, memfd, list[i].offset,
>                                          list[i].size, folios);
> +out_unlock:
> +               inode_unlock_shared(file_inode(memfd));
>                 fput(memfd);
>                 if (ret)
>                         goto err;
>
> --
> 2.47.0.338.g60cca15819-goog
>
Re: [PATCH v2 1/3] udmabuf: fix racy memfd sealing check
Posted by Jann Horn 1 year ago 
On Tue, Dec 10, 2024 at 11:51 PM Joel Fernandes <joel@joelfernandes.org> wrote:
> On Wed, Dec 4, 2024 at 11:27 AM Jann Horn <jannh@google.com> wrote:
> > The current check_memfd_seals() is racy: Since we first do
> > check_memfd_seals() and then udmabuf_pin_folios() without holding any
> > relevant lock across both, F_SEAL_WRITE can be set in between.
> > This is problematic because we can end up holding pins to pages in a
> > write-sealed memfd.
> >
> > Fix it using the inode lock, that's probably the easiest way.
> > In the future, we might want to consider moving this logic into memfd,
> > especially if anyone else wants to use memfd_pin_folios().
>
> I am curious, why is it not possible to have a reproducer for this
> issue, is it not reproducible and is theoretical?

Sorry, I think I must have forgotten about this part when I wrote the
cover letter: The original bug reporter (Julian) linked to a
reproducer that is linked in the bugzilla bug report, at
<https://github.com/mahkoh/udmabuf-seal>. I haven't tried running it
myself though.


> thanks,
>
>  - Joel
>
> >
> > Reported-by: Julian Orth <ju.orth@gmail.com>
> > Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219106
> > Closes: https://lore.kernel.org/r/CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTgpD+StkV9w@mail.gmail.com
> > Fixes: fbb0de795078 ("Add udmabuf misc device")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Jann Horn <jannh@google.com>
Re: [PATCH v2 1/3] udmabuf: fix racy memfd sealing check
Posted by Joel Fernandes 1 year ago 
On Tue, Dec 10, 2024 at 6:12 PM Jann Horn <jannh@google.com> wrote:
>
> On Tue, Dec 10, 2024 at 11:51 PM Joel Fernandes <joel@joelfernandes.org> wrote:
> > On Wed, Dec 4, 2024 at 11:27 AM Jann Horn <jannh@google.com> wrote:
> > > The current check_memfd_seals() is racy: Since we first do
> > > check_memfd_seals() and then udmabuf_pin_folios() without holding any
> > > relevant lock across both, F_SEAL_WRITE can be set in between.
> > > This is problematic because we can end up holding pins to pages in a
> > > write-sealed memfd.
> > >
> > > Fix it using the inode lock, that's probably the easiest way.
> > > In the future, we might want to consider moving this logic into memfd,
> > > especially if anyone else wants to use memfd_pin_folios().
> >
> > I am curious, why is it not possible to have a reproducer for this
> > issue, is it not reproducible and is theoretical?
>
> Sorry, I think I must have forgotten about this part when I wrote the
> cover letter: The original bug reporter (Julian) linked to a
> reproducer that is linked in the bugzilla bug report, at
> <https://github.com/mahkoh/udmabuf-seal>. I haven't tried running it
> myself though.

Thanks, I appreciate the pointer to the reproducer.

Acked-by: Joel Fernandes (Google) <joel@joelfernandes.org>

thanks,

 - Joel

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.