From: Jann Horn
Date: Wed, 04 Dec 2024 17:26:19 +0100
Subject: [PATCH v2 1/3] udmabuf: fix racy memfd sealing check
Message-Id: <20241204-udmabuf-fixes-v2-1-23887289de1c@google.com>
References: <20241204-udmabuf-fixes-v2-0-23887289de1c@google.com>
In-Reply-To: <20241204-udmabuf-fixes-v2-0-23887289de1c@google.com>
To: Gerd Hoffmann, Vivek Kasireddy, Sumit Semwal, Christian König, Simona Vetter, John Stultz, Andrew Morton, "Joel Fernandes (Google)"
Cc: dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org, Jann Horn, Julian Orth, stable@vger.kernel.org

The current check_memfd_seals() is racy: Since we first do
check_memfd_seals() and then udmabuf_pin_folios() without holding any
relevant lock across both, F_SEAL_WRITE can be set in between.
This is problematic because we can end up holding pins to pages in a
write-sealed memfd.

Fix it using the inode lock, that's probably the easiest way.
In the future, we might want to consider moving this logic into memfd,
especially if anyone else wants to use memfd_pin_folios().

Reported-by: Julian Orth
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219106
Closes: https://lore.kernel.org/r/CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTgpD+StkV9w@mail.gmail.com
Fixes: fbb0de795078 ("Add udmabuf misc device")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn
Acked-by: Joel Fernandes (Google)
Acked-by: Vivek Kasireddy
---
 drivers/dma-buf/udmabuf.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 8ce1f074c2d32a0a9f59ff7184359e37d56548c6..c1d8c2766d6d36fc5fe1b3d7305= 7f6e01ec6678f 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c
@@ -436,14 +436,19 @@ static long udmabuf_create(struct miscdevice *device, goto err; } =20 + /* + * Take the inode lock to protect against concurrent + * memfd_add_seals(), which takes this lock in write mode. + */ + inode_lock_shared(file_inode(memfd)); ret =3D check_memfd_seals(memfd); - if (ret < 0) { - fput(memfd); - goto err; - } + if (ret) + goto out_unlock; =20 ret =3D udmabuf_pin_folios(ubuf, memfd, list[i].offset, list[i].size, folios); +out_unlock: + inode_unlock_shared(file_inode(memfd)); fput(memfd); if (ret) goto err; --=20 2.47.0.338.g60cca15819-goog
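Review bot: The new comment above inode_lock_shared() in udmabuf_create() names what the lock excludes (a concurrent memfd_add_seals()) but not why it is safe to drop the lock right after udmabuf_pin_folios() returns, while the pins are still held. A sentence stating what keeps F_SEAL_WRITE from being added once the folios are pinned would let the next person touching this path check the locking rule. Separately, at out_unlock the order inode_unlock_shared(file_inode(memfd)) then fput(memfd) keeps the inode referenced while it is unlocked; a word on that ordering in the comment would guard against a later reshuffle.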
From: Jann Horn
Date: Wed, 04 Dec 2024 17:26:20 +0100
Subject: [PATCH v2 2/3] udmabuf: also check for F_SEAL_FUTURE_WRITE
Message-Id: <20241204-udmabuf-fixes-v2-2-23887289de1c@google.com>
References: <20241204-udmabuf-fixes-v2-0-23887289de1c@google.com>
In-Reply-To: <20241204-udmabuf-fixes-v2-0-23887289de1c@google.com>
To: Gerd Hoffmann, Vivek Kasireddy, Sumit Semwal, Christian König, Simona Vetter, John Stultz, Andrew Morton, "Joel Fernandes (Google)"
Cc: dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org, Jann Horn, stable@vger.kernel.org

When F_SEAL_FUTURE_WRITE was introduced, it was overlooked that udmabuf
must reject memfds with this flag, just like ones with F_SEAL_WRITE.
Fix it by adding F_SEAL_FUTURE_WRITE to SEALS_DENIED.

Fixes: ab3948f58ff8 ("mm/memfd: add an F_SEAL_FUTURE_WRITE seal to memfd")
Cc: stable@vger.kernel.org
Acked-by: Vivek Kasireddy
Signed-off-by: Jann Horn
Reviewed-by: Joel Fernandes (Google)
---
 drivers/dma-buf/udmabuf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index c1d8c2766d6d36fc5fe1b3d73057f6e01ec6678f..b330b99fcc7619a05bb7dc2aeeb= 9c82faf9a387b 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c
@@ -297,7 +297,7 @@ static const struct dma_buf_ops udmabuf_ops =3D { }; =20 #define SEALS_WANTED (F_SEAL_SHRINK) -#define SEALS_DENIED (F_SEAL_WRITE) +#define SEALS_DENIED (F_SEAL_WRITE|F_SEAL_FUTURE_WRITE) =20 static int check_memfd_seals(struct file *memfd) { --=20 2.47.0.338.g60cca15819-goog
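Review bot: SEALS_DENIED, in the define just above check_memfd_seals(), remains a hand-maintained deny-list, which per the commit message is how F_SEAL_FUTURE_WRITE came to be overlooked. Suggest a comment on the define saying it must list every seal that restricts writes to the memfd, so that whoever adds the next such seal knows udmabuf needs updating as well.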
From: Jann Horn
Date: Wed, 04 Dec 2024 17:26:21 +0100
Subject: [PATCH v2 3/3] udmabuf: fix memory leak on last export_udmabuf() error path
Message-Id: <20241204-udmabuf-fixes-v2-3-23887289de1c@google.com>
References: <20241204-udmabuf-fixes-v2-0-23887289de1c@google.com>
In-Reply-To: <20241204-udmabuf-fixes-v2-0-23887289de1c@google.com>
To: Gerd Hoffmann, Vivek Kasireddy, Sumit Semwal, Christian König, Simona Vetter, John Stultz, Andrew Morton, "Joel Fernandes (Google)"
Cc: dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org, Jann Horn

In export_udmabuf(), if dma_buf_fd() fails because the FD table is full, a
dma_buf owning the udmabuf has already been created; but the error handling
in udmabuf_create() will tear down the udmabuf without doing anything about
the containing dma_buf.

This leaves a dma_buf in memory that contains a dangling pointer; though
that doesn't seem to lead to anything bad except a memory leak.

Fix it by moving the dma_buf_fd() call out of export_udmabuf() so that we
can give it different error handling.

Note that the shape of this code changed a lot in commit 5e72b2b41a21
("udmabuf: convert udmabuf driver to use folios"); but the memory leak
seems to have existed since the introduction of udmabuf.

Fixes: fbb0de795078 ("Add udmabuf misc device")
Acked-by: Vivek Kasireddy
Signed-off-by: Jann Horn
---
 drivers/dma-buf/udmabuf.c | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index b330b99fcc7619a05bb7dc2aeeb9c82faf9a387b..cc7398cc17d67fca0634e763534= 901f8e6b454f8 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -317,12 +317,10 @@ static int check_memfd_seals(struct file *memfd) return 0; } =20 -static int export_udmabuf(struct udmabuf *ubuf, - struct miscdevice *device, - u32 flags) +static struct dma_buf *export_udmabuf(struct udmabuf *ubuf, + struct miscdevice *device) { DEFINE_DMA_BUF_EXPORT_INFO(exp_info); - struct dma_buf *buf; =20 ubuf->device =3D device; exp_info.ops =3D &udmabuf_ops; @@ -330,11 +328,7 @@ static int export_udmabuf(struct udmabuf *ubuf, exp_info.priv =3D ubuf; exp_info.flags =3D O_RDWR; =20 - buf =3D dma_buf_export(&exp_info); - if (IS_ERR(buf)) - return PTR_ERR(buf); - - return dma_buf_fd(buf, flags); + return dma_buf_export(&exp_info); } =20 static long udmabuf_pin_folios(struct udmabuf *ubuf, struct file *memfd, @@ -391,6 +385,7 @@ static long udmabuf_create(struct miscdevice *device, struct folio **folios =3D NULL; pgoff_t pgcnt =3D 0, pglimit; struct udmabuf *ubuf; + struct dma_buf *dmabuf; long ret =3D -EINVAL; u32 i, flags; =20
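Review bot: The return contract of export_udmabuf() changes at its definition from an int (fd or negative errno) to a struct dma_buf * passed straight through from dma_buf_export(), and nothing at the function says callers must now test the result with IS_ERR(). Suggest a short comment above export_udmabuf() stating that failure is reported as an ERR_PTR and that on success the returned dma_buf owns ubuf, since that ownership rule is otherwise documented only at the call site in udmabuf_create().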
@@ -455,9 +450,20 @@ static long udmabuf_create(struct miscdevice *device, } =20 flags =3D head->flags & UDMABUF_FLAGS_CLOEXEC ? O_CLOEXEC : 0; - ret =3D export_udmabuf(ubuf, device, flags); - if (ret < 0) + dmabuf =3D export_udmabuf(ubuf, device); + if (IS_ERR(dmabuf)) { + ret =3D PTR_ERR(dmabuf); goto err; + } + /* + * Ownership of ubuf is held by the dmabuf from here. + * If the following dma_buf_fd() fails, dma_buf_put() cleans up both the + * dmabuf and the ubuf (through udmabuf_ops.release). + */ + + ret =3D dma_buf_fd(dmabuf, flags); + if (ret < 0) + dma_buf_put(dmabuf); =20 kvfree(folios); return ret; --=20 2.47.0.338.g60cca15819-goog
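Review bot: In this last hunk of udmabuf_create(), the dma_buf_fd() failure path calls dma_buf_put(dmabuf) and then falls through to kvfree(folios) and return ret rather than using goto err, unlike the IS_ERR(dmabuf) branch just above it. That asymmetry is the substance of the fix, yet the comment only says dma_buf_put() cleans up both objects; suggest adding that this path must not jump to err, because the commit message describes err as tearing down the udmabuf itself, and by then ubuf has already been released through udmabuf_ops.release. The ownership comment would also read better directly above the dma_buf_fd() call, without the blank line that currently separates the two.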