mirror of
https://github.com/torvalds/linux.git
synced 2024-11-30 16:11:38 +00:00
misc: fastrpc: avoid double fput() on failed usercopy
If the copy back to userland fails for the FASTRPC_IOCTL_ALLOC_DMA_BUFF
ioctl(), we shouldn't assume that 'buf->dmabuf' is still valid. In fact,
dma_buf_fd() called fd_install() before, i.e. "consumed" one reference,
leaving us with none.
Calling dma_buf_put() will therefore put a reference we no longer own,
leading to a valid file descritor table entry for an already released
'file' object which is a straight use-after-free.
Simply avoid calling dma_buf_put() and rely on the process exit code to
do the necessary cleanup, if needed, i.e. if the file descriptor is
still valid.
Fixes: 6cffd79504
("misc: fastrpc: Add support for dmabuf exporter")
Acked-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Link: https://lore.kernel.org/r/20220127130218.809261-1-minipli@grsecurity.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
26291c54e1
commit
46963e2e06
@ -1288,7 +1288,14 @@ static int fastrpc_dmabuf_alloc(struct fastrpc_user *fl, char __user *argp)
|
||||
}
|
||||
|
||||
if (copy_to_user(argp, &bp, sizeof(bp))) {
|
||||
dma_buf_put(buf->dmabuf);
|
||||
/*
|
||||
* The usercopy failed, but we can't do much about it, as
|
||||
* dma_buf_fd() already called fd_install() and made the
|
||||
* file descriptor accessible for the current process. It
|
||||
* might already be closed and dmabuf no longer valid when
|
||||
* we reach this point. Therefore "leak" the fd and rely on
|
||||
* the process exit path to do any required cleanup.
|
||||
*/
|
||||
return -EFAULT;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user