forked from Minki/linux
4ab59c3c63
Charan Teja reported a 'use-after-free' in dmabuffs_dname [1], which
happens if the dma_buf_release() is called while the userspace is
accessing the dma_buf pseudo fs's dmabuffs_dname() in another process,
and dma_buf_release() releases the dmabuf object when the last reference
to the struct file goes away.
I discussed with Arnd Bergmann, and he suggested that rather than tying
the dma_buf_release() to the file_operations' release(), we can tie it to
the dentry_operations' d_release(), which will be called when the last ref
to the dentry is removed.
The path exercised by __fput() calls f_op->release() first, and then calls
dput, which eventually calls d_op->d_release().
In the 'normal' case, when no userspace access is happening via dma_buf
pseudo fs, there should be exactly one fd, file, dentry and inode, so
closing the fd will kill off everything right away.
In the presented case, the dentry's d_release() will be called only when
the dentry's last ref is released.
Therefore, let's move dma_buf_release() from fops->release() to
d_ops->d_release().
Many thanks to Arnd for his FS insights :)
[1]: https://lore.kernel.org/patchwork/patch/1238278/
Fixes:
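The lifetime argument in the commit message can be checked with a small userspace model of the refcounting involved. The following is an added example, not kernel code and not part of the patch: it models `struct file` and `struct dentry` with plain counters, implements `__fput()` as "call `f_op->release()`, then `dput()`" exactly as the message describes, and compares the two placements of `dma_buf_release()`. The concurrent reader is modelled as a second process that holds its own dentry reference (via `dget()`) while it reads the object hanging off `d_fsdata`; that reference, and the `freed` flag used instead of a real `free()` so the use-after-free is observable rather than undefined, are assumptions of the model. Names such as `simulate`, `uaf_during_read` and `released_at_end` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical userspace model of the lifetime rules described in the
 * commit message. Not kernel code. */

struct dmabuf_obj {
	int freed; /* set instead of calling free(), so a UAF is observable */
};

struct dentry {
	int refcount;
	struct dmabuf_obj *d_fsdata;
	void (*d_release)(struct dentry *);
};

struct file {
	int refcount;
	struct dentry *dentry;
	void (*release)(struct file *);
};

static void dma_buf_release_obj(struct dmabuf_obj *obj) { obj->freed = 1; }

/* Old placement: the object dies with the last struct file reference. */
static void old_fop_release(struct file *f) { dma_buf_release_obj(f->dentry->d_fsdata); }
static void old_d_release(struct dentry *d) { (void)d; }

/* New placement: the object dies with the last dentry reference. */
static void new_fop_release(struct file *f) { (void)f; }
static void new_d_release(struct dentry *d) { dma_buf_release_obj(d->d_fsdata); }

static void dget(struct dentry *d) { d->refcount++; }
static void dput(struct dentry *d) { if (--d->refcount == 0) d->d_release(d); }

/* __fput(): f_op->release() first, then dput() on the file's dentry. */
static void fput(struct file *f)
{
	if (--f->refcount == 0) {
		f->release(f);
		dput(f->dentry);
	}
}

/* Process A closes its only fd while process B, inside the dma_buf pseudo
 * fs, holds a dentry reference and reads the object behind d_fsdata.
 * Reports whether B saw a freed object and whether the object was freed at all. */
static void simulate(int use_d_release, int *freed_during_read, int *freed_at_end)
{
	struct dmabuf_obj obj = { 0 };
	struct dentry d = { 1, &obj, use_d_release ? new_d_release : old_d_release };
	struct file f = { 1, &d, use_d_release ? new_fop_release : old_fop_release };

	dget(&d);                  /* B: take a dentry ref for dmabuffs_dname() */
	fput(&f);                  /* A: last fd closed, __fput() runs          */
	*freed_during_read = obj.freed; /* B: is the object still alive?        */
	dput(&d);                  /* B: done, drop its dentry reference        */
	*freed_at_end = obj.freed; /* nothing should leak once all refs are gone */
}

/* 1 if the concurrent reader observed a freed object (the reported bug). */
int uaf_during_read(int use_d_release)
{
	int during, end;
	simulate(use_d_release, &during, &end);
	return during;
}

/* 1 if the object was eventually released once the last reference dropped. */
int released_at_end(int use_d_release)
{
	int during, end;
	simulate(use_d_release, &during, &end);
	return end;
}

/* The 'normal' case: one fd, file and dentry, nobody else looking. */
int normal_close_releases(int use_d_release)
{
	struct dmabuf_obj obj = { 0 };
	struct dentry d = { 1, &obj, use_d_release ? new_d_release : old_d_release };
	struct file f = { 1, &d, use_d_release ? new_fop_release : old_fop_release };

	fput(&f);
	return obj.freed;
}

int main(void)
{
	printf("release in fops->release:  UAF=%d freed_at_end=%d\n",
	       uaf_during_read(0), released_at_end(0));
	printf("release in d_ops->d_release: UAF=%d freed_at_end=%d\n",
	       uaf_during_read(1), released_at_end(1));
	return 0;
}
```

With the release tied to `fops->release()` the reader holding a dentry reference sees a freed object; tied to `d_ops->d_release()` the object outlives the file until that last dentry reference is dropped, and in the single-reference case closing the fd still frees it immediately.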