
Commit 5f616cd4 authored by Allen Chiu, committed by Miles Chen

[ALPS05388629] BACKPORT: dma-buf: Move dma_buf_release() from fops

1.Backport patch:
dma-buf: Move dma_buf_release() from fops to dentry_ops
2.Workaround for race condition caused by this patch
in dma_buf_debug_show()

Charan Teja reported a use-after-free in dmabuffs_dname [1], which
happens if the dma_buf_release() is called while the userspace is
accessing the dma_buf pseudo fs's dmabuffs_dname() in another process,
and dma_buf_release() releases the dmabuf object when the last reference
to the struct file goes away.

I discussed with Arnd Bergmann, and he suggested that rather than tying
the dma_buf_release() to the file_operations release(), we can tie it to
the dentry_operations d_release(), which will be called when the last ref
to the dentry is removed.

The path exercised by __fput() calls f_op->release() first, and then calls
dput, which eventually calls d_op->d_release().

In the normal case, when no userspace access is happening via dma_buf
pseudo fs, there should be exactly one fd, file, dentry and inode, so
closing the fd will kill off everything right away.

In the presented case, the dentry's d_release() will be called only when
the dentry's last ref is released.

Therefore, let's move dma_buf_release() from fops->release() to
d_ops->d_release().

Many thanks to Arnd for his FS insights :)

[1]: https://lore.kernel.org/patchwork/patch/1238278/



Fixes: bb2bb90 ("dma-buf: add DMA_BUF_SET_NAME ioctls")
Reported-by: <syzbot+3643a18836bce555bff6@syzkaller.appspotmail.com>
Cc: <stable@vger.kernel.org> [5.3+]
Cc: Arnd Bergmann <arnd@arndb.de>
Reported-by: Charan Teja Reddy <charante@codeaurora.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
Tested-by: Charan Teja Reddy <charante@codeaurora.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20200611114418.19852-1-sumit.semwal@linaro.org



MTK-Commit-Id: dde556c3767b463db100f4166701995e5b664700

Change-Id: I8cf25313d90e15d5cabab85817b90a83a3b55146
Signed-off-by: Allen Chiu <allen.chiu@mediatek.com>
CR-Id: ALPS05388629
Feature: [Module]Official Kernel Patch
parent af01ab7a