Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit daee5bd6 authored by Charan Teja Reddy's avatar Charan Teja Reddy Committed by Gerrit - the friendly Code Review server
Browse files

dma-buf: fix race while reading the dma_buf in dmabuffs_dname 



The following race occurs while reading the dma_buf:
P1				P2
dma_buf_release()          dmabuffs_dname()[say from /proc/pid/fd/num]

			   read dmabuf stored in dentry->fsdata
Free the dmabuf object
			   Start accessing the dmabuf structure

As said above, we access the dmabuf structure after we free the dmabuf
object resulting into the below 'use-after-free' issue.
__mutex_lock_common+0x174/0x1020
mutex_lock_nested+0x40/0x50
dmabuffs_dname+0x48/0xc8
d_path+0x84/0x290
proc_pid_readlink+0xb4/0x1c8
vfs_readlink+0x128/0x130
do_readlinkat+0xc8/0x148
__arm64_sys_readlinkat+0x24/0x38
el0_svc_common+0xa4/0x178
el0_svc_handler+0x6c/0x88
el0_svc+0x8/0xc.

Fixes: bf93f26 ("UPSTREAM: dma-buf: add DMA_BUF_SET_NAME ioctls")
Change-Id: Ie0a833f185687f4cc7ab8189b17fde3516270572
Signed-off-by: default avatarCharan Teja Reddy <charante@codeaurora.org>
Signed-off-by: default avatarNaitik Bharadiya <bharad@codeaurora.org>
parent be1961a6
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment