[PATCH] dma-buf: Fix possible UAF in dma_buf_export
Gaosheng Cui
cuigaosheng1 at huawei.com
Thu Nov 17 06:21:52 UTC 2022
Smatch report warning as follows:
drivers/dma-buf/dma-buf.c:681 dma_buf_export() warn:
'&dmabuf->list_node' not removed from list
If dma_buf_stats_setup() fails in dma_buf_export(), goto err_sysfs
and dmabuf will be freed, but dmabuf->list_node will not be removed
from db_list.head, then list traversal may cause UAF.
Fix by removeing it from db_list.head before free().
Fixes: ef3a6b70507a ("dma-buf: call dma_buf_stats_setup after dmabuf is in valid list")
Signed-off-by: Gaosheng Cui <cuigaosheng1 at huawei.com>
---
drivers/dma-buf/dma-buf.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index b809513b03fe..6848f50226d5 100644
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -675,6 +675,9 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info)
return dmabuf;
err_sysfs:
+ mutex_lock(&db_list.lock);
+ list_del(&dmabuf->list_node);
+ mutex_unlock(&db_list.lock);
/*
* Set file->f_path.dentry->d_fsdata to NULL so that when
* dma_buf_release() gets invoked by dentry_ops, it exits
--
2.25.1
More information about the dri-devel
mailing list