[PATCH] dma-buf: Fix possible UAF in dma_buf_export
cuigaosheng
cuigaosheng1 at huawei.com
Thu Nov 24 12:49:21 UTC 2022
> I was already wondering why the order is this way.
>
> Why is dma_buf_stats_setup() needing the file in the first place?
dmabuf->file is used in dma_buf_stats_setup(), which is as follows:
    int dma_buf_stats_setup(struct dma_buf *dmabuf)
    {
    	struct dma_buf_sysfs_entry *sysfs_entry;
    	int ret;

    	if (!dmabuf || !dmabuf->file)
    		return -EINVAL;

    	if (!dmabuf->exp_name) {
    		pr_err("exporter name must not be empty if stats needed\n");
    		return -EINVAL;
    	}

    	sysfs_entry = kzalloc(sizeof(struct dma_buf_sysfs_entry), GFP_KERNEL);
    	if (!sysfs_entry)
    		return -ENOMEM;

    	sysfs_entry->kobj.kset = dma_buf_per_buffer_stats_kset;
    	sysfs_entry->dmabuf = dmabuf;

    	dmabuf->sysfs_entry = sysfs_entry;

    	/* create the directory for buffer stats */
    	ret = kobject_init_and_add(&sysfs_entry->kobj, &dma_buf_ktype, NULL,
    				   "%lu", file_inode(dmabuf->file)->i_ino);
    	if (ret)
    		goto err_sysfs_dmabuf;

    	return 0;

    err_sysfs_dmabuf:
    	kobject_put(&sysfs_entry->kobj);
    	dmabuf->sysfs_entry = NULL;
    	return ret;
    }
Did I miss something?
Thanks.
On 2022/11/24 20:37, Christian König wrote:
>
>
> Am 24.11.22 um 13:05 schrieb cuigaosheng:
>> Some tips:
>> Before we call dma_buf_stats_setup(), we have to finish creating the
>> file, otherwise dma_buf_stats_setup() will return -EINVAL; maybe we
>> need to think about this when making a new patch.
>
> I was already wondering why the order is this way.
>
> Why is dma_buf_stats_setup() needing the file in the first place?
>
> Thanks,
> Christian.
>
>>
>> Hope these tips are useful, thanks!
>>
>> On 2022/11/24 13:56, Charan Teja Kalla wrote:
>>> Thanks T.J and Christian for the inputs.
>>>
>>> On 11/19/2022 7:00 PM, Christian König wrote:
>>>>> Yes, exactly that's the idea.
>>>>>
>>>>> The only alternatives I can see would be to either move allocating
>>>>> the file and so completing the dma_buf initialization last again or
>>>>> just ignore errors from sysfs.
>>>>>
>>>>> > If we still want to avoid calling dmabuf->ops->release(dmabuf) in
>>>>> > dma_buf_release like the comment says I guess we could use
>>>>> > sysfs_entry and ERR_PTR to flag that, otherwise it looks like we'd
>>>>> > need a bit somewhere.
>>>>>
>>>>> No, this should be dropped as far as I can see. The sysfs cleanup
>>>>> code looks like it can handle not initialized kobj pointers.
>>>>>
>>>>>
>>>>> Yeah there is also the null check in dma_buf_stats_teardown() that
>>>>> would prevent it from running, but I understood the comment to be
>>>>> referring to the release() dma_buf_ops call into the exporter which
>>>>> comes right after the teardown call. That looks like it's preventing
>>>>> the fput task work calling back into the exporter after the exporter
>>>>> already got an error from dma_buf_export(). Otherwise the exporter
>>>>> sees a release() for a buffer that it doesn't know about / thinks
>>>>> shouldn't exist. So I could imagine an exporter trying to double
>>>>> free: once for the failed dma_buf_export() call, and again when the
>>>>> release() op is called later.
>>>>
>>>> Oh, very good point as well. Yeah, then creating the file should
>>>> probably come last.
>>>>
>>> @Gaosheng: Could you please make these changes or you let me to do?
>>>
>>>> Regards,
>>>> Christian.
>>> .
>
> .
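The ordering problem the thread is circling (the file's release path calls back into the exporter, so a fallible step that runs after the file exists can hand the exporter a release() for a buffer it already cleaned up on its own error path) can be made concrete in user space. The program below is an added example, not kernel code, not the posted patch and not anyone's reply: every struct and function in it (exporter, dmabuf_model, model_fput, model_stats_setup, export_file_then_stats, export_stats_then_file, run_scenario) is an invented stand-in. It also assumes, for the "file last" ordering, that the stats setup can run before the file is wired to the dmabuf, which is exactly the question raised above and not something the posted code currently allows.

```c
/* Constructed model, not kernel code: stand-ins for dma_buf_export(),
 * dma_buf_stats_setup(), fput()/dma_buf_release() and an exporter. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct exporter {
	void *backing;		/* the exporter's buffer memory */
	int release_calls;	/* how many times its release() op ran */
	bool double_free;	/* release() ran after backing was already freed */
};

struct dmabuf_model {
	struct exporter *exp;
	bool file_live;		/* file wired to the dmabuf: fput() reaches release() */
	int pending_fput;	/* deferred fput() task work not yet run */
};

/* The exporter's release() op. */
static void exporter_release(struct exporter *exp)
{
	exp->release_calls++;
	if (!exp->backing) {
		exp->double_free = true;	/* in the kernel: double free / UAF */
		return;
	}
	free(exp->backing);
	exp->backing = NULL;
}

/* dma_buf_release() as run from fput() task work; stats teardown omitted. */
static void model_fput(struct dmabuf_model *b)
{
	if (b->file_live)
		exporter_release(b->exp);	/* dmabuf->ops->release(dmabuf) */
}

/* dma_buf_stats_setup(); inject_fail models kobject_init_and_add() failing.
 * Assumption: it can run before the file is wired to the dmabuf. */
static int model_stats_setup(bool inject_fail)
{
	return inject_fail ? -ENOMEM : 0;
}

/* Order discussed in the thread: file first, then stats. */
static int export_file_then_stats(struct dmabuf_model *b, bool stats_fail)
{
	int ret;

	b->file_live = true;		/* file created and wired to the dmabuf */
	ret = model_stats_setup(stats_fail);
	if (ret)
		b->pending_fput++;	/* error path: fput(file) */
	return ret;
}

/* Fallible steps first, file last: no fput() exists before success. */
static int export_stats_then_file(struct dmabuf_model *b, bool stats_fail)
{
	int ret = model_stats_setup(stats_fail);

	if (!ret)
		b->file_live = true;
	return ret;
}

/* One export attempt as an exporter would drive it. Returns the release()
 * count; *double_free tells whether release() hit already-freed storage. */
static int run_scenario(int (*export)(struct dmabuf_model *, bool),
			bool stats_fail, bool *double_free)
{
	struct exporter exp = { .backing = malloc(64) };
	struct dmabuf_model b = { .exp = &exp };
	int ret = export(&b, stats_fail);

	if (ret) {		/* exporter's error path frees its own buffer */
		free(exp.backing);
		exp.backing = NULL;
	} else {
		b.pending_fput++;	/* normal end of life: last close */
	}
	while (b.pending_fput-- > 0)	/* deferred task work runs later */
		model_fput(&b);
	*double_free = exp.double_free;
	return exp.release_calls;
}

int main(void)
{
	bool df;
	int n = run_scenario(export_file_then_stats, true, &df);

	printf("file then stats, stats fails: release()=%d double_free=%d\n", n, df);
	n = run_scenario(export_stats_then_file, true, &df);
	printf("stats then file, stats fails: release()=%d double_free=%d\n", n, df);
	return 0;
}
```

With the file created first, a failing stats setup leaves a pending fput() that later calls release() on storage the exporter already freed in its own error handling; with the file created last, a failure before it never produces an fput(), so release() is not called at all and the exporter's single free is the only one. The model deliberately keeps the exporter's error-path free, since that is the double-free sequence described above.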
More information about the dri-devel mailing list