From patchwork Tue Sep 29 11:02:13 2020
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 291070
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Charan Teja Reddy, Christian König
Subject: [PATCH 5.8 90/99] dmabuf: fix NULL pointer dereference in dma_buf_release()
Date: Tue, 29 Sep 2020 13:02:13 +0200
Message-Id: <20200929105934.169560378@linuxfoundation.org>
In-Reply-To: <20200929105929.719230296@linuxfoundation.org>
References: <20200929105929.719230296@linuxfoundation.org>
X-Mailing-List: stable@vger.kernel.org

From: Charan Teja Reddy

commit 19a508bd1ad8e444de86873bf2f2b2ab8edd6552 upstream.

NULL pointer dereference is observed while exporting the dmabuf but
failed to allocate the 'struct file' which results into the dropping of
the allocated dentry corresponding to this file in the dmabuf fs, which
is ending up in dma_buf_release() and accessing the uninitialized
dentry->d_fsdata.

Call stack on 5.4 is below:
 dma_buf_release+0x2c/0x254 drivers/dma-buf/dma-buf.c:88
 __dentry_kill+0x294/0x31c fs/dcache.c:584
 dentry_kill fs/dcache.c:673 [inline]
 dput+0x250/0x380 fs/dcache.c:859
 path_put+0x24/0x40 fs/namei.c:485
 alloc_file_pseudo+0x1a4/0x200 fs/file_table.c:235
 dma_buf_getfile drivers/dma-buf/dma-buf.c:473 [inline]
 dma_buf_export+0x25c/0x3ec drivers/dma-buf/dma-buf.c:585

Fix this by checking for the valid pointer in the dentry->d_fsdata.

Fixes: 4ab59c3c638c ("dma-buf: Move dma_buf_release() from fops to dentry_ops")
Cc: [5.7+]
Signed-off-by: Charan Teja Reddy
Reviewed-by: Christian König
Link: https://patchwork.freedesktop.org/patch/391319/
Signed-off-by: Christian König
Signed-off-by: Greg Kroah-Hartman --- drivers/dma-buf/dma-buf.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -59,6 +59,8 @@ static void dma_buf_release(struct dentr struct dma_buf *dmabuf; dmabuf = dentry->d_fsdata; + if (unlikely(!dmabuf)) + return; BUG_ON(dmabuf->vmapping_counter);
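
Review bot: The added early return in dma_buf_release(), `if (unlikely(!dmabuf)) return;`, has no comment saying when dentry->d_fsdata can be NULL, so a later reader cannot tell that it covers the dma_buf_export() error path from the commit message (alloc_file_pseudo() failing and dropping the dentry while d_fsdata is still uninitialized) rather than masking a real bug. Please add a one-line comment above the check naming that path, and keep the check ahead of `BUG_ON(dmabuf->vmapping_counter);`, which is the first dereference of dmabuf in the hunk. As a style point, unlikely() adds little on a release callback, so a plain `if (!dmabuf)` would read cleaner.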