lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 18 Aug 2021 21:02:31 +0800
From:   Wentao_Liang <Wentao_Liang_g@....com>
To:     maarten.lankhorst@...ux.intel.com
Cc:     mripard@...nel.org, tzimmermann@...e.de, airlied@...ux.ie,
        daniel@...ll.ch, sumit.semwal@...aro.org, christian.koenig@....com,
        dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
        linux-media@...r.kernel.org, linaro-mm-sig@...ts.linaro.org,
        Wentao_Liang <Wentao_Liang_g@....com>
Subject: [PATCH] drm/prime: fix a potential double put (release) bug

In line 317 (#1), drm_gem_prime_import() is called, it will call
drm_gem_prime_import_dev(). At the end of the function
drm_gem_prime_import_dev() (line 956, #2), "dma_buf_put(dma_buf);" puts
dma_buf->file and may cause it to be released. However, after
drm_gem_prime_import() returning, the dma_buf may be put again by the
same put function in lines 342, 351 and 358 (#3, #4, #5). Putting the
dma_buf improperly more than once can lead to an incorrect dma_buf-
>file put.

We believe that the put of the dma_buf in the function
drm_gem_prime_import() is unnecessary (#2). We can fix the above bug by
removing the redundant "dma_buf_put(dma_buf);" in line 956.

 314     if (dev->driver->gem_prime_import)
 315         obj = dev->driver->gem_prime_import(dev, dma_buf);
 316     else
 317         obj = drm_gem_prime_import(dev, dma_buf);
 				//#1 call to drm_gem_prime_import
				//   ->drm_gem_prime_import_dev
				//   ->dma_buf_put
 ...

 336     ret = drm_prime_add_buf_handle(&file_priv->prime,
 337             dma_buf, *handle);

 ...

 342     dma_buf_put(dma_buf);  //#3 put again
 343
 344     return 0;
 345
 346 fail:

 351     dma_buf_put(dma_buf); //#4 put again
 352     return ret;

 356 out_put:
 357     mutex_unlock(&file_priv->prime.lock);
 358     dma_buf_put(dma_buf);  //#5 put again
 359     return ret;
 360 }

 905 struct drm_gem_object *drm_gem_prime_import_dev
 							(struct drm_device *dev,
 906                         struct dma_buf *dma_buf,
 907                         struct device *attach_dev)
 908 {

 ...

 952 fail_unmap:
 953     dma_buf_unmap_attachment(attach, sgt, DMA_BIDIRECTIONAL);
 954 fail_detach:
 955     dma_buf_detach(dma_buf, attach);
 956     dma_buf_put(dma_buf);  //#2 the first put of dma_buf
								//	 (unnecessary)
 957
 958     return ERR_PTR(ret);
 959 }

Signed-off-by: Wentao_Liang <Wentao_Liang_g@....com>
---
 drivers/gpu/drm/drm_prime.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c
index 2a54f86856af..cef03ad0d5cd 100644
--- a/drivers/gpu/drm/drm_prime.c
+++ b/drivers/gpu/drm/drm_prime.c
@@ -953,7 +953,6 @@ struct drm_gem_object *drm_gem_prime_import_dev(struct drm_device *dev,
 	dma_buf_unmap_attachment(attach, sgt, DMA_BIDIRECTIONAL);
 fail_detach:
 	dma_buf_detach(dma_buf, attach);
-	dma_buf_put(dma_buf);
 
 	return ERR_PTR(ret);
 }
-- 
2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ