dmabuf: fix NULL pointer dereference in dma_buf_release()
BugLink: https://bugs.launchpad.net/bugs/1898076

commit 19a508b upstream.

NULL pointer dereference is observed while exporting the dmabuf but
failed to allocate the 'struct file' which results in the dropping of
the allocated dentry corresponding to this file in the dmabuf fs, which
is ending up in dma_buf_release() and accessing the uninitialized
dentry->d_fsdata.

Call stack on 5.4 is below:
 dma_buf_release+0x2c/0x254 drivers/dma-buf/dma-buf.c:88
 __dentry_kill+0x294/0x31c fs/dcache.c:584
 dentry_kill fs/dcache.c:673 [inline]
 dput+0x250/0x380 fs/dcache.c:859
 path_put+0x24/0x40 fs/namei.c:485
 alloc_file_pseudo+0x1a4/0x200 fs/file_table.c:235
 dma_buf_getfile drivers/dma-buf/dma-buf.c:473 [inline]
 dma_buf_export+0x25c/0x3ec drivers/dma-buf/dma-buf.c:585

Fix this by checking for the valid pointer in the dentry->d_fsdata.

Fixes: 4ab59c3 ("dma-buf: Move dma_buf_release() from fops to dentry_ops")
Cc: <[email protected]> [5.7+]
Signed-off-by: Charan Teja Reddy <[email protected]>
Reviewed-by: Christian König <[email protected]>
Link: https://patchwork.freedesktop.org/patch/391319/
Signed-off-by: Christian König <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

Signed-off-by: Paolo Pisati <[email protected]>
Charan Teja Reddy authored and piso77 committed Oct 1, 2020
1 parent 6f5e663 commit 01a48a9
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions drivers/dma-buf/dma-buf.c
Expand Up @@ -59,6 +59,8 @@ static void dma_buf_release(struct dentry *dentry)
struct dma_buf *dmabuf;

dmabuf = dentry->d_fsdata;
if (unlikely(!dmabuf))
return;

BUG_ON(dmabuf->vmapping_counter);
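Review bot: the early return on `!dmabuf` at the top of dma_buf_release() carries no comment saying when d_fsdata can be NULL, so in the code itself it reads as a silent bail-out placed just ahead of `BUG_ON(dmabuf->vmapping_counter)`. The commit message gives the reason (alloc_file_pseudo() fails under dma_buf_getfile() and the dentry is dropped while d_fsdata is still unset); a one-line comment above the check naming that export failure path would keep it from being removed later or mistaken for papering over a different bug. Minor style point: this is a release path, not a hot path, so `unlikely()` adds little and a plain `if (!dmabuf)` would read the same.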
