dma-buf name can be set via DMA_BUF_SET_NAME ioctl, but once set it never gets freed.
Free it in dma_buf_release().
Fixes: bb2bb9030425 ("dma-buf: add DMA_BUF_SET_NAME ioctls")
Reported-by: syzbot+b2098bc44728a4efb3e9@syzkaller.appspotmail.com
Acked-by: Chenbo Feng <fengc@google.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
 drivers/dma-buf/dma-buf.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index d4097856c86b..c343c7c10b4c 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -108,6 +108,7 @@ static int dma_buf_release(struct inode *inode, struct file *file) dma_resv_fini(dmabuf->resv);
module_put(dmabuf->owner); + kfree(dmabuf->name); kfree(dmabuf); return 0; }
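Review bot: the `kfree(dmabuf->name);` added ahead of `kfree(dmabuf);` in dma_buf_release() needs no NULL check, since kfree() accepts NULL for buffers that were never named, but the changelog should state the impact. The leak is triggered through an ioctl and, as the follow-up in this thread notes, no capable() call is seen along that path, so a sentence on who can trigger it and a Cc: stable tag would help backporters. The hunk covers only the release path; the changelog could also say whether setting a name a second time frees the previous string, since that cannot be judged from these lines.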
On Tue, 25 Feb 2020 12:44:46 -0800 Cong Wang <xiyou.wangcong@gmail.com> wrote:
> dma-buf name can be set via DMA_BUF_SET_NAME ioctl, but once set it never gets freed.
> Free it in dma_buf_release().
> ...
--- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -108,6 +108,7 @@ static int dma_buf_release(struct inode *inode, struct file *file) dma_resv_fini(dmabuf->resv);
module_put(dmabuf->owner);
- kfree(dmabuf->name); kfree(dmabuf); return 0;
}
ow. Is that ioctl privileged?
On Tue, Feb 25, 2020 at 5:54 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> On Tue, 25 Feb 2020 12:44:46 -0800 Cong Wang <xiyou.wangcong@gmail.com> wrote:
> > dma-buf name can be set via DMA_BUF_SET_NAME ioctl, but once set it never gets freed.
> > Free it in dma_buf_release().
> > ...
--- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -108,6 +108,7 @@ static int dma_buf_release(struct inode *inode, struct file *file) dma_resv_fini(dmabuf->resv);
module_put(dmabuf->owner);
kfree(dmabuf->name); kfree(dmabuf); return 0;
}
> ow. Is that ioctl privileged?
It looks unprivileged to me, as I don't see capable() called along the path.
Thanks.
On Thu, 27 Feb 2020 13:38:03 -0800 Cong Wang <xiyou.wangcong@gmail.com> wrote:
> On Tue, Feb 25, 2020 at 5:54 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> > On Tue, 25 Feb 2020 12:44:46 -0800 Cong Wang <xiyou.wangcong@gmail.com> wrote:
> > > dma-buf name can be set via DMA_BUF_SET_NAME ioctl, but once set it never gets freed.
> > > Free it in dma_buf_release().
> > > ...
--- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -108,6 +108,7 @@ static int dma_buf_release(struct inode *inode, struct file *file) dma_resv_fini(dmabuf->resv);
module_put(dmabuf->owner);
kfree(dmabuf->name); kfree(dmabuf); return 0;
}
> > ow. Is that ioctl privileged?
> It looks unprivileged to me, as I don't see capable() called along the path.
OK, thanks. I added cc:stable to my copy.