From 7093d4fe894b3b0f91f7a89d413ab794f05fcd36 Mon Sep 17 00:00:00 2001
From: Guangming Cao <Guangming.Cao@mediatek.com>
Date: Fri, 8 Oct 2021 15:54:20 +0800
Subject: dma-buf: acquire name lock before read/write dma_buf.name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 8c0fd126263730c35927cc8445727afb79219a19
Patch-mainline: v5.16-rc1
References: jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225
Because dma-buf.name can be freed in func: "dma_buf_set_name",
so, we need to acquire lock first before we read/write dma_buf.name
to prevent Use After Free(UAF) issue.
Signed-off-by: Guangming Cao <Guangming.Cao@mediatek.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Christian König <christian.koenig@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20211008075420.42874-1-guangming.cao@mediatek.com
Acked-by: Patrik Jakobsson <pjakobsson@suse.de>
---
drivers/dma-buf/dma-buf.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index 44182bd911bb..6437b2e978fb 100644
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -1359,6 +1359,8 @@ static int dma_buf_debug_show(struct seq_file *s, void *unused)
if (ret)
goto error_unlock;
+
+ spin_lock(&buf_obj->name_lock);
seq_printf(s, "%08zu\t%08x\t%08x\t%08ld\t%s\t%08lu\t%s\n",
buf_obj->size,
buf_obj->file->f_flags, buf_obj->file->f_mode,
@@ -1366,6 +1368,7 @@ static int dma_buf_debug_show(struct seq_file *s, void *unused)
buf_obj->exp_name,
file_inode(buf_obj->file)->i_ino,
buf_obj->name ?: "");
+ spin_unlock(&buf_obj->name_lock);
dma_resv_for_each_fence(&cursor, buf_obj->resv, true, fence) {
seq_printf(s, "\t%s fence: %s %s %ssignalled\n",
--
2.38.1