Patch "dmabuf: fix NULL pointer dereference in dma_buf_release()" has been added to the 5.8-stable tree


 



This is a note to let you know that I've just added the patch titled

    dmabuf: fix NULL pointer dereference in dma_buf_release()

to the 5.8-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     dmabuf-fix-null-pointer-dereference-in-dma_buf_release.patch
and it can be found in the queue-5.8 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From 19a508bd1ad8e444de86873bf2f2b2ab8edd6552 Mon Sep 17 00:00:00 2001
From: Charan Teja Reddy <charante@xxxxxxxxxxxxxx>
Date: Fri, 18 Sep 2020 16:02:31 +0530
Subject: dmabuf: fix NULL pointer dereference in dma_buf_release()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From: Charan Teja Reddy <charante@xxxxxxxxxxxxxx>

commit 19a508bd1ad8e444de86873bf2f2b2ab8edd6552 upstream.

NULL pointer dereference is observed while exporting the dmabuf but
failed to allocate the 'struct file' which results into the dropping of
the allocated dentry corresponding to this file in the dmabuf fs, which
is ending up in dma_buf_release() and accessing the uninitialized
dentry->d_fsdata.

Call stack on 5.4 is below:
 dma_buf_release+0x2c/0x254 drivers/dma-buf/dma-buf.c:88
 __dentry_kill+0x294/0x31c fs/dcache.c:584
 dentry_kill fs/dcache.c:673 [inline]
 dput+0x250/0x380 fs/dcache.c:859
 path_put+0x24/0x40 fs/namei.c:485
 alloc_file_pseudo+0x1a4/0x200 fs/file_table.c:235
 dma_buf_getfile drivers/dma-buf/dma-buf.c:473 [inline]
 dma_buf_export+0x25c/0x3ec drivers/dma-buf/dma-buf.c:585

Fix this by checking for the valid pointer in the dentry->d_fsdata.

Fixes: 4ab59c3c638c ("dma-buf: Move dma_buf_release() from fops to dentry_ops")
Cc: <stable@xxxxxxxxxxxxxxx> [5.7+]
Signed-off-by: Charan Teja Reddy <charante@xxxxxxxxxxxxxx>
Reviewed-by: Christian König <christian.koenig@xxxxxxx>
Link: https://patchwork.freedesktop.org/patch/391319/
Signed-off-by: Christian König <christian.koenig@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 drivers/dma-buf/dma-buf.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -59,6 +59,8 @@ static void dma_buf_release(struct dentr
 	struct dma_buf *dmabuf;
 
 	dmabuf = dentry->d_fsdata;
+	if (unlikely(!dmabuf))
+		return;
 
 	BUG_ON(dmabuf->vmapping_counter);
 
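Review bot: The new early return at `if (unlikely(!dmabuf))` carries no comment, and from the function body alone a reader cannot tell when dentry->d_fsdata is legitimately NULL. The commit message says this happens when the 'struct file' allocation fails during export and the dentry is dropped through dput() from alloc_file_pseudo(); a one-line comment above the check stating that would keep a later cleanup from removing it as dead code. The check also only helps if d_fsdata is NULL rather than stale at that point, which depends on code outside this hunk, so it is worth confirming that the export path assigns d_fsdata only after the file has been allocated.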


Patches currently in stable-queue which might be from charante@xxxxxxxxxxxxxx are

queue-5.8/dmabuf-fix-null-pointer-dereference-in-dma_buf_release.patch


