6.12-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jann Horn <jannh@xxxxxxxxxx> commit 9cb189a882738c1d28b349d4e7c6a1ef9b3d8f87 upstream. The current check_memfd_seals() is racy: Since we first do check_memfd_seals() and then udmabuf_pin_folios() without holding any relevant lock across both, F_SEAL_WRITE can be set in between. This is problematic because we can end up holding pins to pages in a write-sealed memfd. Fix it using the inode lock, that's probably the easiest way. In the future, we might want to consider moving this logic into memfd, especially if anyone else wants to use memfd_pin_folios(). Reported-by: Julian Orth <ju.orth@xxxxxxxxx> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219106 Closes: https://lore.kernel.org/r/CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTgpD+StkV9w@xxxxxxxxxxxxxx Fixes: fbb0de795078 ("Add udmabuf misc device") Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Jann Horn <jannh@xxxxxxxxxx> Acked-by: Joel Fernandes (Google) <joel@xxxxxxxxxxxxxxxxx> Acked-by: Vivek Kasireddy <vivek.kasireddy@xxxxxxxxx> Signed-off-by: Vivek Kasireddy <vivek.kasireddy@xxxxxxxxx> Link: https://patchwork.freedesktop.org/patch/msgid/20241204-udmabuf-fixes-v2-1-23887289de1c@xxxxxxxxxx Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/dma-buf/udmabuf.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -394,14 +394,19 @@ static long udmabuf_create(struct miscde goto err; } + /* + * Take the inode lock to protect against concurrent + * memfd_add_seals(), which takes this lock in write mode. + */ + inode_lock_shared(file_inode(memfd)); ret = check_memfd_seals(memfd); - if (ret < 0) { - fput(memfd); - goto err; - } + if (ret) + goto out_unlock; ret = udmabuf_pin_folios(ubuf, memfd, list[i].offset, list[i].size); +out_unlock: + inode_unlock_shared(file_inode(memfd)); fput(memfd); if (ret) goto err;
