redonkable
/
alistair23-linux
1
0
Fork 0
Code Releases Activity
Fork of alistair23 Linux kernel for reMarkable from https://github.com/alistair23/linux
884,225 Commits
15 Branches
0 Tags
3.4 GiB
C 97.7%
Assembly 1.4%
Makefile 0.3%
Shell 0.2%
Python 0.1%
Other 0.1%
 
 
 
 
 
 
Go to file
Charan Teja Reddy ef8133b1b4 dmabuf: fix use-after-free of dmabuf's file->f_inode 
commit 05cd84691e upstream.

It is observed 'use-after-free' on the dmabuf's file->f_inode with the
race between closing the dmabuf file and reading the dmabuf's debug
info.

Consider the below scenario where P1 is closing the dma_buf file
and P2 is reading the dma_buf's debug info in the system:

P1						P2
					dma_buf_debug_show()
dma_buf_put()
  __fput()
    file->f_op->release()
    dput()
    ....
      dentry_unlink_inode()
        iput(dentry->d_inode)
        (where the inode is freed)
					mutex_lock(&db_list.lock)
					read 'dma_buf->file->f_inode'
					(the same inode is freed by P1)
					mutex_unlock(&db_list.lock)
      dentry->d_op->d_release()-->
        dma_buf_release()
          .....
          mutex_lock(&db_list.lock)
          removes the dmabuf from the list
          mutex_unlock(&db_list.lock)

In the above scenario, when dma_buf_put() is called on a dma_buf, it
first frees the dma_buf's file->f_inode(=dentry->d_inode) and then
removes this dma_buf from the system db_list. In between P2 traversing
the db_list tries to access this dma_buf's file->f_inode that was freed
by P1 which is a use-after-free case.

Since, __fput() calls f_op->release first and then later calls the
d_op->d_release, move the dma_buf's db_list removal from d_release() to
f_op->release(). This ensures that dma_buf's file->f_inode is not
accessed after it is released.

Cc: <stable@vger.kernel.org> # 5.4.x-
Fixes: 4ab59c3c63 ("dma-buf: Move dma_buf_release() from fops to dentry_ops")
Acked-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Charan Teja Reddy <charante@codeaurora.org>
Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/1609857399-31549-1-git-send-email-charante@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2021-01-12 20:16:23 +01:00
Documentation x86/CPU/AMD: Save AMD NodeId as cpu_die_id 2020-12-30 11:51:47 +01:00
LICENSES LICENSES: Rename other to deprecated 2019-05-03 06:34:32 -06:00
arch x86/mm: Fix leak of pmd ptlock 2021-01-12 20:16:22 +01:00
block scsi: block: Fix a race in the runtime power management code 2021-01-06 14:48:37 +01:00
certs PKCS#7: Refactor verify_pkcs7_signature() 2019-08-05 18:40:18 -04:00
crypto crypto: asym_tpm: correct zero out potential secrets 2021-01-12 20:16:17 +01:00
drivers dmabuf: fix use-after-free of dmabuf's file->f_inode 2021-01-12 20:16:23 +01:00
fs btrfs: send: fix wrong file path when there is an inode with a pending rmdir 2021-01-12 20:16:23 +01:00
include net: sched: prevent invalid Scell_log shift count 2021-01-12 20:16:14 +01:00
init exec: Transform exec_update_mutex into a rw_semaphore 2021-01-09 13:44:55 +01:00
ipc ipc/util.c: sysvipc_find_ipc() incorrectly updates position index 2020-05-20 08:20:16 +02:00
kernel workqueue: Kick a worker based on the actual activation of delayed works 2021-01-12 20:16:09 +01:00
lib lib/genalloc: fix the overflow when size is too big 2021-01-12 20:16:10 +01:00
mm mm: don't wake kswapd prematurely when watermark boosting is disabled 2020-12-30 11:51:27 +01:00
net net/sched: sch_taprio: ensure to reset/destroy all child qdiscs 2021-01-12 20:16:16 +01:00
samples samples: bpf: Fix lwt_len_hist reusing previous BPF map 2020-12-30 11:51:12 +01:00
scripts depmod: handle the case of /sbin/depmod without /sbin in PATH 2021-01-12 20:16:10 +01:00
security ima: Don't modify file descriptor mode on the fly 2020-12-30 11:51:39 +01:00
sound ALSA: hda/realtek: Add two "Intel Reference board" SSID in the ALC256. 2021-01-12 20:16:23 +01:00
tools tools headers UAPI: Sync linux/const.h with the kernel headers 2021-01-06 14:48:37 +01:00
usr initramfs: restore default compression behavior 2020-04-08 09:08:38 +02:00
virt kvm: check tlbs_dirty directly 2021-01-12 20:16:22 +01:00
.clang-format clang-format: Update with the latest for_each macro list 2019-08-31 10:00:51 +02:00
.cocciconfig
.get_maintainer.ignore Opt out of scripts/get_maintainer.pl 2019-05-16 10:53:40 -07:00
.gitattributes .gitattributes: set git diff driver for C source code files 2016-10-07 18:46:30 -07:00
.gitignore Modules updates for v5.4 2019-09-22 10:34:46 -07:00
.mailmap ARM: SoC fixes 2019-11-10 13:41:59 -08:00
COPYING COPYING: use the new text with points to the license files 2018-03-23 12:41:45 -06:00
CREDITS MAINTAINERS: Remove Simon as Renesas SoC Co-Maintainer 2019-10-10 08:12:51 -07:00
Kbuild kbuild: do not descend to ./Kbuild when cleaning 2019-08-21 21:03:58 +09:00
Kconfig docs: kbuild: convert docs to ReST and rename to *.rst 2019-06-14 14:21:21 -06:00
MAINTAINERS Documentation/llvm: add documentation on building w/ Clang/LLVM 2020-08-26 10:40:46 +02:00
Makefile kbuild: don't hardcode depmod path 2021-01-12 20:16:16 +01:00
README Drop all 00-INDEX files from Documentation/ 2018-09-09 15:08:58 -06:00

README 

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.