From: Charan Teja Reddy
To: sumit.semwal@linaro.org, christian.koenig@amd.com, arnd@arndb.de
Cc: linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org, linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org, vinmenon@codeaurora.org, Charan Teja Reddy
Subject: [PATCH] dmabuf: fix NULL pointer dereference in dma_buf_release()
Date: Fri, 18 Sep 2020 16:02:31 +0530
Message-Id: <1600425151-27670-1-git-send-email-charante@codeaurora.org>

NULL pointer dereference is observed while exporting the dmabuf but
failed to allocate the 'struct file' which results in the dropping of
the allocated dentry corresponding to this file in the dmabuf fs, which
is ending up in dma_buf_release() and accessing the uninitialized
dentry->d_fsdata.

Call stack on 5.4 is below:
 dma_buf_release+0x2c/0x254 drivers/dma-buf/dma-buf.c:88
 __dentry_kill+0x294/0x31c fs/dcache.c:584
 dentry_kill fs/dcache.c:673 [inline]
 dput+0x250/0x380 fs/dcache.c:859
 path_put+0x24/0x40 fs/namei.c:485
 alloc_file_pseudo+0x1a4/0x200 fs/file_table.c:235
 dma_buf_getfile drivers/dma-buf/dma-buf.c:473 [inline]
 dma_buf_export+0x25c/0x3ec drivers/dma-buf/dma-buf.c:585

Fix this by checking for the valid pointer in the dentry->d_fsdata.

Fixes: 4ab59c3c638c ("dma-buf: Move dma_buf_release() from fops to dentry_ops")
Cc: [5.7+]
Signed-off-by: Charan Teja Reddy
---
 drivers/dma-buf/dma-buf.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index 58564d82..844967f 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -59,6 +59,8 @@ static void dma_buf_release(struct dentry *dentry) struct dma_buf *dmabuf; dmabuf = dentry->d_fsdata; + if (unlikely(!dmabuf)) + return; BUG_ON(dmabuf->vmapping_counter);
--
QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum, hosted by The Linux Foundation
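Review bot: The new guard at the top of dma_buf_release(), "if (unlikely(!dmabuf)) return;", has no comment saying when dentry->d_fsdata can legitimately be NULL, so a later reader sees a silent early return directly ahead of BUG_ON(dmabuf->vmapping_counter) with no hint that the only expected case is the alloc_file_pseudo() failure path reached from dma_buf_getfile() in the call stack above. Please add a short comment above the check naming that path. The check also only helps if d_fsdata is actually NULL at that point, whereas the commit message calls it "uninitialized"; it would be worth stating in the comment or the changelog that the field is NULL until the export path assigns it, so the reasoning for why a plain NULL test is sufficient is on record.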