From: "T.J. Mercier"
Date: Fri, 29 Mar 2024 16:36:15 -0700
Subject: Re: [PATCH] dmabuf: fix dmabuf file poll uaf issue
To: Zhiguo Jiang
Cc: Sumit Semwal, Christian König, linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org, linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org, opensource.kernel@vivo.com
References: <20240327022903.776-1-justinjiang@vivo.com>
In-Reply-To: <20240327022903.776-1-justinjiang@vivo.com>

On Tue, Mar 26, 2024 at 7:29 PM Zhiguo Jiang wrote:
>
> The issue is a UAF issue of dmabuf file fd. Through debugging, we found
> that the dmabuf file fd is added to the epoll event listener list, and
> when it is released, it is not removed from the epoll list, which leads
> to the UAF (use-after-free) issue.
>
> The UAF issue can be solved by checking dmabuf file->f_count value and
> skipping the poll operation for the closed dmabuf file in the
> dma_buf_poll(). We have tested this patch multiple times and have not
> reproduced the UAF issue.
>

Hi Zhiguo,

What is the most recent kernel version you've seen the bug on?

You are closing the dmabuf fd from another thread while it is still part
of the epoll interest list?

Thanks,
T.J.
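The question T.J. raises turns on what an epoll interest list actually holds once a registered fd number is closed. The program below is an added example, not code from this thread or from the dmabuf code; it uses a pipe as a stand-in for the dmabuf file (an assumption, since allocating a real dmabuf needs an exporter) and shows the two cases a reviewer would want to tell apart: an epoll entry is tied to the open file, not the fd number, so closing the registered fd while a dup() of it stays open leaves the entry in place and epoll keeps reporting the now-stale fd number, whereas closing the last fd for the file removes the entry when the file is released.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/epoll.h>

/* Close whatever is still open and pass the result through. */
static int cleanup(int epfd, int a, int b, int c, int rc)
{
    if (a >= 0) close(a);
    if (b >= 0) close(b);
    if (c >= 0) close(c);
    if (epfd >= 0) close(epfd);
    return rc;
}

/*
 * Register the pipe's read end, make it readable, dup() it, then close the
 * registered fd number. Returns 1 if epoll still reports EPOLLIN (the entry
 * survived because the file is still alive through the dup), 0 if it
 * reports nothing, -1 on a setup error.
 */
int epoll_survives_close_with_dup(void)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    int epfd = epoll_create1(EPOLL_CLOEXEC);
    if (epfd < 0)
        return cleanup(-1, p[0], p[1], -1, -1);

    struct epoll_event ev = { .events = EPOLLIN, .data.fd = p[0] };
    if (epoll_ctl(epfd, EPOLL_CTL_ADD, p[0], &ev) < 0)
        return cleanup(epfd, p[0], p[1], -1, -1);

    int keep = dup(p[0]);            /* second fd for the same open file */
    if (keep < 0)
        return cleanup(epfd, p[0], p[1], -1, -1);

    if (write(p[1], "x", 1) != 1)   /* make the read end readable first */
        return cleanup(epfd, p[0], p[1], keep, -1);

    close(p[0]);                     /* fd number gone; file lives on via keep */

    struct epoll_event out;
    int n = epoll_wait(epfd, &out, 1, 0);   /* timeout 0: poll once, no wait */
    /* If reported, out.data.fd still carries the already-closed fd number. */
    int hit = (n == 1 && (out.events & EPOLLIN)) ? 1 : 0;
    return cleanup(epfd, -1, p[1], keep, hit);
}

/*
 * Same setup without the dup(): closing p[0] drops the file's last reference,
 * the kernel unhooks the file from every epoll on final release, and
 * epoll_wait reports nothing. Returns 1 if no event is reported, 0 if one is,
 * -1 on a setup error.
 */
int epoll_drops_after_last_close(void)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    int epfd = epoll_create1(EPOLL_CLOEXEC);
    if (epfd < 0)
        return cleanup(-1, p[0], p[1], -1, -1);

    struct epoll_event ev = { .events = EPOLLIN, .data.fd = p[0] };
    if (epoll_ctl(epfd, EPOLL_CTL_ADD, p[0], &ev) < 0)
        return cleanup(epfd, p[0], p[1], -1, -1);

    if (write(p[1], "x", 1) != 1)   /* written before close to avoid SIGPIPE */
        return cleanup(epfd, p[0], p[1], -1, -1);

    close(p[0]);                     /* last reference: entry is removed */

    struct epoll_event out;
    int n = epoll_wait(epfd, &out, 1, 0);
    return cleanup(epfd, -1, p[1], -1, (n == 0) ? 1 : 0);
}

int main(void)
{
    printf("entry survives close while a dup is open: %d\n",
           epoll_survives_close_with_dup());
    printf("entry dropped after the last close:       %d\n",
           epoll_drops_after_last_close());
    return 0;
}
```

Both functions return 1 on Linux. The first case is the one to keep in mind when reading a report of a closed fd still being polled: close() on one fd number says nothing about whether the underlying file, and therefore its epoll entry, is gone.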