git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Jann Horn <jannh@google.com>
	Wed, 4 Dec 2024 16:26:19 +0000 (17:26 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 27 Dec 2024 13:02:18 +0000 (14:02 +0100)
commit	93f08e5c393fa648a2e3e7ad2d37dd6a16cd726d
tree	04305957d5459ceee22c2e8907a4149452de75f8	tree
parent	ff561987ff12b6a3233431ff659b5d332e22f153	commit \| diff

udmabuf: fix racy memfd sealing check

commit 9cb189a882738c1d28b349d4e7c6a1ef9b3d8f87 upstream.

The current check_memfd_seals() is racy: Since we first do
check_memfd_seals() and then udmabuf_pin_folios() without holding any
relevant lock across both, F_SEAL_WRITE can be set in between.
This is problematic because we can end up holding pins to pages in a
write-sealed memfd.

Fix it using the inode lock, that's probably the easiest way.
In the future, we might want to consider moving this logic into memfd,
especially if anyone else wants to use memfd_pin_folios().

Reported-by: Julian Orth <ju.orth@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219106
Closes: https://lore.kernel.org/r/CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTgpD+StkV9w@mail.gmail.com
Fixes: fbb0de795078 ("Add udmabuf misc device")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Acked-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241204-udmabuf-fixes-v2-1-23887289de1c@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>