Commit 66665c8
committed
udmabuf: fix racy memfd sealing check
JIRA: https://issues.redhat.com/browse/RHEL-89519
Conflicts: A merge conflict due to missing upstream commit c87a126
("udmabuf: reuse folio array when pin folios")
commit 9cb189a
Author: Jann Horn <jannh@google.com>
Date: Wed, 4 Dec 2024 17:26:19 +0100
udmabuf: fix racy memfd sealing check
The current check_memfd_seals() is racy: Since we first do
check_memfd_seals() and then udmabuf_pin_folios() without holding any
relevant lock across both, F_SEAL_WRITE can be set in between.
This is problematic because we can end up holding pins to pages in a
write-sealed memfd.
Fix it using the inode lock, that's probably the easiest way.
In the future, we might want to consider moving this logic into memfd,
especially if anyone else wants to use memfd_pin_folios().
Reported-by: Julian Orth <ju.orth@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219106
Closes: https://lore.kernel.org/r/CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTgpD+StkV9w@mail.gmail.com
Fixes: fbb0de7 ("Add udmabuf misc device")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Acked-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241204-udmabuf-fixes-v2-1-23887289de1c@google.com
Signed-off-by: Waiman Long <longman@redhat.com>1 parent 3c90d8b commit 66665c8
1 file changed
+9
-4
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
423 | 423 | | |
424 | 424 | | |
425 | 425 | | |
| 426 | + | |
| 427 | + | |
| 428 | + | |
| 429 | + | |
| 430 | + | |
426 | 431 | | |
427 | | - | |
428 | | - | |
429 | | - | |
430 | | - | |
| 432 | + | |
| 433 | + | |
431 | 434 | | |
432 | 435 | | |
433 | 436 | | |
| 437 | + | |
| 438 | + | |
434 | 439 | | |
435 | 440 | | |
436 | 441 | | |
| |||
0 commit comments