subject:"\[PATCH\] dma\-buf\: free dmabuf\->name in dma_buf

Re: [PATCH] dma-buf: free dmabuf->name in dma_buf_release()

2020-02-28 Thread Cong Wang

On Tue, Feb 25, 2020 at 5:54 PM Andrew Morton  wrote:
>
> On Tue, 25 Feb 2020 12:44:46 -0800 Cong Wang  wrote:
>
> > dma-buff name can be set via DMA_BUF_SET_NAME ioctl, but once set
> > it never gets freed.
> >
> > Free it in dma_buf_release().
> >
> > ...
> >
> > --- a/drivers/dma-buf/dma-buf.c
> > +++ b/drivers/dma-buf/dma-buf.c
> > @@ -108,6 +108,7 @@ static int dma_buf_release(struct inode *inode, struct 
> > file *file)
> >   dma_resv_fini(dmabuf->resv);
> >
> >   module_put(dmabuf->owner);
> > + kfree(dmabuf->name);
> >   kfree(dmabuf);
> >   return 0;
> >  }
>
> ow.  Is that ioctl privileged?

It looks unprivileged to me, as I don't see capable() called along
the path.

Thanks.
___
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

Re: [PATCH] dma-buf: free dmabuf->name in dma_buf_release()

2020-02-27 Thread Andrew Morton

On Thu, 27 Feb 2020 13:38:03 -0800 Cong Wang  wrote:

> On Tue, Feb 25, 2020 at 5:54 PM Andrew Morton  
> wrote:
> >
> > On Tue, 25 Feb 2020 12:44:46 -0800 Cong Wang  
> > wrote:
> >
> > > dma-buff name can be set via DMA_BUF_SET_NAME ioctl, but once set
> > > it never gets freed.
> > >
> > > Free it in dma_buf_release().
> > >
> > > ...
> > >
> > > --- a/drivers/dma-buf/dma-buf.c
> > > +++ b/drivers/dma-buf/dma-buf.c
> > > @@ -108,6 +108,7 @@ static int dma_buf_release(struct inode *inode, 
> > > struct file *file)
> > >   dma_resv_fini(dmabuf->resv);
> > >
> > >   module_put(dmabuf->owner);
> > > + kfree(dmabuf->name);
> > >   kfree(dmabuf);
> > >   return 0;
> > >  }
> >
> > ow.  Is that ioctl privileged?
> 
> It looks unprivileged to me, as I don't see capable() called along
> the path.
> 

OK, thanks.  I added cc:stable to my copy.
___
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

[PATCH] dma-buf: free dmabuf->name in dma_buf_release()

2020-02-26 Thread Cong Wang

dma-buff name can be set via DMA_BUF_SET_NAME ioctl, but once set
it never gets freed.

Free it in dma_buf_release().

Fixes: bb2bb9030425 ("dma-buf: add DMA_BUF_SET_NAME ioctls")
Reported-by: syzbot+b2098bc44728a4efb...@syzkaller.appspotmail.com
Acked-by: Chenbo Feng 
Cc: Sumit Semwal 
Cc: Andrew Morton 
Cc: Linus Torvalds 
Signed-off-by: Cong Wang 
---
 drivers/dma-buf/dma-buf.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index d4097856c86b..c343c7c10b4c 100644
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -108,6 +108,7 @@ static int dma_buf_release(struct inode *inode, struct file 
*file)
dma_resv_fini(dmabuf->resv);
 
module_put(dmabuf->owner);
+   kfree(dmabuf->name);
kfree(dmabuf);
return 0;
 }
-- 
2.21.1

___
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

Re: [PATCH] dma-buf: free dmabuf->name in dma_buf_release()

2020-02-25 Thread Andrew Morton

On Tue, 25 Feb 2020 12:44:46 -0800 Cong Wang  wrote:

> dma-buff name can be set via DMA_BUF_SET_NAME ioctl, but once set
> it never gets freed.
> 
> Free it in dma_buf_release().
> 
> ...
>
> --- a/drivers/dma-buf/dma-buf.c
> +++ b/drivers/dma-buf/dma-buf.c
> @@ -108,6 +108,7 @@ static int dma_buf_release(struct inode *inode, struct 
> file *file)
>   dma_resv_fini(dmabuf->resv);
>  
>   module_put(dmabuf->owner);
> + kfree(dmabuf->name);
>   kfree(dmabuf);
>   return 0;
>  }

ow.  Is that ioctl privileged?
___
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

[PATCH] dma-buf: free dmabuf->name in dma_buf_release()

2019-12-27 Thread Cong Wang

dma-buff name can be set via DMA_BUF_SET_NAME ioctl, but once set
it never gets freed.

Free it in dma_buf_release().

Fixes: bb2bb9030425 ("dma-buf: add DMA_BUF_SET_NAME ioctls")
Reported-by: syzbot+b2098bc44728a4efb...@syzkaller.appspotmail.com
Cc: Greg Hackmann 
Cc: Chenbo Feng 
Cc: Sumit Semwal 
Signed-off-by: Cong Wang 
---
 drivers/dma-buf/dma-buf.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index ce41cd9b758a..2427398ff22a 100644
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -108,6 +108,7 @@ static int dma_buf_release(struct inode *inode, struct file 
*file)
dma_resv_fini(dmabuf->resv);
 
module_put(dmabuf->owner);
+   kfree(dmabuf->name);
kfree(dmabuf);
return 0;
 }
-- 
2.21.0

___
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

Re: [PATCH] dma-buf: free dmabuf->name in dma_buf_release()

Re: [PATCH] dma-buf: free dmabuf->name in dma_buf_release()

[PATCH] dma-buf: free dmabuf->name in dma_buf_release()

Re: [PATCH] dma-buf: free dmabuf->name in dma_buf_release()

[PATCH] dma-buf: free dmabuf->name in dma_buf_release()

5 matches

Site Navigation

Mail list logo

Footer information