Re: [syzbot] Fix use-after-free in udmabuf_create

From: syzbot
Date: Mon Jun 03 2024 - 01:42:59 EST

Next message: syzbot: "Re: [syzbot] [squashfs?] VFS: Close: file count is zero (use-after-free)"
Previous message: Nicholas Piggin: "Re: [PATCH v1 RESEND] arch/powerpc/kvm: Fix doorbell emulation by adding DPDES support"
In reply to: syzbot: "[syzbot] [squashfs?] VFS: Close: file count is zero (use-after-free)"
Next in thread: syzbot: "Re: [syzbot] Re: [syzbot] [squashfs?] VFS: Close: file count is zero (use-after-free)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx.

***

Subject: Fix use-after-free in udmabuf_create
Author: nightu.pwn@xxxxxxxxx

please test file uaf in udmabuf_create

#syz test
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
0e1980c40b6e

--- a/drivers/dma-buf/udmabuf.c
+++ b/drivers/dma-buf/udmabuf.c
@@ -382,6 +382,7 @@ static long udmabuf_create(struct miscdevice *device,

kfree(folios);
fput(memfd);
+ memfd = NULL;
}

flags = head->flags & UDMABUF_FLAGS_CLOEXEC ? O_CLOEXEC : 0;

Next message: syzbot: "Re: [syzbot] [squashfs?] VFS: Close: file count is zero (use-after-free)"
Previous message: Nicholas Piggin: "Re: [PATCH v1 RESEND] arch/powerpc/kvm: Fix doorbell emulation by adding DPDES support"
In reply to: syzbot: "[syzbot] [squashfs?] VFS: Close: file count is zero (use-after-free)"
Next in thread: syzbot: "Re: [syzbot] Re: [syzbot] [squashfs?] VFS: Close: file count is zero (use-after-free)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]