CVE-2022-50819

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> udmabuf: Set ubuf-&gt;sg = NULL if the creation of sg table fails<br /> <br /> When userspace tries to map the dmabuf and if for some reason<br /> (e.g. OOM) the creation of the sg table fails, ubuf-&gt;sg needs to be<br /> set to NULL. Otherwise, when the userspace subsequently closes the<br /> dmabuf fd, we&amp;#39;d try to erroneously free the invalid sg table from<br /> release_udmabuf resulting in the following crash reported by syzbot:<br /> <br /> general protection fault, probably for non-canonical address<br /> 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN<br /> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]<br /> CPU: 0 PID: 3609 Comm: syz-executor487 Not tainted<br /> 5.19.0-syzkaller-13930-g7ebfc85e2cd7 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS<br /> Google 07/22/2022<br /> RIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline]<br /> RIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline]<br /> RIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114<br /> Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 04 00 00 48 8d 7d 0c 4c<br /> 8b 63 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 b6 14<br /> 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e2<br /> RSP: 0018:ffffc900037efd30 EFLAGS: 00010246<br /> RAX: dffffc0000000000 RBX: ffffffff8cb67800 RCX: 0000000000000000<br /> RDX: 0000000000000000 RSI: ffffffff84ad27e0 RDI: 0000000000000000<br /> RBP: fffffffffffffff4 R08: 0000000000000005 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 000000000008c07c R12: ffff88801fa05000<br /> R13: ffff888073db07e8 R14: ffff888025c25440 R15: 0000000000000000<br /> FS: 0000555555fc4300(0000) GS:ffff8880b9a00000(0000)<br /> knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007fc1c0ce06e4 CR3: 00000000715e6000 CR4: 00000000003506f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> dma_buf_release+0x157/0x2d0 drivers/dma-buf/dma-buf.c:78<br /> __dentry_kill+0x42b/0x640 fs/dcache.c:612<br /> dentry_kill fs/dcache.c:733 [inline]<br /> dput+0x806/0xdb0 fs/dcache.c:913<br /> __fput+0x39c/0x9d0 fs/file_table.c:333<br /> task_work_run+0xdd/0x1a0 kernel/task_work.c:177<br /> ptrace_notify+0x114/0x140 kernel/signal.c:2353<br /> ptrace_report_syscall include/linux/ptrace.h:420 [inline]<br /> ptrace_report_syscall_exit include/linux/ptrace.h:482 [inline]<br /> syscall_exit_work kernel/entry/common.c:249 [inline]<br /> syscall_exit_to_user_mode_prepare+0x129/0x280 kernel/entry/common.c:276<br /> __syscall_exit_to_user_mode_work kernel/entry/common.c:281 [inline]<br /> syscall_exit_to_user_mode+0x9/0x50 kernel/entry/common.c:294<br /> do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> RIP: 0033:0x7fc1c0c35b6b<br /> Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24<br /> 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 3d 00<br /> f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44<br /> RSP: 002b:00007ffd78a06090 EFLAGS: 00000293 ORIG_RAX: 0000000000000003<br /> RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fc1c0c35b6b<br /> RDX: 0000000020000280 RSI: 0000000040086200 RDI: 0000000000000006<br /> RBP: 0000000000000007 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000000c<br /> R13: 0000000000000003 R14: 00007fc1c0cfe4a0 R15: 00007ffd78a06140<br /> <br /> Modules linked in:<br /> ---[ end trace 0000000000000000 ]---<br /> RIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline]<br /> RIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline]<br /> RIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114