public inbox for drm-ai-reviews@public-inbox.freedesktop.org
* Oops: general protection fault in dma_buf_put
@ 2026-04-07 11:28 Krzysztofik, Janusz
  2026-04-08 12:39 ` [PATCH] dma-buf: fix UAF in dma_buf_put() tracepoint Andi Shyti
  0 siblings, 1 reply; 4+ messages in thread
From: Krzysztofik, Janusz @ 2026-04-07 11:28 UTC (permalink / raw)
  To: christian.koenig@amd.com
  Cc: dri-devel@lists.freedesktop.org, linaro-mm-sig@lists.linaro.org,
	linux-media@vger.kernel.org, sumit.semwal@linaro.org

Since commit 281a226314238 ("dma-buf: add some tracepoints to debug.")
we've been observing UAF reports triggered from inside dma_buf_put:

<0> [402.939643] BUG: spinlock bad magic on CPU#7, kworker/u32:5/132
<4> [402.939661] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b759b: 0000 [#1] SMP NOPTI
<4> [402.939669] CPU: 7 UID: 0 PID: 132 Comm: kworker/u32:5 Tainted: G S   U       L   N  7.0.0-rc7-CI_DRM_18283-g0255f4a35fec+ #1 PREEMPT(lazy) 
<4> [402.939676] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER, [L]=SOFTLOCKUP, [N]=TEST
<4> [402.939679] Hardware name: Intel(R) Client Systems NUC11TNHi5/, BIOS TNTGL357.0042.2020.1221.1743 12/21/2020
<4> [402.939683] Workqueue: i915 __i915_gem_free_work [i915]
<4> [402.939872] RIP: 0010:spin_bug+0x77/0xe0
<4> [402.939878] Code: 83 65 8b 15 5f cf ae 02 44 8b 81 30 0a 00 00 48 81 c1 20 0d 00 00 49 83 fd ff 74 4e e8 02 67 01 00 44 8b 4b 08 4d 85 ed 74 58 <45> 8b 85 30 0a 00 00 49 8d 8d 20 0d 00 00 8b 53 04 48 89 de 48 c7
<4> [402.939885] RSP: 0018:ffffc90001557d08 EFLAGS: 00010202
<4> [402.939888] RAX: 0000000000000033 RBX: ffff8881c136b250 RCX: 0000000000000000
<4> [402.939891] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
<4> [402.939894] RBP: ffffc90001557d20 R08: 0000000000000000 R09: 000000006b6b6b6b
<4> [402.939898] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff831c6f3a
<4> [402.939901] R13: 6b6b6b6b6b6b6b6b R14: ffff888119249570 R15: ffff888108c14640
<4> [402.939904] FS:  0000000000000000(0000) GS:ffff88851c217000(0000) knlGS:0000000000000000
<4> [402.939909] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4> [402.939912] CR2: 00007cca7e5d7d78 CR3: 000000011c0ab001 CR4: 0000000000f72ef0
<4> [402.939915] PKRU: 55555554
<4> [402.939917] Call Trace:
<4> [402.939919]  <TASK>
<4> [402.939922]  do_raw_spin_lock+0x86/0xe0
<4> [402.939926]  _raw_spin_lock+0x37/0x60
<4> [402.939931]  ? dma_buf_put+0x30/0x120
<4> [402.939936]  dma_buf_put+0x30/0x120
<4> [402.939940]  drm_prime_gem_destroy+0x38/0x50
<4> [443.672003]  __i915_gem_free_object+0x5e/0x1d0 [i915]
...


See also https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15647.


I don't think DRM or drivers can do anything about that.  Please fix it.

Thanks,
Janusz


* [PATCH] dma-buf: fix UAF in dma_buf_put() tracepoint
  2026-04-07 11:28 Oops: general protection fault in dma_buf_put Krzysztofik, Janusz
@ 2026-04-08 12:39 ` Andi Shyti
  2026-04-08 12:39   ` Andi Shyti
  2026-04-12  2:25   ` Claude review: " Claude Code Review Bot
  0 siblings, 2 replies; 4+ messages in thread
From: Andi Shyti @ 2026-04-08 12:39 UTC (permalink / raw)
  To: christian.koenig
  Cc: janusz.krzysztofik, dri-devel, linaro-mm-sig, linux-media,
	sumit.semwal, Xiang Gao, Andi Shyti, Andi Shyti,
	Janusz Krzysztofik

dma_buf_put() may drop the final file reference via fput(), which
can free the dma-buf. The new tracepoint invocation was added
after fput(), and DMA_BUF_TRACE() dereferences dmabuf and takes
dmabuf->name_lock.

This leads to a use-after-free on the final put, visible for
example as a spinlock bad magic fault on a poisoned 0x6b6b6b...
lock.

Move the dma_buf_put tracepoint before fput().

Reported-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
Fixes: 281a22631423 ("dma-buf: add some tracepoints to debug.")
Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
Cc: Xiang Gao <gaoxiang17@xiaomi.com>
Cc: Christian König <christian.koenig@amd.com>
---
Hi,

I believe this patch fixes the issue reported by Janusz, I haven't
tested it. Perhaps we can add some more checks in DMA_BUF_TRACE.

Thanks,
Andi

 drivers/dma-buf/dma-buf.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index a202a308c079..b72932c57cb9 100644
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -845,9 +845,8 @@ void dma_buf_put(struct dma_buf *dmabuf)
 	if (WARN_ON(!dmabuf || !dmabuf->file))
 		return;
 
-	fput(dmabuf->file);
-
 	DMA_BUF_TRACE(trace_dma_buf_put, dmabuf);
+	fput(dmabuf->file);
 }
 EXPORT_SYMBOL_NS_GPL(dma_buf_put, "DMA_BUF");
 
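Review bot: the reordering is correct, but nothing in the hunk records why `DMA_BUF_TRACE(trace_dma_buf_put, dmabuf);` now has to sit above `fput(dmabuf->file);`. Since fput() may drop the last file reference and free the dma_buf, a one-line comment above the trace call, e.g. `/* must run before fput(): the final put may free dmabuf */`, would stop a future cleanup from swapping the two statements back and reintroducing the use-after-free. The existing `WARN_ON(!dmabuf || !dmabuf->file)` guard remains sufficient for the tracepoint, because it now executes while the caller's file reference still pins the object.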
-- 
2.53.0




* Claude review: dma-buf: fix UAF in dma_buf_put() tracepoint
  2026-04-08 12:39 ` [PATCH] dma-buf: fix UAF in dma_buf_put() tracepoint Andi Shyti
  2026-04-08 12:39   ` Andi Shyti
@ 2026-04-12  2:25   ` Claude Code Review Bot
  1 sibling, 0 replies; 4+ messages in thread
From: Claude Code Review Bot @ 2026-04-12  2:25 UTC (permalink / raw)
  To: dri-devel-reviews

Overall Series Review

Subject: dma-buf: fix UAF in dma_buf_put() tracepoint
Author: Andi Shyti <andi.shyti@kernel.org>
Patches: 2
Reviewed: 2026-04-12T12:25:40.908159

---

This is a single-patch fix for a clear use-after-free bug in `dma_buf_put()`. The analysis is correct and the fix is straightforward: the `DMA_BUF_TRACE()` macro dereferences `dmabuf` (specifically taking `dmabuf->name_lock`) and was placed **after** `fput(dmabuf->file)`, which on the final reference drop can free the entire `dma_buf` structure. Moving the tracepoint before `fput()` is the right fix.

The patch is well-described with a clear commit message, proper `Fixes:` tag, and `Reported-by:` attribution.

**Verdict: The fix is correct and should be applied.**

---
Generated by Claude Code Patch Reviewer

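The failure mode described in the commit message and in the review above, tracing an object after the reference drop that may free it, modelled in user space as an added example. This is constructed illustration code, not dma-buf code and not the patch author's; `model_dmabuf`, `model_fput`, `trace_put`, the toy slab and `run_put` are all assumptions of the model. Only the two constants are borrowed from the kernel: SPINLOCK_MAGIC (0xdead4ead), which spin_bug() checks, and POISON_FREE (0x6b), the byte SLUB writes over freed objects and the source of the 0x6b6b6b6b6b6b6b6b seen in the oops.

```c
#include <stdio.h>
#include <string.h>

/* Kernel constants kept for realism; everything else is a constructed model. */
#define LOCK_MAGIC   0xdead4eadU   /* SPINLOCK_MAGIC, what spin_bug() verifies */
#define POISON_FREE  0x6b          /* SLUB's poison byte for freed objects */

struct model_lock { unsigned int magic; };

struct model_dmabuf {
    int refcount;                 /* stands in for the file reference count */
    struct model_lock name_lock;  /* stands in for dmabuf->name_lock */
    char name[16];
};

/* A tiny slab: objects are never unmapped, only poisoned on free, so a late
 * dereference is observable here instead of being undefined behaviour. */
#define SLAB_OBJS 4
static struct model_dmabuf slab[SLAB_OBJS];
static int slab_in_use[SLAB_OBJS];

static struct model_dmabuf *slab_alloc(void)
{
    for (int i = 0; i < SLAB_OBJS; i++) {
        if (!slab_in_use[i]) {
            slab_in_use[i] = 1;
            memset(&slab[i], 0, sizeof(slab[i]));
            return &slab[i];
        }
    }
    return NULL;
}

static void slab_free(struct model_dmabuf *b)
{
    slab_in_use[b - slab] = 0;
    memset(b, POISON_FREE, sizeof(*b));   /* like SLUB poisoning */
}

/* The check spin_bug() performs: a lock with the wrong magic has been freed
 * (or never initialised). Returns 1 when sane, 0 when corrupt. */
static int lock_magic_ok(const struct model_lock *l)
{
    return l->magic == LOCK_MAGIC;
}

/* Models DMA_BUF_TRACE(trace_dma_buf_put, dmabuf): it takes name_lock and
 * reads the name. Returns 0 on success, -1 when it would have touched a
 * poisoned object, i.e. the use-after-free. */
static int trace_put(struct model_dmabuf *b)
{
    if (!lock_magic_ok(&b->name_lock))
        return -1;
    printf("trace: dma_buf_put name=%s refcount=%d\n", b->name, b->refcount);
    return 0;
}

/* Models fput(): dropping the final reference frees the object. */
static void model_fput(struct model_dmabuf *b)
{
    if (--b->refcount == 0)
        slab_free(b);
}

/* Pre-patch ordering: trace after the reference drop. */
static int dma_buf_put_before_fix(struct model_dmabuf *b)
{
    model_fput(b);
    return trace_put(b);
}

/* Post-patch ordering: trace while the caller's reference still pins b. */
static int dma_buf_put_after_fix(struct model_dmabuf *b)
{
    int rc = trace_put(b);
    model_fput(b);
    return rc;
}

/* Allocate one object holding `refs` references and drop one of them with
 * the chosen ordering. Returns the trace result: 0 ok, -1 UAF detected. */
static int run_put(int fixed, int refs)
{
    struct model_dmabuf *b = slab_alloc();
    if (!b)
        return -2;
    b->refcount = refs;
    b->name_lock.magic = LOCK_MAGIC;
    strcpy(b->name, "demo");
    int rc = fixed ? dma_buf_put_after_fix(b) : dma_buf_put_before_fix(b);
    if (slab_in_use[b - slab])   /* not the final put: release the slot for reuse */
        slab_free(b);
    return rc;
}

int main(void)
{
    printf("before fix, final put: %s\n", run_put(0, 1) ? "UAF detected" : "ok");
    printf("after fix, final put:  %s\n", run_put(1, 1) ? "UAF detected" : "ok");
    printf("before fix, non-final put: %s\n", run_put(0, 2) ? "UAF detected" : "ok");
    return 0;
}
```

Only the final put trips the check, which matches the report: the i915 free worker drops the last reference, the object is poisoned, and the next access sees 0x6b6b6b6b where the lock magic should be. With the patch's ordering the trace reads the object while the reference is still held, so the same call sequence is clean.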
