dma-buf: fix UAF in dma_buf_put() tracepoint

dma_buf_put() may drop the final file reference via fput(), which can free the dma-buf. The new tracepoint invocation was added after fput(), and DMA_BUF_TRACE() dereferences dmabuf and takes dmabuf->name_lock. This leads to a use-after-free on the final put, visible for example as a spinlock bad magic fault on a poisoned 0x6b6b6b... lock. Move the dma_buf_put tracepoint before fput().

Reported-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
Fixes: 281a2263 ("dma-buf: add some tracepoints to debug.")
Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Christian König <christian.koenig@amd.com>
Link: https://lore.kernel.org/r/20260408123916.2604101-1-andi.shyti@kernel.org
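
The ordering problem described in the commit message, as a userspace model added here for illustration (not code from the kernel or from this patch). `model_buf`, `model_fput`, `model_trace` and the two `put_*` functions are hypothetical stand-ins; the "free" only poisons a static object with 0x6b, so the model shows the symptom without a real use-after-free.

```c
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b        /* slab poison byte, matching the 0x6b6b6b... in the report */
#define LOCK_MAGIC  0xdead4eadu /* stand-in for the spinlock debug magic value */

struct model_buf {              /* hypothetical stand-in for struct dma_buf */
    int refs;
    unsigned int lock_magic;    /* models the debug magic inside name_lock */
    char name[16];
};

/* Static backing store: the "freed" object stays readable, so the model has no real UAF. */
static struct model_buf storage;

static struct model_buf *model_alloc(const char *name, int refs)
{
    storage.refs = refs;
    storage.lock_magic = LOCK_MAGIC;
    snprintf(storage.name, sizeof(storage.name), "%s", name);
    return &storage;
}

/* Models fput(): dropping the last reference "frees" the object by poisoning it. */
static void model_fput(struct model_buf *b)
{
    if (--b->refs == 0)
        memset(b, POISON_FREE, sizeof(*b));
}

/* Models the tracepoint: it must take name_lock, so it checks the lock magic first. */
static int model_trace(const struct model_buf *b)
{
    return b->lock_magic == LOCK_MAGIC ? 0 : -1;   /* -1 models "spinlock bad magic" */
}

/* Ordering before the fix: trace after the put. */
int put_trace_after(struct model_buf *b)  { model_fput(b); return model_trace(b); }

/* Ordering after the fix: trace while the caller's reference is still held. */
int put_trace_before(struct model_buf *b) { int r = model_trace(b); model_fput(b); return r; }

int main(void)
{
    struct model_buf *b = model_alloc("constructed", 2);
    int nonfinal = put_trace_after(b);
    int final = put_trace_after(b);
    printf("trace after put:  non-final=%d final=%d\n", nonfinal, final);
    b = model_alloc("constructed", 1);
    printf("trace before put: final=%d\n", put_trace_before(b));
    return 0;
}
```

The trace-after-put ordering only fails on the final put, which is why such a bug can pass casual testing and surface only when slab poisoning and lock debugging are enabled.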