gpu: nvgpu: Mark fds with O_CLOEXEC

There shouldn't be a use case where an fd, installed by nvgpu,
must be shared on exec with the new process. This doesn't only
lead to an excessive number of fds in the exec process, but also
can lead to potential security issues.

This patch marks the fds with O_CLOEXEC, so that they get
closed on exec.

Bug 3583628

Change-Id: I3499b1429ac512b2c172e9e628d0a7a1417d72e3
Signed-off-by: Martin Radev <mradev@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nvgpu/+/2704350
Reviewed-by: svc-mobile-coverity <svc-mobile-coverity@nvidia.com>
Reviewed-by: svc-mobile-cert <svc-mobile-cert@nvidia.com>
Reviewed-by: Sagar Kamble <skamble@nvidia.com>
Reviewed-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-by: Alex Waterman <alexw@nvidia.com>
GVS: Gerrit_Virtual_Submit
Martin Radev
2022-04-28 14:21:45 +03:00
committed by mobile promotions
parent c30afdce02
commit 657daaee9e
5 changed files with 10 additions and 10 deletions

@@ -583,7 +583,7 @@ int gk20a_channel_open_ioctl(struct gk20a *g, struct nvgpu_cdev *cdev,
char name[64];
s32 runlist_id = args->in.runlist_id;
err = get_unused_fd_flags(O_RDWR);
err = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
if (err < 0)
return err;
fd = err;
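Review bot: In gk20a_channel_open_ioctl the channel fd becomes close-on-exec by default, which is a userspace-visible change to this ioctl, and nothing in the hunk documents it. Suggest a short comment at the get_unused_fd_flags() call, or a note in the ioctl's interface documentation, saying that the returned fd is not inherited across exec and that a caller which really needs inheritance can clear FD_CLOEXEC with fcntl(F_SETFD). That keeps the new default safe while giving any affected caller a documented way back.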
@@ -901,7 +901,7 @@ static int gk20a_ioctl_channel_submit_gpfifo(
/* Try and allocate an fd here*/
if (flag_fence_get && flag_sync_fence) {
fd = get_unused_fd_flags(O_RDWR);
fd = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
if (fd < 0)
return fd;
}
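Review bot: In gk20a_ioctl_channel_submit_gpfifo the fd reserved under `flag_fence_get && flag_sync_fence` is a fence fd that is returned to userspace, and the commit message does not say how the new flag interacts with handing that fence to another process. It would help to state that O_CLOEXEC only stops inheritance across exec, and that passing the fd over a Unix socket with SCM_RIGHTS is unaffected, so reviewers of userspace callers know what to check. Minor style point while the line is being touched: the comment `/* Try and allocate an fd here*/` is missing a space before the closing `*/`.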