diff options
author | Roman Kiryanov <rkir@google.com> | 2018-09-14 10:51:03 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-09-25 20:25:42 +0200 |
commit | 48a2d422b508e707f477f9160c795f70c5c20026 (patch) | |
tree | b90cb12a5dd626e4ff1b33317ac6a3854fbfa2a7 | |
parent | 9b9a4a3f140050797a881dec8f8c5ebb33a16ac0 (diff) | |
download | lwn-48a2d422b508e707f477f9160c795f70c5c20026.tar.gz lwn-48a2d422b508e707f477f9160c795f70c5c20026.zip |
platform: goldfish: pipe: Prevent memory corruption from several threads writing to the same variable
Move the "pages" buffer into "struct goldfish_pipe". Since we are
locking the mutex on the pipe in transfer_max_buffers, other threads
willnot be able to write into it, but other pipe instances could be
served because they have its own buffer.
Signed-off-by: Roman Kiryanov <rkir@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | drivers/platform/goldfish/goldfish_pipe.c | 24 |
1 files changed, 14 insertions, 10 deletions
diff --git a/drivers/platform/goldfish/goldfish_pipe.c b/drivers/platform/goldfish/goldfish_pipe.c index b4a484bbcdaa..6ae2b00f4bff 100644 --- a/drivers/platform/goldfish/goldfish_pipe.c +++ b/drivers/platform/goldfish/goldfish_pipe.c @@ -163,6 +163,9 @@ struct goldfish_pipe { /* Pointer to the parent goldfish_pipe_dev instance */ struct goldfish_pipe_dev *dev; + + /* A buffer of pages, too large to fit into a stack frame */ + struct page *pages[MAX_BUFFERS_PER_COMMAND]; }; /* The global driver data. Holds a reference to the i/o page used to @@ -340,21 +343,23 @@ static int transfer_max_buffers(struct goldfish_pipe *pipe, s32 *consumed_size, int *status) { - static struct page *pages[MAX_BUFFERS_PER_COMMAND]; unsigned long first_page = address & PAGE_MASK; unsigned int iter_last_page_size; - int pages_count = pin_user_pages(first_page, last_page, - last_page_size, is_write, - pages, &iter_last_page_size); - - if (pages_count < 0) - return pages_count; + int pages_count; /* Serialize access to the pipe command buffers */ if (mutex_lock_interruptible(&pipe->lock)) return -ERESTARTSYS; - populate_rw_params(pages, pages_count, address, address_end, + pages_count = pin_user_pages(first_page, last_page, + last_page_size, is_write, + pipe->pages, &iter_last_page_size); + if (pages_count < 0) { + mutex_unlock(&pipe->lock); + return pages_count; + } + + populate_rw_params(pipe->pages, pages_count, address, address_end, first_page, last_page, iter_last_page_size, is_write, pipe->command_buffer); @@ -364,10 +369,9 @@ static int transfer_max_buffers(struct goldfish_pipe *pipe, *consumed_size = pipe->command_buffer->rw_params.consumed_size; - release_user_pages(pages, pages_count, is_write, *consumed_size); + release_user_pages(pipe->pages, pages_count, is_write, *consumed_size); mutex_unlock(&pipe->lock); - return 0; } |