summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRoman Kiryanov <rkir@google.com>2018-09-14 10:51:03 -0700
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2018-09-25 20:25:42 +0200
commit48a2d422b508e707f477f9160c795f70c5c20026 (patch)
treeb90cb12a5dd626e4ff1b33317ac6a3854fbfa2a7
parent9b9a4a3f140050797a881dec8f8c5ebb33a16ac0 (diff)
downloadlwn-48a2d422b508e707f477f9160c795f70c5c20026.tar.gz
lwn-48a2d422b508e707f477f9160c795f70c5c20026.zip
platform: goldfish: pipe: Prevent memory corruption from several threads writing to the same variable
Move the "pages" buffer into "struct goldfish_pipe". Since we are locking the mutex on the pipe in transfer_max_buffers, other threads willnot be able to write into it, but other pipe instances could be served because they have its own buffer. Signed-off-by: Roman Kiryanov <rkir@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/platform/goldfish/goldfish_pipe.c24
1 files changed, 14 insertions, 10 deletions
diff --git a/drivers/platform/goldfish/goldfish_pipe.c b/drivers/platform/goldfish/goldfish_pipe.c
index b4a484bbcdaa..6ae2b00f4bff 100644
--- a/drivers/platform/goldfish/goldfish_pipe.c
+++ b/drivers/platform/goldfish/goldfish_pipe.c
@@ -163,6 +163,9 @@ struct goldfish_pipe {
/* Pointer to the parent goldfish_pipe_dev instance */
struct goldfish_pipe_dev *dev;
+
+ /* A buffer of pages, too large to fit into a stack frame */
+ struct page *pages[MAX_BUFFERS_PER_COMMAND];
};
/* The global driver data. Holds a reference to the i/o page used to
@@ -340,21 +343,23 @@ static int transfer_max_buffers(struct goldfish_pipe *pipe,
s32 *consumed_size,
int *status)
{
- static struct page *pages[MAX_BUFFERS_PER_COMMAND];
unsigned long first_page = address & PAGE_MASK;
unsigned int iter_last_page_size;
- int pages_count = pin_user_pages(first_page, last_page,
- last_page_size, is_write,
- pages, &iter_last_page_size);
-
- if (pages_count < 0)
- return pages_count;
+ int pages_count;
/* Serialize access to the pipe command buffers */
if (mutex_lock_interruptible(&pipe->lock))
return -ERESTARTSYS;
- populate_rw_params(pages, pages_count, address, address_end,
+ pages_count = pin_user_pages(first_page, last_page,
+ last_page_size, is_write,
+ pipe->pages, &iter_last_page_size);
+ if (pages_count < 0) {
+ mutex_unlock(&pipe->lock);
+ return pages_count;
+ }
+
+ populate_rw_params(pipe->pages, pages_count, address, address_end,
first_page, last_page, iter_last_page_size, is_write,
pipe->command_buffer);
@@ -364,10 +369,9 @@ static int transfer_max_buffers(struct goldfish_pipe *pipe,
*consumed_size = pipe->command_buffer->rw_params.consumed_size;
- release_user_pages(pages, pages_count, is_write, *consumed_size);
+ release_user_pages(pipe->pages, pages_count, is_write, *consumed_size);
mutex_unlock(&pipe->lock);
-
return 0;
}