lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160202094809.GA2902@mwanda>
Date:	Tue, 2 Feb 2016 12:48:09 +0300
From:	Dan Carpenter <dan.carpenter@...cle.com>
To:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Christoffer Dall <christoffer.dall@...aro.org>
Cc:	Alan Cox <alan@...ux.intel.com>, Jin Qian <jinqian@...roid.com>,
	Greg Hackmann <ghackmann@...gle.com>,
	Yu Ning <yu.ning@...el.com>,
	Peter Senna Tschudin <peter.senna@...il.com>,
	Alex Bennée <alex.bennee@...aro.org>,
	Jason Hu <jia-cheng.hu@...el.com>,
	linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: [patch] goldfish: locking bugs in goldfish_pipe_read_write()

We recently messed up the error handling here.  We can return with the
pipe->lock held or sometimes we unlock twice by mistake.

Fixes: 2f3be88237a3 ('goldfish_pipe: Pin pages to memory while copying and other cleanups')
Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>

diff --git a/drivers/platform/goldfish/goldfish_pipe.c b/drivers/platform/goldfish/goldfish_pipe.c
index e3fab9a..839df4a 100644
--- a/drivers/platform/goldfish/goldfish_pipe.c
+++ b/drivers/platform/goldfish/goldfish_pipe.c
@@ -313,7 +313,7 @@ static ssize_t goldfish_pipe_read_write(struct file *filp, char __user *buffer,
 				     !is_write, 0, &page, NULL);
 		up_read(&current->mm->mmap_sem);
 		if (ret < 0)
-			return ret;
+			break;
 
 		if (dev->version) {
 			/* Device version 1 or newer (qemu-android) expects the
@@ -400,22 +400,16 @@ static ssize_t goldfish_pipe_read_write(struct file *filp, char __user *buffer,
 		while (test_bit(wakeBit, &pipe->flags)) {
 			if (wait_event_interruptible(
 					pipe->wake_queue,
-					!test_bit(wakeBit, &pipe->flags))) {
-				ret = -ERESTARTSYS;
-				break;
-			}
-
-			if (test_bit(BIT_CLOSED_ON_HOST, &pipe->flags)) {
-				ret = -EIO;
-				break;
-			}
+					!test_bit(wakeBit, &pipe->flags)))
+				return -ERESTARTSYS;
+
+			if (test_bit(BIT_CLOSED_ON_HOST, &pipe->flags))
+				return -EIO;
 		}
 
 		/* Try to re-acquire the lock */
-		if (mutex_lock_interruptible(&pipe->lock)) {
-			ret = -ERESTARTSYS;
-			break;
-		}
+		if (mutex_lock_interruptible(&pipe->lock))
+			return -ERESTARTSYS;
 	}
 	mutex_unlock(&pipe->lock);
 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ