From: Dan Carpenter <dan.carpenter@oracle.com>
To: Shankar Brahadeeswaran <shankoo77@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-kernel@vger.kernel.org, devel@driverdev.osuosl.org,
Hugh Dickins <hughd@google.com>,
Konstantin Khlebnikov <khlebnikov@openvz.org>,
Cruz Julian Bishop <cruzjbishop@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH 1/1] staging: android: ashmem: get_name,set_name not to hold ashmem_mutex
Date: Wed, 20 Feb 2013 15:31:59 +0300 [thread overview]
Message-ID: <20130220123159.GD9138@mwanda> (raw)
In-Reply-To: <1361363039-11984-2-git-send-email-shankoo77@gmail.com>
On Wed, Feb 20, 2013 at 05:53:59PM +0530, Shankar Brahadeeswaran wrote:
> static int set_name(struct ashmem_area *asma, void __user *name)
> {
> int ret = 0;
> -
> - mutex_lock(&ashmem_mutex);
> + char local_name[ASHMEM_NAME_LEN];
>
> /* cannot change an existing mapping's name */
> if (unlikely(asma->file)) {
> @@ -423,9 +422,22 @@ static int set_name(struct ashmem_area *asma, void __user *name)
> goto out;
You're not holding the lock here so you can return directly.
Otherwise it's a double unlock.
> }
>
> - if (unlikely(copy_from_user(asma->name + ASHMEM_NAME_PREFIX_LEN,
> - name, ASHMEM_NAME_LEN)))
> + /*
> + * Holding the ashmem_mutex while doing a copy_from_user might cause
> + * an data abourt which would try to access mmap_sem. If another
> + * thread has invoked ashmem_mmap then it will be holding the
> + * semaphore and will be waiting for ashmem_mutex, there by leading to
> + * deadlock. We'll release the mutex and take the name to a local
> + * variable that does not need protection and later copy the local
> + * variable to the structure member with lock held.
> + */
> + if (unlikely(copy_from_user(local_name, name, ASHMEM_NAME_LEN))) {
> ret = -EFAULT;
> + return ret;
return -EFAULT;
These weren't there in the original, only when you redid it at my
request. :/ Sorry for that.
regards,
dan carpenter
next prev parent reply other threads:[~2013-02-20 12:32 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-20 12:23 [PATCH 1/1] staging: android: ashmem: get_name,set_name not to hold ashmem_mutex Shankar Brahadeeswaran
2013-02-20 12:23 ` Shankar Brahadeeswaran
2013-02-20 12:31 ` Dan Carpenter [this message]
2013-02-20 14:27 ` [PATCH V2 " Shankar Brahadeeswaran
2013-02-20 14:27 ` Shankar Brahadeeswaran
2013-02-20 14:48 ` Dan Carpenter
2013-02-20 18:11 ` [PATCH V3 1/1] staging: android: ashmem: get_name,set_name not to Shankar Brahadeeswaran
2013-02-20 18:11 ` [PATCH V3 1/1] staging: android: ashmem: get_name,set_name not to hold ashmem_mutex Shankar Brahadeeswaran
2013-02-20 19:24 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130220123159.GD9138@mwanda \
--to=dan.carpenter@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=cruzjbishop@gmail.com \
--cc=devel@driverdev.osuosl.org \
--cc=gregkh@linuxfoundation.org \
--cc=hughd@google.com \
--cc=khlebnikov@openvz.org \
--cc=linux-kernel@vger.kernel.org \
--cc=shankoo77@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.