From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Ian Abbott <abbotti@mev.co.uk>
Subject: [ 34/99] staging: comedi: fix a race between do_cmd_ioctl() and read/write
Date: Fri, 2 Aug 2013 18:07:47 +0800 [thread overview]
Message-ID: <20130802100230.824972799@linuxfoundation.org> (raw)
In-Reply-To: <20130802100225.478715166@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit 4b18f08be01a7b3c7b6df497137b6e3cb28adaa3 upstream.
`do_cmd_ioctl()` is called with the comedi device's mutex locked to
process the `COMEDI_CMD` ioctl to set up comedi's asynchronous command
handling on a comedi subdevice. `comedi_read()` and `comedi_write()`
are the `read` and `write` handlers for the comedi device, but do not
lock the mutex (for performance reasons, as some things can hold the
mutex for quite a long time).
There is a race condition if `comedi_read()` or `comedi_write()` is
running at the same time and for the same file object and comedi
subdevice as `do_cmd_ioctl()`. `do_cmd_ioctl()` sets the subdevice's
`busy` pointer to the file object way before it sets the `SRF_RUNNING` flag
in the subdevice's `runflags` member. `comedi_read() and
`comedi_write()` check the subdevice's `busy` pointer is pointing to the
current file object, then if the `SRF_RUNNING` flag is not set, will call
`do_become_nonbusy()` to shut down the asyncronous command. Bad things
can happen if the asynchronous command is being shutdown and set up at
the same time.
To prevent the race, don't set the `busy` pointer until
after the `SRF_RUNNING` flag has been set. Also, make sure the mutex is
held in `comedi_read()` and `comedi_write()` while calling
`do_become_nonbusy()` in order to avoid moving the race condition to a
point within that function.
Change some error handling `goto cleanup` statements in `do_cmd_ioctl()`
to simple `return -ERRFOO` statements as a result of changing when the
`busy` pointer is set.
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/comedi/comedi_fops.c | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -1401,22 +1401,19 @@ static int do_cmd_ioctl(struct comedi_de
DPRINTK("subdevice busy\n");
return -EBUSY;
}
- s->busy = file;
/* make sure channel/gain list isn't too long */
if (cmd.chanlist_len > s->len_chanlist) {
DPRINTK("channel/gain list too long %u > %d\n",
cmd.chanlist_len, s->len_chanlist);
- ret = -EINVAL;
- goto cleanup;
+ return -EINVAL;
}
/* make sure channel/gain list isn't too short */
if (cmd.chanlist_len < 1) {
DPRINTK("channel/gain list too short %u < 1\n",
cmd.chanlist_len);
- ret = -EINVAL;
- goto cleanup;
+ return -EINVAL;
}
async->cmd = cmd;
@@ -1426,8 +1423,7 @@ static int do_cmd_ioctl(struct comedi_de
kmalloc(async->cmd.chanlist_len * sizeof(int), GFP_KERNEL);
if (!async->cmd.chanlist) {
DPRINTK("allocation failed\n");
- ret = -ENOMEM;
- goto cleanup;
+ return -ENOMEM;
}
if (copy_from_user(async->cmd.chanlist, user_chanlist,
@@ -1479,6 +1475,9 @@ static int do_cmd_ioctl(struct comedi_de
comedi_set_subdevice_runflags(s, ~0, SRF_USER | SRF_RUNNING);
+ /* set s->busy _after_ setting SRF_RUNNING flag to avoid race with
+ * comedi_read() or comedi_write() */
+ s->busy = file;
ret = s->do_cmd(dev, s);
if (ret == 0)
return 0;
@@ -2041,11 +2040,13 @@ static ssize_t comedi_write(struct file
if (!comedi_is_subdevice_running(s)) {
if (count == 0) {
+ mutex_lock(&dev->mutex);
if (comedi_is_subdevice_in_error(s))
retval = -EPIPE;
else
retval = 0;
do_become_nonbusy(dev, s);
+ mutex_unlock(&dev->mutex);
}
break;
}
@@ -2144,11 +2145,13 @@ static ssize_t comedi_read(struct file *
if (n == 0) {
if (!comedi_is_subdevice_running(s)) {
+ mutex_lock(&dev->mutex);
do_become_nonbusy(dev, s);
if (comedi_is_subdevice_in_error(s))
retval = -EPIPE;
else
retval = 0;
+ mutex_unlock(&dev->mutex);
break;
}
if (file->f_flags & O_NONBLOCK) {
@@ -2186,9 +2189,11 @@ static ssize_t comedi_read(struct file *
buf += n;
break; /* makes device work like a pipe */
}
- if (comedi_is_subdevice_idle(s) &&
- async->buf_read_count - async->buf_write_count == 0) {
- do_become_nonbusy(dev, s);
+ if (comedi_is_subdevice_idle(s)) {
+ mutex_lock(&dev->mutex);
+ if (async->buf_read_count - async->buf_write_count == 0)
+ do_become_nonbusy(dev, s);
+ mutex_unlock(&dev->mutex);
}
set_current_state(TASK_RUNNING);
remove_wait_queue(&async->wait_head, &wait);
next prev parent reply other threads:[~2013-08-02 10:09 UTC|newest]
Thread overview: 106+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-02 10:07 [ 00/99] 3.10.5-stable review Greg Kroah-Hartman
2013-08-02 10:07 ` [ 01/99] mm: fix the TLB range flushed when __tlb_remove_page() runs out of slots Greg Kroah-Hartman
2013-08-02 10:07 ` [ 02/99] iser-target: Fix isert_put_reject payload buffer post Greg Kroah-Hartman
2013-08-02 10:07 ` [ 03/99] iscsi-target: Fix tfc_tpg_nacl_auth_cit configfs length overflow Greg Kroah-Hartman
2013-08-02 10:07 ` [ 04/99] iser-target: Fix session reset bug with RDMA_CM_EVENT_DISCONNECTED Greg Kroah-Hartman
2013-08-02 10:07 ` [ 05/99] iscsi-target: Fix ISCSI_OP_SCSI_TMFUNC handling for iser Greg Kroah-Hartman
2013-08-02 10:07 ` [ 06/99] USB: storage: Add MicroVault Flash Drive to unusual_devs Greg Kroah-Hartman
2013-08-02 10:07 ` [ 07/99] ALSA: hda - Yet another Dell headset mic quirk Greg Kroah-Hartman
2013-08-02 10:07 ` [ 08/99] ALSA: hda - Guess what, its two more Dell headset mic quirks Greg Kroah-Hartman
2013-08-02 10:07 ` [ 09/99] firewire: fix libdc1394/FlyCap2 iso event regression Greg Kroah-Hartman
2013-08-02 10:07 ` [ 10/99] ASoC: sglt5000: Fix the default value of CHIP_SSS_CTRL Greg Kroah-Hartman
2013-08-02 10:07 ` [ 11/99] ASoC: max98088 - fix element type of the register cache Greg Kroah-Hartman
2013-08-02 10:07 ` [ 12/99] ASoC: tegra: correct playback_dma_data setup Greg Kroah-Hartman
2013-08-02 10:07 ` [ 13/99] ASoC: wm8962: Remove remaining direct register cache accesses Greg Kroah-Hartman
2013-08-02 10:07 ` [ 14/99] ARM: 7722/1: zImage: Convert 32bits memory size and address from ATAG to 64bits DTB Greg Kroah-Hartman
2013-08-02 10:07 ` [ 15/99] SCSI: isci: Fix a race condition in the SSP task management path Greg Kroah-Hartman
2013-08-02 10:07 ` [ 16/99] SCSI: sd: fix crash when UA received on DIF enabled device Greg Kroah-Hartman
2013-08-02 10:07 ` [ 17/99] SCSI: qla2xxx: Properly set the tagging for commands Greg Kroah-Hartman
2013-08-02 10:07 ` [ 18/99] tracing: Fix error handling to ensure instances can always be removed Greg Kroah-Hartman
2013-08-02 10:07 ` [ 19/99] tracing: Miscellaneous fixes for trace_array ref counting Greg Kroah-Hartman
2013-08-02 10:07 ` [ 20/99] tracing: Kill the unbalanced tr->ref++ in tracing_buffers_open() Greg Kroah-Hartman
2013-08-02 10:07 ` [ 21/99] tracing: Remove locking trace_types_lock from tracing_reset_all_online_cpus() Greg Kroah-Hartman
2013-08-02 10:07 ` [ 22/99] usb: host: xhci: Enable XHCI_SPURIOUS_SUCCESS for all controllers with xhci 1.0 Greg Kroah-Hartman
2013-08-02 10:07 ` [ 23/99] xhci: fix null pointer dereference on ring_doorbell_for_active_rings Greg Kroah-Hartman
2013-08-02 10:07 ` [ 24/99] xhci: Avoid NULL pointer deref when host dies Greg Kroah-Hartman
2013-08-02 10:07 ` [ 25/99] USB: EHCI: Fix resume signalling on remote wakeup Greg Kroah-Hartman
2013-08-02 10:07 ` [ 26/99] USB: mos7840: fix memory leak in open Greg Kroah-Hartman
2013-08-02 10:07 ` [ 27/99] usb: dwc3: fix the error returned with usb3_phy failure Greg Kroah-Hartman
2013-08-02 10:07 ` [ 28/99] usb: dwc3: fix wrong bit mask in dwc3_event_type Greg Kroah-Hartman
2013-08-02 10:07 ` [ 29/99] usb: dwc3: gadget: dont prevent gadget from being probed if we fail Greg Kroah-Hartman
2013-08-02 10:07 ` [ 30/99] USB: ti_usb_3410_5052: fix dynamic-id matching Greg Kroah-Hartman
2013-08-02 10:07 ` [ 31/99] USB: misc: Add Manhattan Hi-Speed USB DVI Converter to sisusbvga Greg Kroah-Hartman
2013-08-02 10:07 ` [ 32/99] usb: Clear both buffers when clearing a control transfer TT buffer Greg Kroah-Hartman
2013-08-02 10:07 ` [ 33/99] USB: global suspend and remote wakeup dont mix Greg Kroah-Hartman
2013-08-02 10:07 ` Greg Kroah-Hartman [this message]
2013-08-02 10:07 ` [ 35/99] staging: comedi: COMEDI_CANCEL ioctl should wake up read/write Greg Kroah-Hartman
2013-08-02 10:07 ` [ 36/99] staging: android: logger: Correct write offset reset on error Greg Kroah-Hartman
2013-08-02 10:07 ` [ 37/99] cpufreq / intel_pstate: Change to scale off of max P-state Greg Kroah-Hartman
2013-08-02 10:07 ` [ 38/99] Btrfs: fix wrong write offset when replacing a device Greg Kroah-Hartman
2013-08-02 10:07 ` [ 39/99] Btrfs: fix lock leak when resuming snapshot deletion Greg Kroah-Hartman
2013-08-02 10:07 ` [ 40/99] Btrfs: re-add root to dead root list if we stop dropping it Greg Kroah-Hartman
2013-08-02 10:07 ` [ 41/99] xen-netfront: pull on receive skb may need to happen earlier Greg Kroah-Hartman
2013-08-02 10:07 ` [ 42/99] xen/blkback: Check device permissions before allowing OP_DISCARD Greg Kroah-Hartman
2013-08-02 10:07 ` [ 43/99] x86, suspend: Handle CPUs which fail to #GP on RDMSR Greg Kroah-Hartman
2013-08-02 10:07 ` [ 44/99] x86: make sure IDT is page aligned Greg Kroah-Hartman
2013-08-02 10:07 ` [ 45/99] md: Remove recent change which allows devices to skip recovery Greg Kroah-Hartman
2013-08-02 10:07 ` [ 46/99] md/raid1: fix bio handling problems in process_checks() Greg Kroah-Hartman
2013-08-02 10:08 ` [ 47/99] md/raid5: fix interaction of replace and recovery Greg Kroah-Hartman
2013-08-02 10:08 ` [ 48/99] md/raid10: remove use-after-free bug Greg Kroah-Hartman
2013-08-02 10:08 ` [ 49/99] ata: Fix DVD not dectected at some platform with Wellsburg PCH Greg Kroah-Hartman
2013-08-02 10:08 ` [ 50/99] libata: make it clear that sata_inic162x is experimental Greg Kroah-Hartman
2013-08-02 10:08 ` [ 51/99] svcrdma: underflow issue in decode_write_list() Greg Kroah-Hartman
2013-08-02 10:08 ` [ 52/99] crypto: caam - Fixed the memory out of bound overwrite issue Greg Kroah-Hartman
2013-08-02 10:08 ` Greg Kroah-Hartman
2013-08-02 10:08 ` [ 53/99] powerpc/modules: Module CRC relocation fix causes perf issues Greg Kroah-Hartman
2013-08-02 10:08 ` [ 54/99] nfsd: nfsd_open: when dentry_open returns an error do not propagate as struct file Greg Kroah-Hartman
2013-08-02 10:08 ` [ 55/99] Tools: hv: KVP: Fix a bug in IPV6 subnet enumeration Greg Kroah-Hartman
2013-08-02 10:08 ` [ 56/99] Drivers: hv: balloon: Fix a bug in the hot-add code Greg Kroah-Hartman
2013-08-02 10:08 ` [ 57/99] Drivers: hv: balloon: Do not post pressure status if interrupted Greg Kroah-Hartman
2013-08-02 10:08 ` [ 58/99] regmap: cache: bail in regmap_async_complete() for bus-less maps Greg Kroah-Hartman
2013-08-02 10:08 ` [ 59/99] ACPI / scan: Always call acpi_bus_scan() for bus check notifications Greg Kroah-Hartman
2013-08-02 10:08 ` [ 60/99] ACPI / scan: Do not try to attach scan handlers to devices having them Greg Kroah-Hartman
2013-08-02 10:08 ` [ 61/99] ACPI / memhotplug: Fix a stale pointer in error path Greg Kroah-Hartman
2013-08-02 10:08 ` [ 62/99] ACPI / video: ignore BIOS initial backlight value for Fujitsu E753 Greg Kroah-Hartman
2013-08-02 10:08 ` [ 63/99] dm mpath: fix ioctl deadlock when no paths Greg Kroah-Hartman
2013-08-02 10:08 ` [ 64/99] dm ioctl: set noio flag to avoid __vmalloc deadlock Greg Kroah-Hartman
2013-08-02 10:08 ` [ 65/99] dm verity: fix inability to use a few specific devices sizes Greg Kroah-Hartman
2013-08-02 10:08 ` [ 66/99] drm/radeon/hdmi: make sure we have an afmt block assigned Greg Kroah-Hartman
2013-08-02 10:08 ` [ 67/99] drm/radeon: fix UVD fence emit Greg Kroah-Hartman
2013-08-02 10:08 ` [ 68/99] drm/radeon: allow selection of alignment in the sub-allocator Greg Kroah-Hartman
2013-08-02 10:08 ` [ 69/99] drm/radeon: fix endian issues with DP handling (v3) Greg Kroah-Hartman
2013-08-02 10:08 ` [ 70/99] drm/radeon: Another card with wrong primary dac adj Greg Kroah-Hartman
2013-08-02 10:08 ` [ 71/99] drm/radeon: fix combios tables on older cards Greg Kroah-Hartman
2013-08-02 10:08 ` [ 72/99] drm/radeon: improve dac adjust heuristics for legacy pdac Greg Kroah-Hartman
2013-08-02 10:08 ` [ 73/99] drm/i915: fix up ring cleanup for the i830/i845 CS tlb w/a Greg Kroah-Hartman
2013-08-02 10:08 ` [ 74/99] drm/i915: Fix write-read race with multiple rings Greg Kroah-Hartman
2013-08-02 10:08 ` [ 75/99] Partially revert "drm/i915: unconditionally use mt forcewake on hsw/ivb" Greg Kroah-Hartman
2013-08-02 10:08 ` [ 76/99] drm/i915: Fix incoherence with fence updates on Sandybridge+ Greg Kroah-Hartman
2013-08-02 10:08 ` [ 77/99] drm/i915: fix long-standing SNB regression in power consumption after resume v2 Greg Kroah-Hartman
2013-08-02 10:08 ` [ 78/99] drm/i915: Fix dereferencing invalid connectors in is_crtc_connector_off() Greg Kroah-Hartman
2013-08-02 10:08 ` [ 79/99] drm/i915: correctly restore fences with objects attached Greg Kroah-Hartman
2013-08-02 10:08 ` [ 80/99] drm/i915: quirk no PCH_PWM_ENABLE for Dell XPS13 backlight Greg Kroah-Hartman
2013-08-02 10:08 ` [ 81/99] drm/i915: Serialize almost all register access Greg Kroah-Hartman
2013-08-02 10:08 ` [ 82/99] drm/i915: fix up gt init sequence fallout Greg Kroah-Hartman
2013-08-02 10:08 ` [ 83/99] drm/i915: fix missed hunk after GT access breakage Greg Kroah-Hartman
2013-08-02 10:08 ` [ 84/99] drm/nouveau: fix semaphore dmabuf obj Greg Kroah-Hartman
2013-08-02 10:08 ` [ 85/99] drm/radeon: fix audio dto programming on DCE4+ Greg Kroah-Hartman
2013-08-02 10:08 ` [ 86/99] drm/radeon/atom: initialize more atom interpretor elements to 0 Greg Kroah-Hartman
2013-08-02 10:08 ` [ 87/99] rtlwifi: Initialize power-setting callback for USB devices Greg Kroah-Hartman
2013-08-02 10:08 ` [ 88/99] USB: serial: ftdi_sio: add more RT Systems ftdi devices Greg Kroah-Hartman
2013-08-02 10:08 ` [ 89/99] usb: gadget: udc-core: fix the typo of udc state attribute Greg Kroah-Hartman
2013-08-02 10:08 ` [ 90/99] mm: mempolicy: fix mbind_range() && vma_adjust() interaction Greg Kroah-Hartman
2013-08-02 10:08 ` [ 91/99] tty_port: Fix refcounting leak in tty_port_tty_hangup() Greg Kroah-Hartman
2013-08-02 10:08 ` [ 92/99] livelock avoidance in sget() Greg Kroah-Hartman
2013-08-02 10:08 ` [ 93/99] xen/evtchn: avoid a deadlock when unbinding an event channel Greg Kroah-Hartman
2013-08-02 10:08 ` [ 94/99] radeon kms: do not flush uninitialized hotplug work Greg Kroah-Hartman
2013-08-02 10:08 ` [ 95/99] iscsi-target: Fix iscsit_add_reject* usage for iser Greg Kroah-Hartman
2013-08-02 10:08 ` [ 96/99] iscsi-target: Fix iscsit_sequence_cmd reject handling " Greg Kroah-Hartman
2013-08-02 10:08 ` [ 97/99] perf tools: Revert regression in configuration of Python support Greg Kroah-Hartman
2013-08-02 10:08 ` [ 98/99] drm/i915: Correct obj->mm_list link to dev_priv->dev_priv->mm.inactive_list Greg Kroah-Hartman
2013-08-02 10:08 ` [ 99/99] x86: Fix /proc/mtrr with base/size more than 44bits Greg Kroah-Hartman
2013-08-02 19:57 ` [ 00/99] 3.10.5-stable review Shuah Khan
2013-08-02 21:24 ` Greg Kroah-Hartman
2013-08-02 22:05 ` Willy Tarreau
2013-08-03 14:02 ` Guenter Roeck
2013-08-03 23:03 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130802100230.824972799@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=abbotti@mev.co.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.