From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755290AbcCAXy2 (ORCPT ); Tue, 1 Mar 2016 18:54:28 -0500 Received: from mail333.us4.mandrillapp.com ([205.201.137.77]:44579 "EHLO mail333.us4.mandrillapp.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755239AbcCAXyW (ORCPT ); Tue, 1 Mar 2016 18:54:22 -0500 DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mandrill; d=linuxfoundation.org; b=XMj5t2VHYtDqMesvGXG77y34NyzcUZO9brqcFvXogVH2fc+Q9n1DIaP52MSvnmGomAJWOvQ9c7/Y hpEG+QIArCI0zvdNLRXw/o+25ouKdLyBI1ZVmMDkeT3ZW4QqiWSZ+GEjz+ajyACnq6RbgG16bjep cKQbzcYy7/I6s17MrVI=; From: Greg Kroah-Hartman Subject: [PATCH 3.14 118/130] rfkill: fix rfkill_fop_read wait_event usage X-Mailer: git-send-email 2.7.2 To: Cc: Greg Kroah-Hartman , , Dmitry Vyukov , Johannes Berg Message-Id: <20160301234503.948410103@linuxfoundation.org> In-Reply-To: <20160301234459.768886030@linuxfoundation.org> References: <20160301234459.768886030@linuxfoundation.org> X-Report-Abuse: Please forward a copy of this message, including all headers, to abuse@mandrill.com X-Report-Abuse: You can also report abuse here: http://mandrillapp.com/contact/abuse?id=30481620.4829ccdb39244e2c8a952ece3abc11f4 X-Mandrill-User: md_30481620 Date: Tue, 01 Mar 2016 23:53:44 +0000 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Johannes Berg commit 6736fde9672ff6717ac576e9bba2fd5f3dfec822 upstream. The code within wait_event_interruptible() is called with !TASK_RUNNING, so mustn't call any functions that can sleep, like mutex_lock(). Since we re-check the list_empty() in a loop after the wait, it's safe to simply use list_empty() without locking. This bug has existed forever, but was only discovered now because all userspace implementations, including the default 'rfkill' tool, use poll() or select() to get a readable fd before attempting to read. Fixes: c64fb01627e24 ("rfkill: create useful userspace interface") Reported-by: Dmitry Vyukov Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- net/rfkill/core.c | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) --- a/net/rfkill/core.c +++ b/net/rfkill/core.c @@ -1078,17 +1078,6 @@ static unsigned int rfkill_fop_poll(stru return res; } -static bool rfkill_readable(struct rfkill_data *data) -{ - bool r; - - mutex_lock(&data->mtx); - r = !list_empty(&data->events); - mutex_unlock(&data->mtx); - - return r; -} - static ssize_t rfkill_fop_read(struct file *file, char __user *buf, size_t count, loff_t *pos) { @@ -1105,8 +1094,11 @@ static ssize_t rfkill_fop_read(struct fi goto out; } mutex_unlock(&data->mtx); + /* since we re-check and it just compares pointers, + * using !list_empty() without locking isn't a problem + */ ret = wait_event_interruptible(data->read_wait, - rfkill_readable(data)); + !list_empty(&data->events)); mutex_lock(&data->mtx); if (ret)