From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932633AbcCBAOu (ORCPT ); Tue, 1 Mar 2016 19:14:50 -0500 Received: from mail333.us4.mandrillapp.com ([205.201.137.77]:58697 "EHLO mail333.us4.mandrillapp.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932451AbcCAX6L (ORCPT ); Tue, 1 Mar 2016 18:58:11 -0500 DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mandrill; d=linuxfoundation.org; b=Uq3kIWUpE+4ee6FKcv7PhS9WIeTzKCFwBfEfmDhltS7XEa5zAi4ifizMMSLsYKgQpKv8sD68HMs6 CKkqfhxerURYPAMLe9HpshpsIC0GZaQXlCbf/Be8iDzTt5rJk/UORVjb0SkKyF8rFj131DUzJwuB wZy5ewmOzQArbF/8ysU=; From: Greg Kroah-Hartman Subject: [PATCH 4.4 273/342] rfkill: fix rfkill_fop_read wait_event usage X-Mailer: git-send-email 2.7.2 To: Cc: Greg Kroah-Hartman , , Dmitry Vyukov , Johannes Berg Message-Id: <20160301234536.732371313@linuxfoundation.org> In-Reply-To: <20160301234527.990448862@linuxfoundation.org> References: <20160301234527.990448862@linuxfoundation.org> X-Report-Abuse: Please forward a copy of this message, including all headers, to abuse@mandrill.com X-Report-Abuse: You can also report abuse here: http://mandrillapp.com/contact/abuse?id=30481620.dd399c7cdc1c46cc901adec8c1858ced X-Mandrill-User: md_30481620 Date: Tue, 01 Mar 2016 23:55:24 +0000 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Johannes Berg commit 6736fde9672ff6717ac576e9bba2fd5f3dfec822 upstream. The code within wait_event_interruptible() is called with !TASK_RUNNING, so mustn't call any functions that can sleep, like mutex_lock(). Since we re-check the list_empty() in a loop after the wait, it's safe to simply use list_empty() without locking. This bug has existed forever, but was only discovered now because all userspace implementations, including the default 'rfkill' tool, use poll() or select() to get a readable fd before attempting to read. Fixes: c64fb01627e24 ("rfkill: create useful userspace interface") Reported-by: Dmitry Vyukov Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- net/rfkill/core.c | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) --- a/net/rfkill/core.c +++ b/net/rfkill/core.c @@ -1095,17 +1095,6 @@ static unsigned int rfkill_fop_poll(stru return res; } -static bool rfkill_readable(struct rfkill_data *data) -{ - bool r; - - mutex_lock(&data->mtx); - r = !list_empty(&data->events); - mutex_unlock(&data->mtx); - - return r; -} - static ssize_t rfkill_fop_read(struct file *file, char __user *buf, size_t count, loff_t *pos) { @@ -1122,8 +1111,11 @@ static ssize_t rfkill_fop_read(struct fi goto out; } mutex_unlock(&data->mtx); + /* since we re-check and it just compares pointers, + * using !list_empty() without locking isn't a problem + */ ret = wait_event_interruptible(data->read_wait, - rfkill_readable(data)); + !list_empty(&data->events)); mutex_lock(&data->mtx); if (ret)