From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:49558 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750738AbeBDCGb (ORCPT ); Sat, 3 Feb 2018 21:06:31 -0500 Date: Sun, 4 Feb 2018 02:06:27 +0000 From: Ben Hutchings To: devel@driverdev.osuosl.org Cc: stable@vger.kernel.org Message-ID: <20180204020626.GB8564@decadent.org.uk> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="0eh6TmSyL6TZE2Uz" Content-Disposition: inline Subject: [PATCH] staging: android: ashmem: Fix a race condition in pin ioctls Sender: stable-owner@vger.kernel.org List-ID: --0eh6TmSyL6TZE2Uz Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable ashmem_pin_unpin() reads asma->file and asma->size before taking the ashmem_mutex, so it can race with other operations that modify them. Build-tested only. Cc: stable@vger.kernel.org Signed-off-by: Ben Hutchings
---
 drivers/staging/android/ashmem.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ash= mem.c
index 372ce9913e6d..e7541dc90473 100644
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -710,30 +710,32 @@ static int ashmem_pin_unpin(struct ashmem_area *asma,= unsigned long cmd,
 size_t pgstart, pgend;
 int ret =3D -EINVAL;
=20
+ mutex_lock(&ashmem_mutex);
+
 if (unlikely(!asma->file))
- return -EINVAL;
+ goto out_unlock;
=20
- if (unlikely(copy_from_user(&pin, p, sizeof(pin))))
- return -EFAULT;
+ if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) {
+ ret =3D -EFAULT;
+ goto out_unlock;
+ }
=20
 /* per custom, you can pass zero for len to mean "everything onward" */
 if (!pin.len)
 pin.len =3D PAGE_ALIGN(asma->size) - pin.offset;
=20
 if (unlikely((pin.offset | pin.len) & ~PAGE_MASK))
- return -EINVAL;
+ goto out_unlock;
=20
 if (unlikely(((__u32)-1) - pin.offset < pin.len))
- return -EINVAL;
+ goto out_unlock;
=20
 if (unlikely(PAGE_ALIGN(asma->size) < pin.offset + pin.len))
- return -EINVAL;
+ goto out_unlock;
=20
 pgstart =3D pin.offset / PAGE_SIZE;
 pgend =3D pgstart + (pin.len / PAGE_SIZE) - 1;
=20
- mutex_lock(&ashmem_mutex);
-
 switch (cmd) {
 case ASHMEM_PIN:
 ret =3D ashmem_pin(asma, pgstart, pgend);
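Review bot: With `mutex_lock(&ashmem_mutex)` moved to the top of the function, `copy_from_user(&pin, p, sizeof(pin))` now runs with ashmem_mutex held, and that call can fault and sleep on a user-controlled address while taking the caller's mm lock. This establishes an ashmem_mutex → mm-lock ordering; if any other path in the driver takes ashmem_mutex with the mm lock already held (the mmap handler is the likely candidate, though it is not visible in this hunk), lockdep will report an inversion and a deadlock becomes possible. The copy does not depend on `asma` state, so it can stay ahead of the lock: keep `if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) return -EFAULT;` first and place `mutex_lock(&ashmem_mutex);` just before the `!asma->file` check, so only the reads of `asma->file` and `asma->size` are serialized. Note that this reorders the -EFAULT and -EINVAL checks for an area with no backing file. The function's signature and the rest of its switch lie outside this hunk, and the `out_unlock:` label is added in the following hunk.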
@@ -746,6 +748,7 @@ static int ashmem_pin_unpin(struct ashmem_area *asma, u= nsigned long cmd,
 break;
 }
=20
+out_unlock:
 mutex_unlock(&ashmem_mutex);
=20
 return ret;
--0eh6TmSyL6TZE2Uz Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBWnZqoue/yOyVhhEJAQrQ+xAAvryB9F08QbSMblnV12/ZGZos1gxZc92D 9tC7b/xhQWmisgG/9FKf6NdHr4eF9fopoAo4dvn1yfQWu/5K8D6DoOqnOdyaEMT4 fVvNR/BoVDhKMRP/WMd4OCaFdztcwk+JhGv1hV4mrVkt1mWDzC5e82RM9vU+YZdS XlcLUs1U0vinrA6Gs2aB8Ggm1h5hHp4Ofm+zUNm5XvPp8OOeYwbr0CqeR9c9567Z BUbBpprScabtAifpV5KO1mBgry6Gk1CSKaT4nxjj40gMBpWMufsGw6jfIqzh/9PO oEuneJ7k2b4vnTBO1QxIxcM5y2vmWw98lLzGU6dRNJoEcmgN2pwwAUwt+vePaZo+ vFbVRq/KSC6KNKHmNkZ8lIviASrLW9/xOCMaoqhGQuo9lvupuTAi6Su47+mfH6r8 suh1u5rZewdFuRPi++4tvwz8f1ZJqr1AuecR822a6F4+l4h8tFdMphkuc0DTT7B2 jrcwqZupHgIkZ7tJZrpOd38i9/HXGXpPzk/7SHTfQVcLbznIHYR5XSZuxCZfv5Qz qmicbxj2qGE0eST3XfIgykA0QQNdbAHLareXmsInEIusxuT7CnmQIQMUBqA7WFtR oWumUqnWOt6/T79FdbSXXFXKfdMj4jNNwgxRiGQOUzRTZ3YywjLxup6Pa7EtadKC UGA8Mvk27Vs= =8sOG -----END PGP SIGNATURE----- --0eh6TmSyL6TZE2Uz--