From: rkir@google.com
To: gregkh@linuxfoundation.org
Cc: tkjos@google.com, linux-kernel@vger.kernel.org,
	Roman Kiryanov <rkir@google.com>
Subject: [PATCH 02/21] platform: goldfish: pipe: Prevent memory corruption from several threads writing to the same variable
Date: Fri, 14 Sep 2018 10:51:03 -0700
Message-ID: <20180914175122.21036-2-rkir@google.com>
In-Reply-To: <20180914175122.21036-1-rkir@google.com>

From: Roman Kiryanov <rkir@google.com>

Move the "pages" buffer into "struct goldfish_pipe". Since we are
locking the mutex on the pipe in transfer_max_buffers, other threads
will not be able to write into it, but other pipe instances could be
served because they have their own buffer.

Signed-off-by: Roman Kiryanov <rkir@google.com>
---
 drivers/platform/goldfish/goldfish_pipe.c | 24 +++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/drivers/platform/goldfish/goldfish_pipe.c b/drivers/platform/goldfish/goldfish_pipe.c
index b4a484bbcdaa..6ae2b00f4bff 100644
--- a/drivers/platform/goldfish/goldfish_pipe.c
+++ b/drivers/platform/goldfish/goldfish_pipe.c
@@ -163,6 +163,9 @@ struct goldfish_pipe {
 
 	/* Pointer to the parent goldfish_pipe_dev instance */
 	struct goldfish_pipe_dev *dev;
+
+	/* A buffer of pages, too large to fit into a stack frame */
+	struct page *pages[MAX_BUFFERS_PER_COMMAND];
 };
 
 /* The global driver data. Holds a reference to the i/o page used to
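Review bot: The comment on the new pages member of struct goldfish_pipe says why the array is not on the stack, but not what protects it. The changelog relies on the pipe mutex for exclusion, so state that at the field (for example "protected by lock"), so that any later code touching pipe->pages outside transfer_max_buffers knows it must hold pipe->lock.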
@@ -340,21 +343,23 @@ static int transfer_max_buffers(struct goldfish_pipe *pipe,
 				s32 *consumed_size,
 				int *status)
 {
-	static struct page *pages[MAX_BUFFERS_PER_COMMAND];
 	unsigned long first_page = address & PAGE_MASK;
 	unsigned int iter_last_page_size;
-	int pages_count = pin_user_pages(first_page, last_page,
-					 last_page_size, is_write,
-					 pages, &iter_last_page_size);
-
-	if (pages_count < 0)
-		return pages_count;
+	int pages_count;
 
 	/* Serialize access to the pipe command buffers */
 	if (mutex_lock_interruptible(&pipe->lock))
 		return -ERESTARTSYS;
 
-	populate_rw_params(pages, pages_count, address, address_end,
+	pages_count = pin_user_pages(first_page, last_page,
+				     last_page_size, is_write,
+				     pipe->pages, &iter_last_page_size);
+	if (pages_count < 0) {
+		mutex_unlock(&pipe->lock);
+		return pages_count;
+	}
+
+	populate_rw_params(pipe->pages, pages_count, address, address_end,
 			   first_page, last_page, iter_last_page_size, is_write,
 			   pipe->command_buffer);
 
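Review bot: The new error branch after pin_user_pages() in transfer_max_buffers repeats mutex_unlock(&pipe->lock) before returning, so the function now has two unlock sites. A single exit would be more robust: keep the result in a local, jump to an unlock label on failure and return the local, so that an early return added later between the lock and the unlock cannot leave pipe->lock held. The changelog should also mention that page pinning now runs with the pipe mutex held, since that lengthens the time other users of the same pipe wait on the lock.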
@@ -364,10 +369,9 @@ static int transfer_max_buffers(struct goldfish_pipe *pipe,
 
 	*consumed_size = pipe->command_buffer->rw_params.consumed_size;
 
-	release_user_pages(pages, pages_count, is_write, *consumed_size);
+	release_user_pages(pipe->pages, pages_count, is_write, *consumed_size);
 
 	mutex_unlock(&pipe->lock);
-
 	return 0;
 }
 
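Review bot: The deletion of the blank line between mutex_unlock(&pipe->lock) and return 0 at the end of transfer_max_buffers is unrelated to moving the buffer. Drop that whitespace change so this patch carries only the switch from pages to pipe->pages and stays easy to backport and bisect.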
-- 
2.19.0.397.gdd90340f6a-goog

