From mboxrd@z Thu Jan  1 00:00:00 1970
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S966008AbeAOMlm (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Mon, 15 Jan 2018 07:41:42 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:46958 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S965884AbeAOMli (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 15 Jan 2018 07:41:38 -0500
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Viktor Slavkovic <viktors@google.com>
Subject: [PATCH 4.4 77/87] staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl
Date: Mon, 15 Jan 2018 13:35:16 +0100
Message-Id: <20180115123358.014492568@linuxfoundation.org>
X-Mailer: git-send-email 2.15.1
In-Reply-To: <20180115123349.252309699@linuxfoundation.org>
References: <20180115123349.252309699@linuxfoundation.org>
User-Agent: quilt/0.65
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Viktor Slavkovic <viktors@google.com>

commit 443064cb0b1fb4569fe0a71209da7625129fb760 upstream.

A lock-unlock is missing in ASHMEM_SET_SIZE ioctl which can result in a
race condition when mmap is called. After the !asma->file check, before
setting asma->size, asma->file can be set in mmap. That would result in
having different asma->size than the mapped memory size. Combined with
ASHMEM_UNPIN ioctl and shrinker invocation, this can result in memory
corruption.

Signed-off-by: Viktor Slavkovic <viktors@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/android/ashmem.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -759,10 +759,12 @@ static long ashmem_ioctl(struct file *fi
 		break;
 	case ASHMEM_SET_SIZE:
 		ret = -EINVAL;
+		mutex_lock(&ashmem_mutex);
 		if (!asma->file) {
 			ret = 0;
 			asma->size = (size_t)arg;
 		}
+		mutex_unlock(&ashmem_mutex);
 		break;
 	case ASHMEM_GET_SIZE:
 		ret = asma->size;