Re: Patch "media: vb2: vb2_mmap: move lock up" has been added to the 4.20-stable tree

* Re: Patch "media: vb2: vb2_mmap: move lock up" has been added to the 4.20-stable tree
       [not found] <15480714962079@kroah.com>
@ 2019-01-21 13:42 ` Hans Verkuil
  2019-01-21 13:52   ` Greg KH
  0 siblings, 1 reply; 2+ messages in thread
From: Hans Verkuil @ 2019-01-21 13:42 UTC (permalink / raw)
  To: gregkh, hansverk, mchehab+samsung, syzbot+be93025dd45dccd8923c
  Cc: stable-commits, stable

Hi Greg,

On 01/21/2019 12:51 PM, gregkh@linuxfoundation.org wrote:
> 
> This is a note to let you know that I've just added the patch titled
> 
>     media: vb2: vb2_mmap: move lock up
> 
> to the 4.20-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> 
> The filename of the patch is:
>      media-vb2-vb2_mmap-move-lock-up.patch
> and it can be found in the queue-4.20 subdirectory.
> 
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.

This patch must be combined with a backport of c06ef2e9acef4cda1feee2ce055b8086e33d251a
(media: vb2: be sure to unlock mutex on errors), which fixes a bug introduced by
this patch.

It's true for all backports (3.18, 4.9, 4.14, 4.19).

Regards,

	Hans

> 
> 
> From cd26d1c4d1bc947b56ae404998ae2276df7b39b7 Mon Sep 17 00:00:00 2001
> From: Hans Verkuil <hverkuil@xs4all.nl>
> Date: Tue, 13 Nov 2018 09:06:46 -0500
> Subject: media: vb2: vb2_mmap: move lock up
> 
> From: Hans Verkuil <hverkuil@xs4all.nl>
> 
> commit cd26d1c4d1bc947b56ae404998ae2276df7b39b7 upstream.
> 
> If a filehandle is dup()ped, then it is possible to close it from one fd
> and call mmap from the other. This creates a race condition in vb2_mmap
> where it is using queue data that __vb2_queue_free (called from close())
> is in the process of releasing.
> 
> By moving up the mutex_lock(mmap_lock) in vb2_mmap this race is avoided
> since __vb2_queue_free is called with the same mutex locked. So vb2_mmap
> now reads consistent buffer data.
> 
> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
> Reported-by: syzbot+be93025dd45dccd8923c@syzkaller.appspotmail.com
> Signed-off-by: Hans Verkuil <hansverk@cisco.com>
> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> ---
>  drivers/media/common/videobuf2/videobuf2-core.c |   11 ++++++++---
>  1 file changed, 8 insertions(+), 3 deletions(-)
> 
> --- a/drivers/media/common/videobuf2/videobuf2-core.c
> +++ b/drivers/media/common/videobuf2/videobuf2-core.c
> @@ -2146,9 +2146,13 @@ int vb2_mmap(struct vb2_queue *q, struct
>  			return -EINVAL;
>  		}
>  	}
> +
> +	mutex_lock(&q->mmap_lock);
> +
>  	if (vb2_fileio_is_active(q)) {
>  		dprintk(1, "mmap: file io in progress\n");
> -		return -EBUSY;
> +		ret = -EBUSY;
> +		goto unlock;
>  	}
>  
>  	/*
> @@ -2156,7 +2160,7 @@ int vb2_mmap(struct vb2_queue *q, struct
>  	 */
>  	ret = __find_plane_by_offset(q, off, &buffer, &plane);
>  	if (ret)
> -		return ret;
> +		goto unlock;
>  
>  	vb = q->bufs[buffer];
>  
> @@ -2172,8 +2176,9 @@ int vb2_mmap(struct vb2_queue *q, struct
>  		return -EINVAL;
>  	}
>  
> -	mutex_lock(&q->mmap_lock);
>  	ret = call_memop(vb, mmap, vb->planes[plane].mem_priv, vma);
> +
> +unlock:
>  	mutex_unlock(&q->mmap_lock);
>  	if (ret)
>  		return ret;
> 
> 
> Patches currently in stable-queue which might be from hverkuil@xs4all.nl are
> 
> queue-4.20/media-vb2-vb2_mmap-move-lock-up.patch
> queue-4.20/media-vim2m-only-cancel-work-if-it-is-for-right-context.patch
> 

^ permalink raw reply	[flat|nested] 2+ messages in thread