From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+d7a918a7a8e1c952bc36@syzkaller.appspotmail.com,
Yisheng Xie <xieyisheng1@huawei.com>,
"Joel Fernandes (Google)" <joel.opensrc@gmail.com>
Subject: [PATCH 4.15 02/84] staging: android: ashmem: Fix possible deadlock in ashmem_ioctl
Date: Fri, 23 Mar 2018 10:53:16 +0100 [thread overview]
Message-ID: <20180323095412.279971390@linuxfoundation.org> (raw)
In-Reply-To: <20180323095411.913234798@linuxfoundation.org>
4.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yisheng Xie <xieyisheng1@huawei.com>
commit 740a5759bf222332fbb5eda42f89aa25ba38f9b2 upstream.
ashmem_mutex may create a chain of dependencies like:
CPU0 CPU1
mmap syscall ioctl syscall
-> mmap_sem (acquired) -> ashmem_ioctl
-> ashmem_mmap -> ashmem_mutex (acquired)
-> ashmem_mutex (try to acquire) -> copy_from_user
-> mmap_sem (try to acquire)
There is a lock odering problem between mmap_sem and ashmem_mutex causing
a lockdep splat[1] during a syzcaller test. This patch fixes the problem
by move copy_from_user out of ashmem_mutex.
[1] https://www.spinics.net/lists/kernel/msg2733200.html
Fixes: ce8a3a9e76d0 (staging: android: ashmem: Fix a race condition in pin ioctls)
Reported-by: syzbot+d7a918a7a8e1c952bc36@syzkaller.appspotmail.com
Signed-off-by: Yisheng Xie <xieyisheng1@huawei.com>
Cc: "Joel Fernandes (Google)" <joel.opensrc@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/android/ashmem.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -709,16 +709,14 @@ static int ashmem_pin_unpin(struct ashme
size_t pgstart, pgend;
int ret = -EINVAL;
+ if (unlikely(copy_from_user(&pin, p, sizeof(pin))))
+ return -EFAULT;
+
mutex_lock(&ashmem_mutex);
if (unlikely(!asma->file))
goto out_unlock;
- if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) {
- ret = -EFAULT;
- goto out_unlock;
- }
-
/* per custom, you can pass zero for len to mean "everything onward" */
if (!pin.len)
pin.len = PAGE_ALIGN(asma->size) - pin.offset;
next prev parent reply other threads:[~2018-03-23 9:56 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-23 9:53 [PATCH 4.15 00/84] 4.15.13-stable review Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 01/84] scsi: megaraid_sas: Do not use 32-bit atomic request descriptor for Ventura controllers Greg Kroah-Hartman
2018-03-23 9:53 ` Greg Kroah-Hartman [this message]
2018-03-23 9:53 ` [PATCH 4.15 03/84] drm/amdgpu: use polling mem to set SDMA3 wptr for VF Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 04/84] Bluetooth: hci_qca: Avoid setup failure on missing rampatch Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 05/84] Bluetooth: btqcomsmd: Fix skb double free corruption Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 06/84] cpufreq: longhaul: Revert transition_delay_us to 200 ms Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 07/84] media: c8sectpfe: fix potential NULL pointer dereference in c8sectpfe_timer_interrupt Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 08/84] drm/msm: fix leak in failed get_pages Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 09/84] net: fec: add phy_reset_after_clk_enable() support Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 10/84] IB/ipoib: Warn when one port fails to initialize Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 11/84] RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo() Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 12/84] hv_netvsc: Fix the receive buffer size limit Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 13/84] hv_netvsc: Fix the TX/RX buffer default sizes Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 14/84] tcp: allow TLP in ECN CWR Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 15/84] spi: sh-msiof: Avoid writing to registers from spi_master.setup() Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 16/84] libbpf: prefer global symbols as bpf program name source Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 17/84] rtlwifi: rtl_pci: Fix the bug when inactiveps is enabled Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 18/84] rtlwifi: always initialize variables given to RT_TRACE() Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 19/84] media: bt8xx: Fix err bt878_probe() Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 20/84] ath10k: handling qos at STA side based on AP WMM enable/disable Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 21/84] media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 22/84] qmi_wwan: set FLAG_SEND_ZLP to avoid network initiated disconnect Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 23/84] tty: goldfish: Enable earlycon only if built-in Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 24/84] serial: 8250_dw: Disable clock on error Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 25/84] cros_ec: fix nul-termination for firmware build info Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 26/84] watchdog: Fix potential kref imbalance when opening watchdog Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 27/84] watchdog: Fix kref imbalance seen if handle_boot_enabled=0 Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 28/84] platform/chrome: Use proper protocol transfer function Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 29/84] dmaengine: zynqmp_dma: Fix race condition in the probe Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 30/84] drm/tilcdc: ensure nonatomic iowrite64 is not used Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 31/84] mmc: avoid removing non-removable hosts during suspend Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 32/84] mmc: block: fix logical error to avoid memory leak Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 33/84] /dev/mem: Add bounce buffer for copy-out Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 34/84] net: phy: meson-gxl: check phy_write return value Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 35/84] sfp: fix EEPROM reading in the case of non-SFF8472 SFPs Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 36/84] sfp: fix non-detection of PHY Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 37/84] media: s5p-mfc: Fix lock contention - request_firmware() once Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 38/84] rtc: ac100: Fix multiple race conditions Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 39/84] IB/ipoib: Avoid memory leak if the SA returns a different DGID Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 40/84] RDMA/cma: Use correct size when writing netlink stats Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 41/84] IB/umem: Fix use of npages/nmap fields Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 42/84] iser-target: avoid reinitializing rdma contexts for isert commands Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 43/84] bpf/cgroup: fix a verification error for a CGROUP_DEVICE type prog Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 44/84] PCI/ASPM: Calculate LTR_L1.2_THRESHOLD from device characteristics Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 45/84] vgacon: Set VGA struct resource types Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 46/84] omapdrm: panel: fix compatible vendor string for td028ttec1 Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 47/84] mmc: sdhci-xenon: wait 5ms after set 1.8V signal enable Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 48/84] drm/omap: DMM: Check for DMM readiness after successful transaction commit Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 49/84] pty: cancel pty slave port bufs work in tty_release Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 50/84] coresight: Fix disabling of CoreSight TPIU Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 51/84] PCI: designware-ep: Fix ->get_msi() to check MSI_EN bit Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 52/84] PCI: endpoint: Fix find_first_zero_bit() usage Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 53/84] PCI: rcar: Handle rcar_pcie_parse_request_of_pci_ranges() failures Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 54/84] media: davinci: fix a debug printk Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 55/84] clk: check ops pointer on clock register Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 56/84] dt-bindings: display: panel: Fix compatible string for Toshiba LT089AC29000 Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 57/84] clk: use round rate to bail out early in set_rate Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 58/84] pinctrl: Really force states during suspend/resume Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 59/84] pinctrl: rockchip: enable clock when reading pin direction register Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 60/84] iommu/vt-d: clean up pr_irq if request_threaded_irq fails Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 61/84] ip6_vti: adjust vti mtu according to mtu of lower device Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 62/84] ip_gre: fix error path when erspan_rcv failed Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 63/84] ip_gre: fix potential memory leak in erspan_rcv Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 64/84] soc: qcom: smsm: fix child-node lookup Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 65/84] scsi: lpfc: Fix SCSI LUN discovery when SCSI and NVME enabled Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 66/84] scsi: lpfc: Fix issues connecting with nvme initiator Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 67/84] RDMA/ocrdma: Fix permissions for OCRDMA_RESET_STATS Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 68/84] ARM: dts: aspeed-evb: Add unit name to memory node Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 69/84] nfsd4: permit layoutget of executable-only files Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 70/84] clk: at91: pmc: Wait for clocks when resuming Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 71/84] clk: Dont touch hardware when reparenting during registration Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 72/84] clk: axi-clkgen: Correctly handle nocount bit in recalc_rate() Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 73/84] clk: si5351: Rename internal plls to avoid name collisions Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 74/84] crypto: artpec6 - set correct iv size for gcm(aes) Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 75/84] hwrng: core - Clean up RNG list when last hwrng is unregistered Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 76/84] dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63 Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 77/84] IB/mlx5: Fix integer overflows in mlx5_ib_create_srq Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 78/84] IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 79/84] RDMA/vmw_pvrdma: Fix usage of user response structures in ABI file Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 80/84] serial: 8250_pci: Dont fail on multiport card class Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 81/84] RDMA/core: Do not use invalid destination in determining port reuse Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 82/84] clk: migrate the count of orphaned clocks at init Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 83/84] RDMA/ucma: Fix access to non-initialized CM_ID object Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 84/84] RDMA/ucma: Dont allow join attempts for unsupported AF family Greg Kroah-Hartman
2018-03-23 13:40 ` [PATCH 4.15 00/84] 4.15.13-stable review kernelci.org bot
2018-03-23 14:22 ` Naresh Kamboju
2018-03-23 15:08 ` Greg Kroah-Hartman
2018-03-23 16:40 ` Greg Kroah-Hartman
2018-03-24 7:52 ` Naresh Kamboju
2018-03-24 9:05 ` Greg Kroah-Hartman
2018-03-23 20:46 ` Shuah Khan
2018-03-24 0:12 ` Guenter Roeck
2018-03-24 7:47 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180323095412.279971390@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=joel.opensrc@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+d7a918a7a8e1c952bc36@syzkaller.appspotmail.com \
--cc=xieyisheng1@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).