From: rkir@google.com
To: gregkh@linuxfoundation.org
Cc: tkjos@google.com, linux-kernel@vger.kernel.org,
Roman Kiryanov <rkir@google.com>
Subject: [PATCH 02/21] platform: goldfish: pipe: Prevent memory corruption from several threads writing to the same variable
Date: Fri, 14 Sep 2018 10:51:03 -0700 [thread overview]
Message-ID: <20180914175122.21036-2-rkir@google.com> (raw)
In-Reply-To: <20180914175122.21036-1-rkir@google.com>
From: Roman Kiryanov <rkir@google.com>
Move the "pages" buffer into "struct goldfish_pipe". Since we are
locking the mutex on the pipe in transfer_max_buffers, other threads
willnot be able to write into it, but other pipe instances could be
served because they have its own buffer.
Signed-off-by: Roman Kiryanov <rkir@google.com>
---
drivers/platform/goldfish/goldfish_pipe.c | 24 +++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/drivers/platform/goldfish/goldfish_pipe.c b/drivers/platform/goldfish/goldfish_pipe.c
index b4a484bbcdaa..6ae2b00f4bff 100644
--- a/drivers/platform/goldfish/goldfish_pipe.c
+++ b/drivers/platform/goldfish/goldfish_pipe.c
@@ -163,6 +163,9 @@ struct goldfish_pipe {
/* Pointer to the parent goldfish_pipe_dev instance */
struct goldfish_pipe_dev *dev;
+
+ /* A buffer of pages, too large to fit into a stack frame */
+ struct page *pages[MAX_BUFFERS_PER_COMMAND];
};
/* The global driver data. Holds a reference to the i/o page used to
@@ -340,21 +343,23 @@ static int transfer_max_buffers(struct goldfish_pipe *pipe,
s32 *consumed_size,
int *status)
{
- static struct page *pages[MAX_BUFFERS_PER_COMMAND];
unsigned long first_page = address & PAGE_MASK;
unsigned int iter_last_page_size;
- int pages_count = pin_user_pages(first_page, last_page,
- last_page_size, is_write,
- pages, &iter_last_page_size);
-
- if (pages_count < 0)
- return pages_count;
+ int pages_count;
/* Serialize access to the pipe command buffers */
if (mutex_lock_interruptible(&pipe->lock))
return -ERESTARTSYS;
- populate_rw_params(pages, pages_count, address, address_end,
+ pages_count = pin_user_pages(first_page, last_page,
+ last_page_size, is_write,
+ pipe->pages, &iter_last_page_size);
+ if (pages_count < 0) {
+ mutex_unlock(&pipe->lock);
+ return pages_count;
+ }
+
+ populate_rw_params(pipe->pages, pages_count, address, address_end,
first_page, last_page, iter_last_page_size, is_write,
pipe->command_buffer);
@@ -364,10 +369,9 @@ static int transfer_max_buffers(struct goldfish_pipe *pipe,
*consumed_size = pipe->command_buffer->rw_params.consumed_size;
- release_user_pages(pages, pages_count, is_write, *consumed_size);
+ release_user_pages(pipe->pages, pages_count, is_write, *consumed_size);
mutex_unlock(&pipe->lock);
-
return 0;
}
--
2.19.0.397.gdd90340f6a-goog
next prev parent reply other threads:[~2018-09-14 17:51 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-14 17:51 [PATCH 01/21] platform: goldfish: pipe: Remove license boilerplate rkir
2018-09-14 17:51 ` rkir [this message]
2018-09-14 17:51 ` [PATCH 03/21] platform: goldfish: pipe: Remove a redundant blank line rkir
2018-09-14 17:51 ` [PATCH 04/21] platform: goldfish: pipe: Remove redundant struct declarations rkir
2018-09-14 17:51 ` [PATCH 05/21] platform: goldfish: pipe: Remove redundant header include rkir
2018-09-14 17:51 ` [PATCH 06/21] platform: goldfish: pipe: Add DMA support to goldfish pipe rkir
2018-09-25 18:31 ` Greg KH
2018-09-25 23:06 ` Roman Kiryanov
2018-09-14 17:51 ` [PATCH 07/21] platform: goldfish: pipe: Remove the goldfish_interrupt_tasklet global variable rkir
2018-09-14 17:51 ` [PATCH 08/21] platform: goldfish: pipe: Remove the goldfish_pipe_miscdev " rkir
2018-09-14 17:51 ` [PATCH 09/21] platform: goldfish: pipe: Remove the goldfish_pipe_dev " rkir
2018-09-14 17:51 ` [PATCH 10/21] platform: goldfish: pipe: Move goldfish_pipe to goldfish_pipe_v2 rkir
2018-09-14 17:51 ` [PATCH 11/21] platform: goldfish: pipe: Move memory allocation from probe to init rkir
2018-09-14 17:51 ` [PATCH 12/21] platform: goldfish: pipe: Return status from "deinit" since "remove" does not do much rkir
2018-09-14 17:51 ` [PATCH 13/21] platform: goldfish: pipe: Split the driver to v2 specific and the rest rkir
2018-09-14 17:51 ` [PATCH 14/21] platform: goldfish: pipe: Add a blank line to separate varibles and code rkir
2018-09-14 17:51 ` [PATCH 15/21] platform: goldfish: pipe: Rename the init function (add "v2") rkir
2018-09-14 17:51 ` [PATCH 16/21] platform: goldfish: pipe: Call misc_deregister if init fails rkir
2018-09-14 17:51 ` [PATCH 17/21] platform: goldfish: pipe: Add a dedicated constant for the device name rkir
2018-09-14 17:51 ` [PATCH 18/21] platform: goldfish: pipe: Rename PIPE_REG to PIPE_V2_REG rkir
2018-09-14 17:51 ` [PATCH 19/21] platform: goldfish: pipe: Add the goldfish_pipe_v1 driver rkir
2018-09-14 17:51 ` [PATCH 20/21] platform: goldfish: pipe: Remove redundant casting rkir
2018-09-14 17:51 ` [PATCH 21/21] platform: goldfish: pipe: Fix allmodconfig build rkir
2018-09-25 18:28 ` Greg KH
2018-09-26 22:27 ` Roman Kiryanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180914175122.21036-2-rkir@google.com \
--to=rkir@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tkjos@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).