
Commit 740a575

Yisheng Xie authored and gregkh committed
staging: android: ashmem: Fix possible deadlock in ashmem_ioctl
ashmem_mutex may create a chain of dependencies like:

CPU0                               CPU1
 mmap syscall                      ioctl syscall
 -> mmap_sem (acquired)            -> ashmem_ioctl
 -> ashmem_mmap                       -> ashmem_mutex (acquired)
    -> ashmem_mutex (try to acquire)  -> copy_from_user
                                         -> mmap_sem (try to acquire)

There is a lock ordering problem between mmap_sem and ashmem_mutex causing a lockdep splat[1] during a syzcaller test. This patch fixes the problem by moving copy_from_user out of ashmem_mutex.

[1] https://www.spinics.net/lists/kernel/msg2733200.html

Fixes: ce8a3a9 (staging: android: ashmem: Fix a race condition in pin ioctls)
Reported-by: syzbot+d7a918a7a8e1c952bc36@syzkaller.appspotmail.com
Signed-off-by: Yisheng Xie <xieyisheng1@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent a42ae59 commit 740a575

1 file changed, +3 -5 lines changed

drivers/staging/android/ashmem.c

Lines changed: 3 additions & 5 deletions
@@ -701,16 +701,14 @@ static int ashmem_pin_unpin(struct ashmem_area *asma, unsigned long cmd,
701701
size_t pgstart, pgend;
702702
int ret = -EINVAL;
703703

704+
if (unlikely(copy_from_user(&pin, p, sizeof(pin))))
705+
return -EFAULT;
706+
704707
mutex_lock(&ashmem_mutex);
705708

706709
if (unlikely(!asma->file))
707710
goto out_unlock;
708711

709-
if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) {
710-
ret = -EFAULT;
711-
goto out_unlock;
712-
}
713-
714712
/* per custom, you can pass zero for len to mean "everything onward" */
715713
if (!pin.len)
716714
pin.len = PAGE_ALIGN(asma->size) - pin.offset;
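Review bot: moving copy_from_user() ahead of mutex_lock(&ashmem_mutex) is the right fix for the inversion, since a page fault inside the copy can take mmap_sem while the mmap path already holds mmap_sem and then waits on ashmem_mutex; but the hunk also changes observable error ordering, which the commit message should mention: a caller passing an unreadable pointer now gets -EFAULT before the `if (unlikely(!asma->file))` check, where it previously got -EINVAL from `int ret = -EINVAL;` via `goto out_unlock`. Keep that `ret = -EINVAL` initialisation, as the `!asma->file` path still depends on it, and note that `pin` is a kernel-stack copy, so reading `pin.len` and `pin.offset` after the lock is taken remains safe against userspace modifying the buffer concurrently.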
