From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Greg Kroah-Hartman", "Pete Zaitcev"
Date: Wed, 28 Feb 2018 15:20:18 +0000
Subject: [PATCH 3.16 190/254] USB: fix usbmon BUG trigger

3.16.55-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Pete Zaitcev

commit 46eb14a6e1585d99c1b9f58d0e7389082a5f466b upstream.

Automated tests triggered this by opening usbmon and accessing the mmap while simultaneously resizing the buffers. This bug was with us since 2006, because typically applications only size the buffers once and thus avoid racing. Reported by Kirill A. Shutemov.

Reported-by:
Signed-off-by: Pete Zaitcev
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings

--- drivers/usb/mon/mon_bin.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/drivers/usb/mon/mon_bin.c +++ b/drivers/usb/mon/mon_bin.c @@ -1000,7 +1000,9 @@ static long mon_bin_ioctl(struct file *f break; case MON_IOCQ_RING_SIZE: + mutex_lock(&rp->fetch_lock); ret = rp->b_size; + mutex_unlock(&rp->fetch_lock); break; case MON_IOCT_RING_SIZE: @@ -1227,12 +1229,16 @@ static int mon_bin_vma_fault(struct vm_a unsigned long offset, chunk_idx; struct page *pageptr; + mutex_lock(&rp->fetch_lock); offset = vmf->pgoff << PAGE_SHIFT; - if (offset >= rp->b_size) + if (offset >= rp->b_size) { + mutex_unlock(&rp->fetch_lock); return VM_FAULT_SIGBUS; + } chunk_idx = offset / CHUNK_SIZE; pageptr = rp->b_vec[chunk_idx].pg; get_page(pageptr); + mutex_unlock(&rp->fetch_lock); vmf->page = pageptr; return 0; }
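Review bot: in the MON_IOCQ_RING_SIZE case of mon_bin_ioctl, the mutex is held only around the single read `ret = rp->b_size;`, so the value handed back to user space can already be stale once `mutex_unlock(&rp->fetch_lock)` runs. That is acceptable for a size query, but nothing in the hunk says why a plain read needs fetch_lock at all. A one-line comment stating that the lock keeps the read from overlapping a concurrent resize (assuming the MON_IOCT_RING_SIZE path, which is not shown here, updates b_size under the same mutex) would stop a later cleanup from removing it as redundant.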
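Review bot: in mon_bin_vma_fault the early-return branch `if (offset >= rp->b_size) {` now carries its own `mutex_unlock(&rp->fetch_lock)`, giving the function two unlock sites. A single exit (set a return value, jump to one unlock) would make it harder for a later edit to add a return path that leaves fetch_lock held. The ordering that matters is correct as written: the bounds check, the `rp->b_vec[chunk_idx].pg` lookup and `get_page(pageptr)` all happen before the unlock, so the page reference is taken while b_size and b_vec are consistent with each other, and assigning `vmf->page` after the unlock is fine because the reference is already held. Minor: `offset = vmf->pgoff << PAGE_SHIFT;` does not touch rp and could be computed before taking the lock.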