From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Tetsuo Handa, Joel Fernandes
Subject: [PATCH 5.0 16/46] staging: android: ashmem: Avoid range_alloc() allocation with ashmem_mutex held.
Date: Fri, 8 Mar 2019 13:49:49 +0100
Message-Id: <20190308124903.294691449@linuxfoundation.org>
In-Reply-To: <20190308124902.257040783@linuxfoundation.org>
References: <20190308124902.257040783@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

5.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Tetsuo Handa

commit ecd182cbf4e107928077866399100228d2359c60 upstream.

ashmem_pin() is calling range_shrink() without checking whether
range_alloc() succeeded. Also, doing memory allocation with ashmem_mutex
held should be avoided because ashmem_shrink_scan() tries to hold it.
Therefore, move memory allocation for range_alloc() to ashmem_pin_unpin()
and make range_alloc() not fail.

This patch is mostly meant for backporting purposes for fuzz testing on
stable/distributor kernels, for there is a plan to remove this code in the
near future.

Signed-off-by: Tetsuo Handa
Cc: stable@vger.kernel.org
Reviewed-by: Joel Fernandes
Signed-off-by: Greg Kroah-Hartman
---
 drivers/staging/android/ashmem.c |   42 ++++++++++++++++++++++-----------------
 1 file changed, 24 insertions(+), 18 deletions(-)

--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -171,19 +171,15 @@ static inline void lru_del(struct ashmem * @end: The ending page (inclusive) * * This function is protected by ashmem_mutex. - * - * Return: 0 if successful, or -ENOMEM if there is an error */ -static int range_alloc(struct ashmem_area *asma, - struct ashmem_range *prev_range, unsigned int purged, - size_t start, size_t end) +static void range_alloc(struct ashmem_area *asma, + struct ashmem_range *prev_range, unsigned int purged, + size_t start, size_t end, + struct ashmem_range **new_range) { - struct ashmem_range *range; - - range = kmem_cache_zalloc(ashmem_range_cachep, GFP_KERNEL); - if (!range) - return -ENOMEM; + struct ashmem_range *range = *new_range; + *new_range = NULL; range->asma = asma; range->pgstart = start; range->pgend = end; @@ -193,8 +189,6 @@ static int range_alloc(struct ashmem_are if (range_on_lru(range)) lru_add(range); - - return 0; } /** @@ -596,7 +590,8 @@ static int get_name(struct ashmem_area * * * Caller must hold ashmem_mutex. */ -static int ashmem_pin(struct ashmem_area *asma, size_t pgstart, size_t pgend) +static int ashmem_pin(struct ashmem_area *asma, size_t pgstart, size_t pgend, + struct ashmem_range **new_range) { struct ashmem_range *range, *next; int ret = ASHMEM_NOT_PURGED; @@ -649,7 +644,7 @@ static int ashmem_pin(struct ashmem_area * second half and adjust the first chunk's endpoint. */ range_alloc(asma, range, range->purged, - pgend + 1, range->pgend); + pgend + 1, range->pgend, new_range); range_shrink(range, range->pgstart, pgstart - 1); break; } @@ -663,7 +658,8 @@ static int ashmem_pin(struct ashmem_area * * Caller must hold ashmem_mutex. */ -static int ashmem_unpin(struct ashmem_area *asma, size_t pgstart, size_t pgend) +static int ashmem_unpin(struct ashmem_area *asma, size_t pgstart, size_t pgend, + struct ashmem_range **new_range) { struct ashmem_range *range, *next; unsigned int purged = ASHMEM_NOT_PURGED; 
@@ -689,7 +685,8 @@ restart: } } - return range_alloc(asma, range, purged, pgstart, pgend); + range_alloc(asma, range, purged, pgstart, pgend, new_range); + return 0; } /* @@ -722,10 +719,17 @@ static int ashmem_pin_unpin(struct ashme struct ashmem_pin pin; size_t pgstart, pgend; int ret = -EINVAL; + struct ashmem_range *range = NULL; if (copy_from_user(&pin, p, sizeof(pin))) return -EFAULT; + if (cmd == ASHMEM_PIN || cmd == ASHMEM_UNPIN) { + range = kmem_cache_zalloc(ashmem_range_cachep, GFP_KERNEL); + if (!range) + return -ENOMEM; + } + mutex_lock(&ashmem_mutex); wait_event(ashmem_shrink_wait, !atomic_read(&ashmem_shrink_inflight)); @@ -750,10 +754,10 @@ static int ashmem_pin_unpin(struct ashme switch (cmd) { case ASHMEM_PIN: - ret = ashmem_pin(asma, pgstart, pgend); + ret = ashmem_pin(asma, pgstart, pgend, &range); break; case ASHMEM_UNPIN: - ret = ashmem_unpin(asma, pgstart, pgend); + ret = ashmem_unpin(asma, pgstart, pgend, &range); break; case ASHMEM_GET_PIN_STATUS: ret = ashmem_get_pin_status(asma, pgstart, pgend); @@ -762,6 +766,8 @@ static int ashmem_pin_unpin(struct ashme out_unlock: mutex_unlock(&ashmem_mutex); + if (range) + kmem_cache_free(ashmem_range_cachep, range); return ret; }
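Review bot: in the @@ -171,19 +171,15 @@ hunk the kernel-doc block loses its "Return:" line but gains no entry for the new @new_range parameter, and range_alloc() now dereferences *new_range without a NULL check, so the contract should be spelled out next to the other @-lines, e.g. " * @new_range: Preallocated range supplied by the caller; consumed and set to NULL". It is also worth stating that the same pointer may be passed to range_alloc() at most once per ioctl, since a second call would dereference the NULL left behind by the first; the single preallocation in ashmem_pin_unpin() relies on exactly that.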
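Review bot: in the @@ -649,7 +644,7 @@ hunk the range_shrink() immediately after range_alloc() is correct only because range_alloc() can no longer fail; with the old signature a failed allocation here still shrank the original range and lost tracking of the tail pages pgend + 1 .. range->pgend, which is the unchecked-return bug the commit message describes. A short comment above the call saying that the tail range comes from the caller's preallocated *new_range would keep a later change from reintroducing an unchecked allocation at this spot.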
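Review bot: in the @@ -722,10 +719,17 @@ hunk the new kmem_cache_zalloc() runs before mutex_lock() but the object is only released at out_unlock (last hunk), so any direct return between the allocation and out_unlock would leak the preallocated range; the range checks that follow wait_event() are outside this hunk, so please confirm every failure path after the allocation reaches out_unlock rather than returning. Allocating before the mutex is the point of the change, and doing it after copy_from_user() but before the request is validated is acceptable, it just means a malformed pin request costs one alloc/free pair.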
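Review bot: in the @@ -762,6 +766,8 @@ hunk the "if (range)" guard is what distinguishes a range consumed by range_alloc() (which sets *new_range to NULL) from one that went unused, e.g. on an early goto out_unlock or when ashmem_pin() found no range to split, so the guard must stay and deserves a one-line comment; freeing after mutex_unlock() is consistent with the goal of keeping allocator calls out of the section that ashmem_shrink_scan() contends on.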