1 From ecd182cbf4e107928077866399100228d2359c60 Mon Sep 17 00:00:00 2001
2 From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
3 Date: Fri, 22 Feb 2019 20:03:55 +0900
4 Subject: staging: android: ashmem: Avoid range_alloc() allocation with ashmem_mutex held.
5
6 From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
7
8 commit ecd182cbf4e107928077866399100228d2359c60 upstream.
9
10 ashmem_pin() is calling range_shrink() without checking whether
11 range_alloc() succeeded. Also, doing memory allocation with ashmem_mutex
12 held should be avoided because ashmem_shrink_scan() tries to hold it.
13
14 Therefore, move memory allocation for range_alloc() to ashmem_pin_unpin()
15 and make range_alloc() not fail.
16
17 This patch is mostly meant for backporting purpose for fuzz testing on
18 stable/distributor kernels, for there is a plan to remove this code in
19 near future.
20
21 Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
22 Cc: stable@vger.kernel.org
23 Reviewed-by: Joel Fernandes <joel@joelfernandes.org>
24 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
25
26 ---
27 drivers/staging/android/ashmem.c | 42 ++++++++++++++++++++++-----------------
28 1 file changed, 24 insertions(+), 18 deletions(-)
29
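--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -171,19 +171,15 @@ static inline void lru_del(struct ashmem
 * @end: The ending page (inclusive)
 *
 * This function is protected by ashmem_mutex.
- *
- * Return: 0 if successful, or -ENOMEM if there is an error
 */
-static int range_alloc(struct ashmem_area *asma,
- struct ashmem_range *prev_range, unsigned int purged,
- size_t start, size_t end)
+static void range_alloc(struct ashmem_area *asma,
+ struct ashmem_range *prev_range, unsigned int purged,
+ size_t start, size_t end,
+ struct ashmem_range **new_range)
 {
- struct ashmem_range *range;
-
- range = kmem_cache_zalloc(ashmem_range_cachep, GFP_KERNEL);
- if (!range)
- return -ENOMEM;
+ struct ashmem_range *range = *new_range;
 
+ *new_range = NULL;
 range->asma = asma;
 range->pgstart = start;
 range->pgend = end;
@@ -193,8 +189,6 @@ static int range_alloc(struct ashmem_are
 
 if (range_on_lru(range))
 lru_add(range);
-
- return 0;
 }
 
 /**
@@ -596,7 +590,8 @@ static int get_name(struct ashmem_area *
 *
 * Caller must hold ashmem_mutex.
 */
-static int ashmem_pin(struct ashmem_area *asma, size_t pgstart, size_t pgend)
+static int ashmem_pin(struct ashmem_area *asma, size_t pgstart, size_t pgend,
+ struct ashmem_range **new_range)
 {
 struct ashmem_range *range, *next;
 int ret = ASHMEM_NOT_PURGED;
@@ -649,7 +644,7 @@ static int ashmem_pin(struct ashmem_area
 * second half and adjust the first chunk's endpoint.
 */
 range_alloc(asma, range, range->purged,
- pgend + 1, range->pgend);
+ pgend + 1, range->pgend, new_range);
 range_shrink(range, range->pgstart, pgstart - 1);
 break;
 }
@@ -663,7 +658,8 @@ static int ashmem_pin(struct ashmem_area
 *
 * Caller must hold ashmem_mutex.
 */
-static int ashmem_unpin(struct ashmem_area *asma, size_t pgstart, size_t pgend)
+static int ashmem_unpin(struct ashmem_area *asma, size_t pgstart, size_t pgend,
+ struct ashmem_range **new_range)
 {
 struct ashmem_range *range, *next;
 unsigned int purged = ASHMEM_NOT_PURGED;
@@ -689,7 +685,8 @@ restart:
 }
 }
 
- return range_alloc(asma, range, purged, pgstart, pgend);
+ range_alloc(asma, range, purged, pgstart, pgend, new_range);
+ return 0;
 }
 
 /*
@@ -722,10 +719,17 @@ static int ashmem_pin_unpin(struct ashme
 struct ashmem_pin pin;
 size_t pgstart, pgend;
 int ret = -EINVAL;
+ struct ashmem_range *range = NULL;
 
 if (copy_from_user(&pin, p, sizeof(pin)))
 return -EFAULT;
 
+ if (cmd == ASHMEM_PIN || cmd == ASHMEM_UNPIN) {
+ range = kmem_cache_zalloc(ashmem_range_cachep, GFP_KERNEL);
+ if (!range)
+ return -ENOMEM;
+ }
+
 mutex_lock(&ashmem_mutex);
 wait_event(ashmem_shrink_wait, !atomic_read(&ashmem_shrink_inflight));
 
@@ -750,10 +754,10 @@ static int ashmem_pin_unpin(struct ashme
 
 switch (cmd) {
 case ASHMEM_PIN:
- ret = ashmem_pin(asma, pgstart, pgend);
+ ret = ashmem_pin(asma, pgstart, pgend, &range);
 break;
 case ASHMEM_UNPIN:
- ret = ashmem_unpin(asma, pgstart, pgend);
+ ret = ashmem_unpin(asma, pgstart, pgend, &range);
 break;
 case ASHMEM_GET_PIN_STATUS:
 ret = ashmem_get_pin_status(asma, pgstart, pgend);
@@ -762,6 +766,8 @@ static int ashmem_pin_unpin(struct ashme
 
 out_unlock:
 mutex_unlock(&ashmem_mutex);
+ if (range)
+ kmem_cache_free(ashmem_range_cachep, range);
 
 return ret;
 }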
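Review bot: The kernel-doc comment at the top of the first hunk loses its `Return:` line but gains no entry for the new `new_range` parameter, so the documented contract of range_alloc() no longer matches its signature and kernel-doc will report the parameter as undescribed; the same gap exists for the `new_range` parameter added to ashmem_pin() and ashmem_unpin() in the third and fifth hunks. Suggest adding `* @new_range: Pre-allocated range supplied by the caller; consumed and set to NULL` after the `@end` line, with a matching line on the two callers. Because range_alloc() dereferences `*new_range` without a NULL check, the comment should also state that the caller must pass a non-NULL, zeroed range and that the function is called at most once per allocation — ashmem_pin() breaks out of its loop right after the call and ashmem_unpin() calls it once at its end as far as the hunks show, but the bodies of all three functions extend outside the hunks. Freeing the unconsumed range after mutex_unlock() in the last hunk is consistent with the commit's aim of keeping allocator calls out of the locked region; a short comment such as `/* not consumed by range_alloc(): free outside ashmem_mutex */` would make that intent explicit.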