mirror of
https://github.com/torvalds/linux.git
synced 2024-12-12 14:12:51 +00:00
e5834d620d
Problem:
There exists a path in ashmem driver that could lead to acquistion
of mm->mmap_sem, ashmem_mutex in reverse order. This could lead
to deadlock in the system.
For Example, assume that mmap is called on a ashmem region
in the context of a thread say T1.
sys_mmap_pgoff (1. acquires mm->mmap_sem)
|
--> mmap_region
|
----> ashmem_mmap (2. acquires asmem_mutex)
Now if there is a context switch after 1 and before 2,
and if another thread T2 (that shares the mm struct) invokes an
ioctl say ASHMEM_GET_NAME, this can lead to the following path
ashmem_ioctl
|
-->get_name (3. acquires ashmem_mutex)
|
---> copy_to_user (4. acquires the mm->mmap_sem)
Note that the copy_to_user could lead to a valid fault if no
physical page is allocated yet for the user address passed.
Now T1 has mmap_sem and is waiting for ashmem_mutex.
and T2 has the ashmem_mutex and is waiting for mmap_sem
Thus leading to deadlock.
Solution:
Do not call copy_to_user or copy_from_user while holding the
ahsmem_mutex. Instead copy this to a local buffer that lives
in the stack while holding this lock. This will maintain data
integrity as well never reverse the lock order.
Testing:
Created a unit test case to reproduce the problem.
Used the same to test this fix on kernel version 3.4.0
Ported the same patch to 3.8
Signed-off-by: Shankar Brahadeeswaran <shankoo77@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|---|---|---|
| .. | ||
| trace | ||
| alarm-dev.c | ||
| android_alarm.h | ||
| ashmem.c | ||
| ashmem.h | ||
| binder_trace.h | ||
| binder.c | ||
| binder.h | ||
| Kconfig | ||
| logger.c | ||
| logger.h | ||
| lowmemorykiller.c | ||
| Makefile | ||
| ram_console.h | ||
| sw_sync.c | ||
| sw_sync.h | ||
| sync.c | ||
| sync.h | ||
| timed_gpio.c | ||
| timed_gpio.h | ||
| timed_output.c | ||
| timed_output.h | ||
| TODO | ||