linux/drivers/staging
Ian Abbott 4b18f08be0 staging: comedi: fix a race between do_cmd_ioctl() and read/write
`do_cmd_ioctl()` is called with the comedi device's mutex locked to
process the `COMEDI_CMD` ioctl to set up comedi's asynchronous command
handling on a comedi subdevice.  `comedi_read()` and `comedi_write()`
are the `read` and `write` handlers for the comedi device, but do not
lock the mutex (for performance reasons, as some things can hold the
mutex for quite a long time).

There is a race condition if `comedi_read()` or `comedi_write()` is
running at the same time and for the same file object and comedi
subdevice as `do_cmd_ioctl()`.  `do_cmd_ioctl()` sets the subdevice's
`busy` pointer to the file object way before it sets the `SRF_RUNNING` flag
in the subdevice's `runflags` member.  `comedi_read()` and
`comedi_write()` check the subdevice's `busy` pointer is pointing to the
current file object, then if the `SRF_RUNNING` flag is not set, will call
`do_become_nonbusy()` to shut down the asynchronous command.  Bad things
can happen if the asynchronous command is being shut down and set up at
the same time.

To prevent the race, don't set the `busy` pointer until
after the `SRF_RUNNING` flag has been set.  Also, make sure the mutex is
held in `comedi_read()` and `comedi_write()` while calling
`do_become_nonbusy()` in order to avoid moving the race condition to a
point within that function.

Change some error handling `goto cleanup` statements in `do_cmd_ioctl()`
to simple `return -ERRFOO` statements as a result of changing when the
`busy` pointer is set.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-23 14:30:54 -07:00
..
android Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
asus_oled
bcm
btmtk_usb
ced1401
comedi staging: comedi: fix a race between do_cmd_ioctl() and read/write 2013-07-23 14:30:54 -07:00
cptm1217
crystalhd
cxt1e1
dgrp drivers: avoid format string in dev_set_name 2013-07-03 16:07:41 -07:00
dwc2 staging: dwc2: fix thinko in dwc2_hc_set_even_odd_frame() 2013-06-24 15:56:10 -07:00
echo
et131x
frontier staging: frontier: Fix typo in staging/frontier 2013-06-24 15:56:09 -07:00
ft1000 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2013-07-09 18:24:39 -07:00
fwserial IEEE 1394 (FireWire) subsystem changes post v3.10: 2013-07-10 11:02:58 -07:00
gdm72xx
goldfish
iio iio staging: fix lis3l02dq, read error handling 2013-07-09 22:11:53 +01:00
imx-drm Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2013-07-09 16:04:31 -07:00
keucr staging: keucr: removed unnecessary variables and comments 2013-06-17 14:46:18 -07:00
line6 staging: line6: Fix unlocked snd_pcm_stop() call 2013-07-15 21:25:14 +02:00
lustre mode_t whack-a-mole... 2013-07-06 23:04:23 +04:00
media Merge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media 2013-07-13 12:09:57 -07:00
netlogic staging: netlogic: Fix typo in staging/netlogic 2013-06-24 15:56:09 -07:00
nvec staging: nvec: move device tree parsing to its own function 2013-06-24 15:59:03 -07:00
octeon MIPS: OCTEON: Rename Kconfig CAVIUM_OCTEON_REFERENCE_BOARD to CAVIUM_OCTEON_SOC 2013-06-10 18:01:25 +02:00
octeon-usb staging: octeon-usb: octeon-hcd: eliminate printk()s 2013-06-18 11:17:04 -07:00
olpc_dcon
ozwpan staging: ozwpan: remove event tracing code. 2013-06-17 14:48:12 -07:00
panel
phison
quickstart
rtl8187se staging/rtl8187se: Convert __list_for_each use to list_for_each 2013-06-18 11:22:58 -07:00
rtl8192e
rtl8192u Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2013-07-09 18:24:39 -07:00
rtl8712 drivers: avoid parsing names as kthread_run() format strings 2013-07-03 16:07:41 -07:00
rts5139
sb105x
sbe-2t3e3
sep
serqt_usb2 Staging tree merge for 3.11-rc1 2013-07-02 11:40:23 -07:00
silicom Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2013-07-09 18:24:39 -07:00
slicoss
sm7xxfb
speakup
ste_rmi4
tidspbridge clean up scary strncpy(dst, src, strlen(src)) uses 2013-07-03 16:07:41 -07:00
usbip
vme
vt6655 Staging: vt6655: aes_ccmp: fixed a brace coding style 2013-06-24 15:57:40 -07:00
vt6656 staging: vt6656: mac.c MACvDisableKeyEntry remove dead code wOffset 2013-06-17 14:55:32 -07:00
winbond
wlags49_h2
wlags49_h25
wlan-ng
xgifb
zcache
zram zram: allow request end to coincide with disksize 2013-06-24 16:08:32 -07:00
zsmalloc
Kconfig staging: csr: remove driver 2013-07-16 22:37:09 -07:00
Makefile staging: csr: remove driver 2013-07-16 22:37:09 -07:00
staging.c