
Commit 32ba885e authored by Mitchel Humpherys, committed by Sarangdhar Joshi

arm64: app_setting: Fix race on the count variable



Currently `count' is being incremented with a postfix ++ in the same
statement as the assignment of the array element that the old count
value indexes.  This is a problem for two reasons:

  (1) C doesn't guarantee that the count happens after the
      store. Postfix ++ yields a copy of the old value of the variable
      before it was incremented.  The actual incrementing of the
      variable could happen at any time before the end of the
      statement (possibly before the assignment).

  (2) Even if we fix (1) by pulling the increment out, ARM doesn't
      guarantee that the instructions won't be re-ordered.  The
      instructions could be re-ordered such that the count update
      happens before the store.

Therefore, there could be a race where count has already been
incremented but the new array element hasn't yet been updated.  Fix this
by pulling the increment out of the array index, and placing a memory
barrier between the array update and the increment.

CRs-Fixed: 997757
Change-Id: Iaccba6b5bb33ce8fa720811651692a6114deaf3a
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
parent 5a643f57
+7 −1
@@ -70,7 +70,13 @@ static int set_name(const char *str, struct kernel_param *kp)

	mutex_lock(&mutex);
	if (count < MAX_ENTRIES) {
		lib_names[count++] = name;
		lib_names[count] = name;
		/*
		 * mb to ensure that the new lib_names entry is present
		 * before updating the view presented by get_lib_names
		 */
		mb();
		count++;
	} else {
		pr_err("app_setting: set name failed. Max entries reached\n");
		mutex_unlock(&mutex);
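
Review bot: The `mb();` placed before `count++;` in set_name only orders the writer's two stores, and the new comment names get_lib_names as the consumer without saying what barrier on that side pairs with this one. A reader that loads count and then indexes lib_names needs its own read barrier between those two loads, otherwise it can still see the new count with a stale slot on a weakly ordered CPU; the hunk does not show that side, so please confirm it exists and extend the comment to name the pairing (for example "pairs with the read barrier in get_lib_names"). Since writers are already serialized by `mutex_lock(&mutex);` and only store-to-store ordering is required here, smp_wmb() would be sufficient and documents the intent more precisely than a full mb().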