
Commit 740a5759 authored by Yisheng Xie, committed by Greg Kroah-Hartman

staging: android: ashmem: Fix possible deadlock in ashmem_ioctl

ashmem_mutex may create a chain of dependencies like:

CPU0                                    CPU1
 mmap syscall                           ioctl syscall
 -> mmap_sem (acquired)                 -> ashmem_ioctl
 -> ashmem_mmap                            -> ashmem_mutex (acquired)
    -> ashmem_mutex (try to acquire)       -> copy_from_user
                                              -> mmap_sem (try to acquire)

There is a lock ordering problem between mmap_sem and ashmem_mutex causing
a lockdep splat[1] during a syzkaller test. This patch fixes the problem
by moving copy_from_user out of ashmem_mutex.

[1] https://www.spinics.net/lists/kernel/msg2733200.html

Fixes: ce8a3a9e (staging: android: ashmem: Fix a race condition in pin ioctls)
Reported-by: <syzbot+d7a918a7a8e1c952bc36@syzkaller.appspotmail.com>
Signed-off-by: Yisheng Xie <xieyisheng1@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent a42ae590
+3 −5
@@ -701,16 +701,14 @@ static int ashmem_pin_unpin(struct ashmem_area *asma, unsigned long cmd,
	size_t pgstart, pgend;
	int ret = -EINVAL;

	if (unlikely(copy_from_user(&pin, p, sizeof(pin))))
		return -EFAULT;

	mutex_lock(&ashmem_mutex);

	if (unlikely(!asma->file))
		goto out_unlock;

	if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) {
		ret = -EFAULT;
		goto out_unlock;
	}

	/* per custom, you can pass zero for len to mean "everything onward" */
	if (!pin.len)
		pin.len = PAGE_ALIGN(asma->size) - pin.offset;
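Review bot: the precedence of error returns changes in this hunk and the commit message does not say so. With `copy_from_user(&pin, p, sizeof(pin))` now executed before `mutex_lock(&ashmem_mutex)`, a bad user pointer yields -EFAULT before the `if (unlikely(!asma->file))` check is ever reached, whereas previously a region with no backing file returned -EINVAL regardless of the pointer. That is a minor ABI nuance for this ioctl, but one sentence in the log would save the next reader from wondering whether it was intended. The fix itself is sound as a deadlock repair: `pin` is a stack-local struct, so copying it in before taking the mutex exposes no shared state and removes the only place where mmap_sem could be taken while ashmem_mutex was held; `ret = -EINVAL` is still consumed by the `goto out_unlock` in the `!asma->file` bail-out, so the early initialisation remains necessary.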