Hi Greg,
On 01/21/2019 12:51 PM, gregkh@linuxfoundation.org wrote:
This is a note to let you know that I've just added the patch titled
media: vb2: vb2_mmap: move lock upto the 4.20-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...
The filename of the patch is: media-vb2-vb2_mmap-move-lock-up.patch and it can be found in the queue-4.20 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree, please let stable@vger.kernel.org know about it.
This patch must be combined with a backport of c06ef2e9acef4cda1feee2ce055b8086e33d251a (media: vb2: be sure to unlock mutex on errors), which fixes a bug introduced by this patch.
It's true for all backports (3.18, 4.9, 4.14, 4.19).
Regards,
Hans
From cd26d1c4d1bc947b56ae404998ae2276df7b39b7 Mon Sep 17 00:00:00 2001 From: Hans Verkuil hverkuil@xs4all.nl Date: Tue, 13 Nov 2018 09:06:46 -0500 Subject: media: vb2: vb2_mmap: move lock up
From: Hans Verkuil hverkuil@xs4all.nl
commit cd26d1c4d1bc947b56ae404998ae2276df7b39b7 upstream.
If a filehandle is dup()ped, then it is possible to close it from one fd and call mmap from the other. This creates a race condition in vb2_mmap where it is using queue data that __vb2_queue_free (called from close()) is in the process of releasing.
By moving up the mutex_lock(mmap_lock) in vb2_mmap this race is avoided since __vb2_queue_free is called with the same mutex locked. So vb2_mmap now reads consistent buffer data.
Signed-off-by: Hans Verkuil hverkuil@xs4all.nl Reported-by: syzbot+be93025dd45dccd8923c@syzkaller.appspotmail.com Signed-off-by: Hans Verkuil hansverk@cisco.com Signed-off-by: Mauro Carvalho Chehab mchehab+samsung@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
drivers/media/common/videobuf2/videobuf2-core.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-)
--- a/drivers/media/common/videobuf2/videobuf2-core.c +++ b/drivers/media/common/videobuf2/videobuf2-core.c @@ -2146,9 +2146,13 @@ int vb2_mmap(struct vb2_queue *q, struct return -EINVAL; } }
- mutex_lock(&q->mmap_lock);
- if (vb2_fileio_is_active(q)) { dprintk(1, "mmap: file io in progress\n");
return -EBUSY;
ret = -EBUSY;goto unlock;/* @@ -2156,7 +2160,7 @@ int vb2_mmap(struct vb2_queue *q, struct */ ret = __find_plane_by_offset(q, off, &buffer, &plane); if (ret)
return ret;
goto unlock;vb = q->bufs[buffer]; @@ -2172,8 +2176,9 @@ int vb2_mmap(struct vb2_queue *q, struct return -EINVAL; }
- mutex_lock(&q->mmap_lock); ret = call_memop(vb, mmap, vb->planes[plane].mem_priv, vma);
+unlock: mutex_unlock(&q->mmap_lock); if (ret) return ret;
Patches currently in stable-queue which might be from hverkuil@xs4all.nl are
queue-4.20/media-vb2-vb2_mmap-move-lock-up.patch queue-4.20/media-vim2m-only-cancel-work-if-it-is-for-right-context.patch
On Mon, Jan 21, 2019 at 02:42:49PM +0100, Hans Verkuil wrote:
Hi Greg,
On 01/21/2019 12:51 PM, gregkh@linuxfoundation.org wrote:
This is a note to let you know that I've just added the patch titled
media: vb2: vb2_mmap: move lock upto the 4.20-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...
The filename of the patch is: media-vb2-vb2_mmap-move-lock-up.patch and it can be found in the queue-4.20 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree, please let stable@vger.kernel.org know about it.
This patch must be combined with a backport of c06ef2e9acef4cda1feee2ce055b8086e33d251a (media: vb2: be sure to unlock mutex on errors), which fixes a bug introduced by this patch.
It's true for all backports (3.18, 4.9, 4.14, 4.19).
Thanks for letting me know, it's now queued up.
greg k-h
linux-stable-mirror@lists.linaro.org
-
Greg KH -
Hans Verkuil