debugfs: fix race in u32_array_read and allocate array at open
u32_array_open() is racy when multiple threads read from a file with a seek position of zero, i.e. when two or more simultaneous reads are occurring after the non-seekable files are created. It is possible that file->private_data is double-freed because the threads races between kfree(file->private-data); and file->private_data = NULL; The fix is to only do format_array_alloc() when the file is opened and free it when it is closed. Note that because the file has always been non-seekable, you can't open it and read it multiple times anyway, so the data has always been generated just once. The difference is that now it is generated at open time rather than at the time of the first read, and that avoids the race. Reported-by: Dave Jones <davej@redhat.com> Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Tested-by: Raghavendra <raghavendra.kt@linux.vnet.ibm.com> Signed-off-by: David Rientjes <rientjes@google.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Родитель
c46de2263f
Коммит
36048853c5
|
@ -526,12 +526,6 @@ struct array_data {
|
|||
u32 elements;
|
||||
};
|
||||
|
||||
static int u32_array_open(struct inode *inode, struct file *file)
|
||||
{
|
||||
file->private_data = NULL;
|
||||
return nonseekable_open(inode, file);
|
||||
}
|
||||
|
||||
static size_t format_array(char *buf, size_t bufsize, const char *fmt,
|
||||
u32 *array, u32 array_size)
|
||||
{
|
||||
|
@ -573,26 +567,21 @@ static char *format_array_alloc(const char *fmt, u32 *array,
|
|||
return ret;
|
||||
}
|
||||
|
||||
static int u32_array_open(struct inode *inode, struct file *file)
|
||||
{
|
||||
struct array_data *data = inode->i_private;
|
||||
|
||||
file->private_data = format_array_alloc("%u", data->array,
|
||||
data->elements);
|
||||
if (!file->private_data)
|
||||
return -ENOMEM;
|
||||
return nonseekable_open(inode, file);
|
||||
}
|
||||
|
||||
static ssize_t u32_array_read(struct file *file, char __user *buf, size_t len,
|
||||
loff_t *ppos)
|
||||
{
|
||||
struct inode *inode = file->f_path.dentry->d_inode;
|
||||
struct array_data *data = inode->i_private;
|
||||
size_t size;
|
||||
|
||||
if (*ppos == 0) {
|
||||
if (file->private_data) {
|
||||
kfree(file->private_data);
|
||||
file->private_data = NULL;
|
||||
}
|
||||
|
||||
file->private_data = format_array_alloc("%u", data->array,
|
||||
data->elements);
|
||||
}
|
||||
|
||||
size = 0;
|
||||
if (file->private_data)
|
||||
size = strlen(file->private_data);
|
||||
size_t size = strlen(file->private_data);
|
||||
|
||||
return simple_read_from_buffer(buf, len, ppos,
|
||||
file->private_data, size);
|
||||
|
|
Загрузка…
Ссылка в новой задаче