Commit 0894d80d authored by Lars-Peter Clausen's avatar Lars-Peter Clausen Committed by Jonathan Cameron
Browse files

iio:kfifo: Protect against concurrent access from userspace 



It is possible for userspace to concurrently access the buffer from multiple
threads or processes. To avoid corruption of the internal state of the buffer we
need to add proper locking. It is possible for multiple processes to try to read
from the buffer concurrently and it is also possible that one process causes a
buffer re-allocation while a different process still access the buffer. Both can
be fixed by protecting the calls to kfifo_to_user() and kfifo_alloc() by the
same mutex. In iio_read_first_n_kfifo() we also use kfifo_recsize() instead of
the buffers bytes_per_datum to avoid a race that can happen if bytes_per_datum
has been changed, but the buffer has not been reallocated yet.

Note that all access to the buffer from within the kernel is already properly
synchronized, so there is no need for extra locking in iio_store_to_kfifo().

Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
parent f6c23f48

drivers/iio/kfifo_buf.c

+15 −5
Original line number Diff line number Diff line
@@ -12,6 +12,7 @@ 
struct iio_kfifo {

	struct iio_buffer buffer;

	struct kfifo kf;

	struct mutex user_lock;

	int update_needed;

};
@@ -34,10 +35,12 @@ static int iio_request_update_kfifo(struct iio_buffer *r) 


	if (!buf->update_needed)

		goto error_ret;

	mutex_lock(&buf->user_lock);

	kfifo_free(&buf->kf);

	ret = __iio_allocate_kfifo(buf, buf->buffer.bytes_per_datum,

				   buf->buffer.length);

	r->stufftoread = false;

	mutex_unlock(&buf->user_lock);

error_ret:

	return ret;

}
@@ -114,12 +117,13 @@ static int iio_read_first_n_kfifo(struct iio_buffer *r, 
	int ret, copied;

	struct iio_kfifo *kf = iio_to_kfifo(r);



	if (n < r->bytes_per_datum || r->bytes_per_datum == 0)

		return -EINVAL;

	if (mutex_lock_interruptible(&kf->user_lock))

		return -ERESTARTSYS;



	if (!kfifo_initialized(&kf->kf) || n < kfifo_esize(&kf->kf))

		ret = -EINVAL;

	else

		ret = kfifo_to_user(&kf->kf, buf, n, &copied);

	if (ret < 0)

		return ret;



	if (kfifo_is_empty(&kf->kf))

		r->stufftoread = false;
@@ -127,6 +131,10 @@ static int iio_read_first_n_kfifo(struct iio_buffer *r, 
	if (!kfifo_is_empty(&kf->kf))

		r->stufftoread = true;



	mutex_unlock(&kf->user_lock);

	if (ret < 0)

		return ret;



	return copied;

}
@@ -134,6 +142,7 @@ static void iio_kfifo_buffer_release(struct iio_buffer *buffer) 
{

	struct iio_kfifo *kf = iio_to_kfifo(buffer);



	mutex_destroy(&kf->user_lock);

	kfifo_free(&kf->kf);

	kfree(kf);

}
@@ -161,6 +170,7 @@ struct iio_buffer *iio_kfifo_allocate(struct iio_dev *indio_dev) 
	kf->buffer.attrs = &iio_kfifo_attribute_group;

	kf->buffer.access = &kfifo_access_funcs;

	kf->buffer.length = 2;

	mutex_init(&kf->user_lock);

	return &kf->buffer;

}

EXPORT_SYMBOL(iio_kfifo_allocate);

CRA Git | Maintained and supported by SUSTech CRA and CCSE