From: Andy Isaacson on 15 Jul 2010 13:30 Replace open-coded racy implementation of cmpxchg with the real thing. This bug is probably easy to maliciously trigger from userspace, and I think it will result in memory corruption, but the race window is small so I think it's unlikely to be triggered accidentally. Signed-off-by: Andy Isaacson <adi(a)hexapodia.org> --- kernel/trace/blktrace.c | 14 +++++--------- 1 files changed, 5 insertions(+), 9 deletions(-) diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c index 638711c..347fe8e 100644 --- a/kernel/trace/blktrace.c +++ b/kernel/trace/blktrace.c @@ -511,11 +511,9 @@ int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev, bt->trace_state = Blktrace_setup; ret = -EBUSY; - old_bt = xchg(&q->blk_trace, bt); - if (old_bt) { - (void) xchg(&q->blk_trace, old_bt); + old_bt = cmpxchg(&q->blk_trace, NULL, bt); + if (old_bt) goto err; - } if (atomic_inc_return(&blk_probes_ref) == 1) blk_register_tracepoints(); @@ -1464,12 +1462,10 @@ static int blk_trace_setup_queue(struct request_queue *q, blk_trace_setup_lba(bt, bdev); - old_bt = xchg(&q->blk_trace, bt); - if (old_bt != NULL) { - (void)xchg(&q->blk_trace, old_bt); - ret = -EBUSY; + ret = -EBUSY; + old_bt = cmpxchg(&q->blk_trace, NULL, bt); + if (old_bt) goto free_bt; - } if (atomic_inc_return(&blk_probes_ref) == 1) blk_register_tracepoints(); -- 1.7.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |
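Review bot: in the first hunk (do_blk_trace_setup), old_bt is only tested for non-NULL after the cmpxchg, so the assignment carries nothing beyond the branch condition. If nothing else in the function reads old_bt, drop the local and write `if (cmpxchg(&q->blk_trace, NULL, bt)) goto err;`. The changelog would also be easier to assess if it spelled out the interleaving being closed: with the removed xchg pair, the new bt is briefly published in q->blk_trace before being swapped back out, and the restoring xchg overwrites whatever a concurrent caller stored in between.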
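Review bot: in the second hunk (blk_trace_setup_queue), `ret = -EBUSY;` now runs unconditionally before the cmpxchg, where the removed code assigned it only inside the failure branch. The code after `blk_register_tracepoints();` is not visible in this hunk, so please confirm the success path returns 0 explicitly or resets ret; if it returns ret, a successful setup would now report -EBUSY. As in the first hunk, old_bt is only used as a truth test and can be folded into the condition if it has no other reader.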