platform: goldfish: pipe: Prevent memory corruption from several threads writing...

Move the "pages" buffer into "struct goldfish_pipe". Since we are
locking the mutex on the pipe in transfer_max_buffers, other threads
willnot be able to write into it, but other pipe instances could be
served because they have its own buffer.

Signed-off-by: Roman Kiryanov <rkir@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/platform/goldfish/goldfish_pipe.c b/drivers/platform/goldfish/goldfish_pipe.c
index b4a484b..6ae2b00 100644 (file)
--- a/drivers/platform/goldfish/goldfish_pipe.c
+++ b/drivers/platform/goldfish/goldfish_pipe.c
@@ -163,6 +163,9 @@ struct goldfish_pipe {
 
        /* Pointer to the parent goldfish_pipe_dev instance */
        struct goldfish_pipe_dev *dev;
+
+       /* A buffer of pages, too large to fit into a stack frame */
+       struct page *pages[MAX_BUFFERS_PER_COMMAND];
 };
 
 /* The global driver data. Holds a reference to the i/o page used to
@@ -340,21 +343,23 @@ static int transfer_max_buffers(struct goldfish_pipe *pipe,
                                s32 *consumed_size,
                                int *status)
 {
-       static struct page *pages[MAX_BUFFERS_PER_COMMAND];
        unsigned long first_page = address & PAGE_MASK;
        unsigned int iter_last_page_size;
-       int pages_count = pin_user_pages(first_page, last_page,
-                                        last_page_size, is_write,
-                                        pages, &iter_last_page_size);
-
-       if (pages_count < 0)
-               return pages_count;
+       int pages_count;
 
        /* Serialize access to the pipe command buffers */
        if (mutex_lock_interruptible(&pipe->lock))
                return -ERESTARTSYS;
 
-       populate_rw_params(pages, pages_count, address, address_end,
+       pages_count = pin_user_pages(first_page, last_page,
+                                    last_page_size, is_write,
+                                    pipe->pages, &iter_last_page_size);
+       if (pages_count < 0) {
+               mutex_unlock(&pipe->lock);
+               return pages_count;
+       }
+
+       populate_rw_params(pipe->pages, pages_count, address, address_end,
                           first_page, last_page, iter_last_page_size, is_write,
                           pipe->command_buffer);
 
@@ -364,10 +369,9 @@ static int transfer_max_buffers(struct goldfish_pipe *pipe,
 
        *consumed_size = pipe->command_buffer->rw_params.consumed_size;
 
-       release_user_pages(pages, pages_count, is_write, *consumed_size);
+       release_user_pages(pipe->pages, pages_count, is_write, *consumed_size);
 
        mutex_unlock(&pipe->lock);
-
        return 0;
 }