From patchwork Mon Nov 3 16:17:49 2008 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Geert Uytterhoeven X-Patchwork-Id: 7481 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from bombadil.infradead.org (bombadil.infradead.org [18.85.46.34]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by ozlabs.org (Postfix) with ESMTPS id A5F16DDDFA for ; Thu, 6 Nov 2008 18:47:02 +1100 (EST) Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.68 #1 (Red Hat Linux)) id 1KxzYQ-0004Ai-Nr; Thu, 06 Nov 2008 07:45:22 +0000 Received: from vervifontaine.sonytel.be ([80.88.33.193] helo=vervifontaine.sonycom.com) by bombadil.infradead.org with esmtp (Exim 4.68 #1 (Red Hat Linux)) id 1Kx27q-0006eQ-Aq for linux-mtd@lists.infradead.org; Mon, 03 Nov 2008 16:17:58 +0000 Received: from vixen.sonytel.be (piraat.sonytel.be [43.221.60.197]) by vervifontaine.sonycom.com (Postfix) with ESMTP id 7F3C758ADF; Mon, 3 Nov 2008 17:17:49 +0100 (MET) Date: Mon, 3 Nov 2008 17:17:49 +0100 (CET) From: Geert Uytterhoeven To: David Woodhouse , Richard Purdie Subject: [PATCH] jffs2: Fix race condition in jffs2_lzo_compress() Message-ID: MIME-Version: 1.0 X-Spam-Score: 0.0 (/) X-Mailman-Approved-At: Thu, 06 Nov 2008 02:45:21 -0500 Cc: linux-mtd@lists.infradead.org, Linux Kernel Development X-BeenThere: linux-mtd@lists.infradead.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Linux MTD discussion mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-mtd-bounces@lists.infradead.org Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org deflate_mutex protects the globals lzo_mem and lzo_compress_buf. However, jffs2_lzo_compress() unlocks deflate_mutex _before_ it has copied out the compressed data from lzo_compress_buf. Correct this by moving the mutex unlock after the copy. In addition, document what deflate_mutex actually protects. Signed-off-by: Geert Uytterhoeven --- Just noticed this when looking at the code. The patch is untested, except for a quick compile test. fs/jffs2/compr_lzo.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) With kind regards, Geert Uytterhoeven Software Architect Sony Techsoft Centre Europe The Corporate Village · Da Vincilaan 7-D1 · B-1935 Zaventem · Belgium Phone: +32 (0)2 700 8453 Fax: +32 (0)2 700 8622 E-mail: Geert.Uytterhoeven@sonycom.com Internet: http://www.sony-europe.com/ A division of Sony Europe (Belgium) N.V. VAT BE 0413.825.160 · RPR Brussels Fortis · BIC GEBABEBB · IBAN BE41293037680010 --- a/fs/jffs2/compr_lzo.c +++ b/fs/jffs2/compr_lzo.c @@ -19,7 +19,7 @@ static void *lzo_mem; static void *lzo_compress_buf; -static DEFINE_MUTEX(deflate_mutex); +static DEFINE_MUTEX(deflate_mutex); /* for lzo_mem and lzo_compress_buf */ static void free_workspace(void) { @@ -49,18 +49,21 @@ static int jffs2_lzo_compress(unsigned c mutex_lock(&deflate_mutex); ret = lzo1x_1_compress(data_in, *sourcelen, lzo_compress_buf, &compress_size, lzo_mem); - mutex_unlock(&deflate_mutex); - if (ret != LZO_E_OK) - return -1; + goto fail; if (compress_size > *dstlen) - return -1; + goto fail; memcpy(cpage_out, lzo_compress_buf, compress_size); - *dstlen = compress_size; + mutex_unlock(&deflate_mutex); + *dstlen = compress_size; return 0; + + fail: + mutex_unlock(&deflate_mutex); + return -1; } static int jffs2_lzo_decompress(unsigned char *data_in, unsigned char *cpage_out,