On 10/14/13 16:09, Lars-Peter Clausen wrote:
> It is possible for userspace to concurrently access the buffer from multiple
> threads or processes. To avoid corruption of the internal state of the buffer we
> need to add proper locking. It is possible for multiple processes to try to read
> from the buffer concurrently and it is also possible that one process causes a
> buffer re-allocation while a different process still access the buffer. Both can
> be fixed by protecting the calls to kfifo_to_user() and kfifo_alloc() by the
> same mutex. In iio_read_first_n_kfifo() we also use kfifo_recsize() instead of
> the buffers bytes_per_datum to avoid a race that can happen if bytes_per_datum
> has been changed, but the buffer has not been reallocated yet.
>
> Note that all access to the buffer from within the kernel is already properly
> synchronized, so there is no need for extra locking in iio_store_to_kfifo().
>
> Signed-off-by: Lars-Peter Clausen <lars@xxxxxxxxxx>
One nitpick.
Amazing number of errors due to my having not thought all of this
stuff through thoroughly enough. Oops and thanks for clearing it up!
Jonathan
> ---
> drivers/iio/kfifo_buf.c | 21 ++++++++++++++++-----
> 1 file changed, 16 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/iio/kfifo_buf.c b/drivers/iio/kfifo_buf.c
> index b4ac55a..b7f4617 100644
> --- a/drivers/iio/kfifo_buf.c
> +++ b/drivers/iio/kfifo_buf.c
> @@ -12,6 +12,7 @@
> struct iio_kfifo {
> struct iio_buffer buffer;
> struct kfifo kf;
> + struct mutex user_lock;
> int update_needed;
> };
>
> @@ -34,10 +35,12 @@ static int iio_request_update_kfifo(struct iio_buffer *r)
>
> if (!buf->update_needed)
> goto error_ret;
> + mutex_lock(&buf->user_lock);
> kfifo_free(&buf->kf);
> ret = __iio_allocate_kfifo(buf, buf->buffer.bytes_per_datum,
> buf->buffer.length);
> r->stufftoread = false;
> + mutex_unlock(&buf->user_lock);
> error_ret:
> return ret;
> }
> @@ -114,12 +117,13 @@ static int iio_read_first_n_kfifo(struct iio_buffer *r,
> int ret, copied;
> struct iio_kfifo *kf = iio_to_kfifo(r);
>
> - if (n < r->bytes_per_datum || r->bytes_per_datum == 0)
> - return -EINVAL;
> + if (mutex_lock_interruptible(&kf->user_lock))
> + return -ERESTARTSYS;
>
> - ret = kfifo_to_user(&kf->kf, buf, n, &copied);
> - if (ret < 0)
> - return ret;
> + if (!kfifo_initialized(&kf->kf) || n < kfifo_esize(&kf->kf))
> + ret = -EINVAL;
> + else
> + ret = kfifo_to_user(&kf->kf, buf, n, &copied);
>
> if (kfifo_is_empty(&kf->kf))
> r->stufftoread = false;
> @@ -127,11 +131,17 @@ static int iio_read_first_n_kfifo(struct iio_buffer *r,
> if (!kfifo_is_empty(&kf->kf))
> r->stufftoread = true;
>
> + mutex_unlock(&kf->user_lock);
> + if (ret < 0)
> + return ret;
> +
> return copied;
> }
>
> static void iio_kfifo_buffer_release(struct iio_buffer *buffer)
> {
> + struct iio_kfifo *kf = iio_to_kfifo(buffer);
> + mutex_destroy(&kf->user_lock);
> kfree(iio_to_kfifo(buffer));
Given you have the pointer passed to this kfree available, would be
nice to use it for that as well.
> }
>
> @@ -158,6 +168,7 @@ struct iio_buffer *iio_kfifo_allocate(struct iio_dev *indio_dev)
> kf->buffer.attrs = &iio_kfifo_attribute_group;
> kf->buffer.access = &kfifo_access_funcs;
> kf->buffer.length = 2;
> + mutex_init(&kf->user_lock);
> return &kf->buffer;
> }
> EXPORT_SYMBOL(iio_kfifo_allocate);
>
--
To unsubscribe from this list: send the line "unsubscribe linux-iio" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
