Good catch, thanks Dan. On Fri, 05 May 2023, Dan Carpenter wrote: > There was a bug where this code forgot to unlock the tdev->mutex if the > kzalloc() failed. Fix this issue, by moving the allocation outside the > lock. > > Fixes: 2d1e952a2b8e ("mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write()") > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > --- > drivers/mailbox/mailbox-test.c | 10 ++++++---- > 1 file changed, 6 insertions(+), 4 deletions(-) Reviewed-by: Lee Jones <lee@xxxxxxxxxx> > diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c > index c4a705c30331..fc6a12a51b40 100644 > --- a/drivers/mailbox/mailbox-test.c > +++ b/drivers/mailbox/mailbox-test.c > @@ -98,6 +98,7 @@ static ssize_t mbox_test_message_write(struct file *filp, > size_t count, loff_t *ppos) > { > struct mbox_test_device *tdev = filp->private_data; > + char *message; > void *data; > int ret; > > @@ -113,12 +114,13 @@ static ssize_t mbox_test_message_write(struct file *filp, > return -EINVAL; > } > > - mutex_lock(&tdev->mutex); > - > - tdev->message = kzalloc(MBOX_MAX_MSG_LEN, GFP_KERNEL); > - if (!tdev->message) > + message = kzalloc(MBOX_MAX_MSG_LEN, GFP_KERNEL); > + if (!message) > return -ENOMEM; > > + mutex_lock(&tdev->mutex); > + > + tdev->message = message; > ret = copy_from_user(tdev->message, userbuf, count); > if (ret) { > ret = -EFAULT; > -- > 2.39.2 > -- Lee Jones [李琼斯]
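Review bot: In the second hunk, copy_from_user() still runs under tdev->mutex and writes into tdev->message immediately after "tdev->message = message;", so a failed copy leaves a partially filled buffer published in the shared field and the -EFAULT path has to undo it. Since the buffer now lives in a local, consider copying into message before mutex_lock(&tdev->mutex), calling kfree(message) and returning -EFAULT on failure, and assigning tdev->message only once the copy has succeeded; that keeps every early return lock-free, which is the property this fix is after. The assignment also overwrites whatever tdev->message held without a visible check, so it is worth confirming that a previous buffer cannot still be pending at that point.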