git.baikalelectronics.ru Git - kernel.git/commit

author	Eric Biggers <ebiggers@google.com>
	Tue, 6 Feb 2018 23:42:08 +0000 (15:42 -0800)
committer	Linus Torvalds <torvalds@linux-foundation.org>
	Wed, 7 Feb 2018 02:32:48 +0000 (18:32 -0800)
commit	ea54486f7af6aa1050bd1e14ca6df9b19720d627
tree	2374b679e8378f22800e233b0c69883546616138	tree \| snapshot
parent	1bb16e96b97a6b008a705b9bf2d27e100a1c1fca	commit \| diff

pipe: read buffer limits atomically

The pipe buffer limits are accessed without any locking, and may be
changed at any time by the sysctl handlers.  In theory this could cause
problems for expressions like the following:

    pipe_user_pages_hard && user_bufs > pipe_user_pages_hard

...  since the assembly code might reference the 'pipe_user_pages_hard'
memory location multiple times, and if the admin removes the limit by
setting it to 0, there is a very brief window where processes could
incorrectly observe the limit to be exceeded.

Fix this by loading the limits with READ_ONCE() prior to use.

Link: http://lkml.kernel.org/r/20180111052902.14409-8-ebiggers3@gmail.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Mikulas Patocka <mpatocka@redhat.com>
Cc: "Luis R . Rodriguez" <mcgrof@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>