lib/error-inject: traverse list with mutex

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Traversing list without mutex in get_injectable_error_type will
race with the following code:
list_del_init(&ent->list)
kfree(ent)
in module_unload_ei_list. So fix that.

Link: https://lkml.kernel.org/r/20220620100244.82896-1-wuchi.zero@gmail.com
Signed-off-by: wuchi <wuchi.zero@gmail.com>
Cc: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Cc: Martin KaFai Lau <kafai@fb.com>
Cc: Song Liu <songliubraving@fb.com>
Cc: Yonghong Song <yhs@fb.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: KP Singh <kpsingh@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

authored by

wuchi and committed by

akpm 3 years ago 86e5908e f9987921

+9 -3

1 changed file

expand all

lib

error-inject.c

+9 -3

lib/error-inject.c

··· 40 40 int get_injectable_error_type(unsigned long addr) 41 41 { 42 42 struct ei_entry *ent; 43 + int ei_type = EI_ETYPE_NONE; 43 44 45 + mutex_lock(&ei_mutex); 44 46 list_for_each_entry(ent, &error_injection_list, list) { 45 - if (addr >= ent->start_addr && addr < ent->end_addr) 46 - return ent->etype; 47 + if (addr >= ent->start_addr && addr < ent->end_addr) { 48 + ei_type = ent->etype; 49 + break; 50 + } 47 51 } 48 - return EI_ETYPE_NONE; 52 + mutex_unlock(&ei_mutex); 53 + 54 + return ei_type; 49 55 } 50 56 51 57 /*