[PATCH] drivers/char/lp.c race fix

In lp_write(), copy_from_user() is called to copy data into a statically allocated kernel buffer before down_interruptible() is called. If a second thread of execution comes in between the copy_from_user() and the down_interruptible() calls, silent data corruption could result. Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

[PATCH] drivers/char/lp.c race fix
In lp_write(), copy_from_user() is called to copy data into a statically allocated kernel buffer before down_interruptible() is called. If a second thread of execution comes in between the copy_from_user() and the down_interruptible() calls, silent data corruption could result. Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
54f1a7a7 · ken@mvista.com · Linus Torvalds · 4c6672c1 · 54f1a7a7
Commit 54f1a7a7 authored Mar 07, 2005 by ken@mvista.com Committed by Linus Torvalds Mar 07, 2005
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 4 deletions

drivers/char/lp.c drivers/char/lp.c +6 -4

No files found.
--- a/drivers/char/lp.c
+++ b/drivers/char/lp.c
@@ -314,12 +314,14 @@ static ssize_t lp_write(struct file * file, const char __user * buf,
 	if (copy_size > LP_BUFFER_SIZE)
 		copy_size = LP_BUFFER_SIZE;

-	if (copy_from_user (kbuf, buf, copy_size))
-		return -EFAULT;
-
 	if (down_interruptible (&lp_table[minor].port_mutex))
 		return -EINTR;

+	if (copy_from_user (kbuf, buf, copy_size)) {
+		retv = -EFAULT;
+		goto out_unlock;
+	}
+
 	/* Claim Parport or sleep until it becomes available
 	 */
 	lp_claim_parport_or_block (&lp_table[minor]);
@@ -398,7 +400,7 @@ static ssize_t lp_write(struct file * file, const char __user * buf,
 		lp_table[minor].current_mode = IEEE1284_MODE_COMPAT;
 		lp_release_parport (&lp_table[minor]);
 	}
-
+out_unlock:
 	up (&lp_table[minor].port_mutex);

 	return retv;