From 9eaf56f04e3cd78c0ac691fb8b25ee8e81d07023 Mon Sep 17 00:00:00 2001 From: Viktor Slavkovic Date: Mon, 2 Oct 2017 10:26:45 -0700 Subject: [PATCH] staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl A lock-unlock is missing in ASHMEM_SET_SIZE ioctl which can result in a race condition when mmap is called. After the !asma->file check, before setting asma->size, asma->file can be set in mmap. That would result in having different asma->size than the mapped memory size. Combined with ASHMEM_UNPIN ioctl and shrinker invocation, this can result in memory corruption. Bug: 66954097 Signed-off-by: Viktor Slavkovic Change-Id: Ia52312a75ade30bc94be6b94420f17f34e0c1f86 Signed-off-by: Francisco Franco --- drivers/staging/android/ashmem.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c index 29e889ea6cf3..66d1feea5ce2 100644 --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -694,10 +694,12 @@ static long ashmem_ioctl(struct file *file, unsigned int cmd, unsigned long arg) break; case ASHMEM_SET_SIZE: ret = -EINVAL; + mutex_lock(&ashmem_mutex); if (!asma->file) { ret = 0; asma->size = (size_t) arg; } + mutex_unlock(&ashmem_mutex); break; case ASHMEM_GET_SIZE: ret = asma->size;
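Review bot: the added mutex_lock/mutex_unlock around the `!asma->file` check and the `asma->size = (size_t) arg;` assignment only closes the race described in the commit message if ashmem_mmap sets asma->file while holding the same ashmem_mutex, and this hunk does not show that; please state in the commit message (or include the mmap context) that mmap already serialises on ashmem_mutex, otherwise the check-then-set is still racy against the mmap path. A smaller point on the trailing context: the neighbouring ASHMEM_GET_SIZE case (`ret = asma->size;`) still reads asma->size outside the lock, so a concurrent ASHMEM_SET_SIZE can return a stale size; taking ashmem_mutex there as well would make the two cases consistent.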