On Thu, Jul 06, 2017 at 10:57:48AM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebigg...@google.com>
>
> fscrypt_initialize(), which allocates the global bounce page pool when
> an encrypted file is first accessed, uses "double-checked locking" to
> try to avoid locking fscrypt_init_mutex. However, it doesn't use any
> memory barriers, so it's theoretically possible for a thread to observe
> a bounce page pool which has not been fully initialized. This is a
> classic bug with "double-checked locking".
>
> While "only a theoretical issue" in the latest kernel, in pre-4.8
> kernels the pointer that was checked was not even the last to be
> initialized, so it was easily possible for a crash (NULL pointer
> dereference) to happen. This was changed only incidentally by the large
> refactor to use fs/crypto/.
>
> Solve both problems in a trivial way that can easily be backported: just
> always take the mutex. It's theoretically less efficient, but it
> shouldn't be noticeable in practice as the mutex is only acquired very
> briefly once per encrypted file.
>
> Later I'd like to make this use a helper macro like DO_ONCE(). However,
> DO_ONCE() runs in atomic context, so we'd need to add a new macro that
> allows blocking.
>
> Cc: sta...@vger.kernel.org # v4.1+
> Signed-off-by: Eric Biggers <ebigg...@google.com>
Applied, thanks. Sorry for the delay; this slipped through the
cracks, and then I had a crazy travel/conference schedule.
- Ted
