The following code has a race condition under concurrency.
if (io_state & VGA_RSRC_LEGACY_IO)
uc->io_cnt--;
in race condition:
pre: uc->io_cnt = 1
post: uc->io_cnt = 4294967295
move vga_put code below changing uc->io_cnt code.
Fixes: deb2d2ecd43d ("PCI/GPU: implement VGA arbitration on Linux")
Signed-off-by: Yuntao Liu <liuyuntao12@xxxxxxxxxx>
---
drivers/pci/vgaarb.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/vgaarb.c b/drivers/pci/vgaarb.c
index 78748e8d2dba..2d0e6cf9eef8 100644
--- a/drivers/pci/vgaarb.c
+++ b/drivers/pci/vgaarb.c
@@ -1257,13 +1257,13 @@ static ssize_t vga_arb_write(struct file *file, const char __user *buf,
goto done;
}
- vga_put(pdev, io_state);
-
if (io_state & VGA_RSRC_LEGACY_IO)
uc->io_cnt--;
if (io_state & VGA_RSRC_LEGACY_MEM)
uc->mem_cnt--;
+ vga_put(pdev, io_state);
+
ret_val = count;
goto done;
} else if (strncmp(curr_pos, "trylock ", 8) == 0) {
--
2.34.1
