hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICCYVI CVE: NA -------------------------------- Fixes: deb2d2ecd43d ("PCI/GPU: implement VGA arbitration on Linux") The following code has a race condition under concurrency. if (io_state & VGA_RSRC_LEGACY_IO) uc->io_cnt--; in race condition: pre: uc->io_cnt = 1 post: uc->io_cnt = 4294967295 move vga_put code below changing uc->io_cnt code. Signed-off-by: Yuntao Liu <liuyuntao12@huawei.com> --- drivers/gpu/vga/vgaarb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/vga/vgaarb.c b/drivers/gpu/vga/vgaarb.c index c61b04555779..41f56e10c1d6 100644 --- a/drivers/gpu/vga/vgaarb.c +++ b/drivers/gpu/vga/vgaarb.c @@ -1123,13 +1123,13 @@ static ssize_t vga_arb_write(struct file *file, const char __user *buf, goto done; } - vga_put(pdev, io_state); - if (io_state & VGA_RSRC_LEGACY_IO) uc->io_cnt--; if (io_state & VGA_RSRC_LEGACY_MEM) uc->mem_cnt--; + vga_put(pdev, io_state); + ret_val = count; goto done; } else if (strncmp(curr_pos, "trylock ", 8) == 0) { -- 2.34.1