From: Hillf Danton
To: Dan Carpenter
Cc: ChenBigNB, Greg Kroah-Hartman, Jiri Slaby, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: CVE-2022-1462: race condition vulnerability in drivers/tty/tty_buffers.c
Date: Thu, 2 Jun 2022 10:48:57 +0800
Message-Id: <20220602024857.4808-1-hdanton@sina.com>
In-Reply-To: <20220601183426.GD2168@kadam>

On Wed, 1 Jun 2022 21:34:26 +0300 Dan Carpenter wrote:
> Hi Greg, Jiri,
>
> I searched lore.kernel.org and it seemed like CVE-2022-1462 might not
> have ever been reported to you? Here is the original email with the
> syzkaller reproducer.
>
> https://seclists.org/oss-sec/2022/q2/155
>
> The reporter proposed a fix, but it won't work. Smatch says that some
> of the callers are already holding the port->lock. For example,
> sci_dma_rx_complete() will deadlock.

Hi Dan

To erase the deadlock above, we need to add another helper folding tty_insert_flip_string() and tty_flip_buffer_push() into one nutshell, with buf->tail covered by port->lock.

The diff attached in effect reverts 71a174b39f10 ("pty: do tty_flip_buffer_push without port->lock in pty_write").

Only for thoughts now.

Hillf

+++ b/drivers/tty/pty.c
@@ -116,15 +116,8 @@ static int pty_write(struct tty_struct * if (tty->flow.stopped) return 0; - if (c > 0) { - spin_lock_irqsave(&to->port->lock, flags); - /* Stuff the data into the input queue of the other end */ - c = tty_insert_flip_string(to->port, buf, c); - spin_unlock_irqrestore(&to->port->lock, flags); - /* And shovel */ - if (c) - tty_flip_buffer_push(to->port); - } + if (c > 0) + c = tty_flip_insert_and_push_buffer(to->port, buf, c); return c; } +++ b/drivers/tty/tty_buffer.c @@ -554,6 +554,26 @@ void tty_flip_buffer_push(struct tty_por } EXPORT_SYMBOL(tty_flip_buffer_push); +int tty_flip_insert_and_push_buffer(struct tty_port *port, const unsigned char *string, int cnt) +{ + struct tty_bufhead *buf = &port->buf; + unsigned long flags; + + spin_lock_irqsave(&port->lock, flags); + cnt = tty_insert_flip_string(port, string, cnt); + if (cnt) { + /* + * Paired w/ acquire in flush_to_ldisc(); ensures flush_to_ldisc() sees + * buffer data. + */ + smp_store_release(&buf->tail->commit, buf->tail->used); + } + spin_unlock_irqrestore(&port->lock, flags); + queue_work(system_unbound_wq, &buf->work); + return cnt; +} +EXPORT_SYMBOL(tty_flip_insert_and_push_buffer); + /** * tty_buffer_init - prepare a tty buffer structure * @port: tty port to initialise
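Review bot: in the pty.c hunk, the call to tty_flip_insert_and_push_buffer() has no prototype visible to pty.c: the patch adds the definition and EXPORT_SYMBOL in tty_buffer.c but no hunk for the header that declares tty_insert_flip_string() and tty_flip_buffer_push() (include/linux/tty_flip.h), so the call would be an implicit declaration. The same hunk also removes the only spin_lock_irqsave()/spin_unlock_irqrestore() pair in pty_write(); if `flags` is declared solely for that lock, drop the declaration as well to avoid an unused-variable warning.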
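Review bot: in the tty_buffer.c hunk, the new helper takes port->lock itself, which is exactly the property that makes the reporter's fix deadlock in callers such as sci_dma_rx_complete() that already hold the lock, so it needs a kernel-doc block like the one for tty_buffer_init() just below it, stating the locking context (must not be called with port->lock held; usable from interrupt context given spin_lock_irqsave()). Two smaller points: queue_work() now runs unconditionally after the unlock, whereas the pty_write() code being replaced only pushed when the insert returned non-zero (`if (c) tty_flip_buffer_push(to->port)`), so either guard it with `if (cnt)` or note in the comment that the extra wakeup when nothing was inserted is intended; and the smp_store_release()/queue_work() pair repeats the commit-and-queue step of the existing push path rather than sharing it, so consider factoring that step into one static helper so the release/acquire pairing comment lives in a single place.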