Date: Wed, 22 Jun 2022 16:27:08 +0200
From: Salvatore Bonaccorso
To: Jiri Slaby
Cc: Hillf Danton, Dan Carpenter, ChenBigNB, Greg Kroah-Hartman, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: CVE-2022-1462: race condition vulnerability in drivers/tty/tty_buffers.c
References: <20220602024857.4808-1-hdanton@sina.com> <0dc35f2e-746c-bcec-160c-645055a6f8d2@kernel.org>

hi,

On Wed, Jun 15, 2022 at 12:47:20PM +0200, Jiri Slaby wrote:
> On 02. 06. 22, 6:48, Jiri Slaby wrote:
> > On 02. 06. 22, 4:48, Hillf Danton wrote:
> > > On Wed, 1 Jun 2022 21:34:26 +0300 Dan Carpenter wrote:
> > > > Hi Greg, Jiri,
> > > >
> > > > I searched lore.kernel.org and it seemed like CVE-2022-1462 might not
> > > > have ever been reported to you?  Here is the original email with the
> > > > syzkaller reproducer.
> > > >
> > > > https://seclists.org/oss-sec/2022/q2/155
> > > >
> > > > The reporter proposed a fix, but it won't work.  Smatch says that some
> > > > of the callers are already holding the port->lock.  For example,
> > > > sci_dma_rx_complete() will deadlock.
> > >
> > > Hi Dan
> > >
> > > To erase the deadlock above, we need to add another helper folding
> > > tty_insert_flip_string() and tty_flip_buffer_push() into one nutshell,
> > > with buf->tail covered by port->lock.
> > >
> > > The diff attached in effect reverts
> > > 71a174b39f10 ("pty: do tty_flip_buffer_push without port->lock in
> > > pty_write").
> > >
> > > Only for thoughts now.
> >
> > I think this is likely the best approach. Except for a few points inlined below.
> >
> > Another would be to split tty_flip_buffer_push() into two and call only
> > the first one (doing smp_store_release()) inside the lock. I tried that
> > already, but it looks much worse.
> >
> > Another would be to add flags to tty_flip_buffer_push(). Like
> > ONLY_ADVANCE and ONLY_QUEUE. Call with the first under the lock, the
> > second outside.
> >
> > Ideas, comments?
>
> Apparently not, so Hillf, could you resend your patch after fixing the
> comments below?

Any news here? I'm not sure if I missed the follow-up submission but was
not able to find it.

Regards,
Salvatore
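For readers following the locking argument in the quoted thread, here is an added userspace model of the two designs under discussion. It is not kernel code and not from any participant's patch: every name in it (model_lock, model_port, model_push_takes_lock, model_insert_and_push, the demo_* scenarios) is an assumption made for illustration, and the single-threaded lock returns -EDEADLK where a real spinlock_t would simply spin forever (lockdep would report the recursion). Scenario 1 is Dan's objection: a tty_flip_buffer_push() that takes port->lock internally cannot be called from a path such as sci_dma_rx_complete() that already holds it. Scenario 2 is Hillf's folded helper, taking the lock once for both the tail advance and the push. Scenario 3 is the drop-lock-then-push pattern that, by Hillf's description, 71a174b39f10 introduced in pty_write and his diff in effect reverts. The model does not reproduce the CVE-2022-1462 race itself or the smp_store_release() ordering; it only shows the lock-nesting consequence of each API shape.

```c
/* Added userspace model of the locking problem in this thread. NOT kernel
 * code: every name here and the single-threaded "lock" that reports
 * re-acquisition instead of spinning are assumptions for illustration.
 * It models Dan's deadlock and Hillf's folded helper, not the race itself. */
#include <errno.h>
#include <stddef.h>

/* Stand-in for a non-recursive spinlock_t. A real spinlock spins forever
 * when its holder re-takes it (lockdep would report it); returning
 * -EDEADLK instead makes the failure observable and testable. */
struct model_lock { int held; };

static int model_lock(struct model_lock *l)
{
	if (l->held)
		return -EDEADLK;	/* caller already holds it */
	l->held = 1;
	return 0;
}

static void model_unlock(struct model_lock *l) { l->held = 0; }

/* Stand-in for tty_port + tty_bufhead: tail may only advance with the lock
 * held; pushed is what the consumer side has been told it may read. */
struct model_port {
	struct model_lock lock;
	size_t tail;
	size_t pushed;
};

/* Models tty_insert_flip_string(); caller must hold port->lock. Returns new tail. */
static size_t model_insert_locked(struct model_port *p, size_t n) { return p->tail += n; }

/* Models the reporter's proposed fix: tty_flip_buffer_push() takes the
 * lock itself. Fine for callers that do not hold it, fatal for those that do. */
static int model_push_takes_lock(struct model_port *p)
{
	int ret = model_lock(&p->lock);
	if (ret)
		return ret;
	p->pushed = p->tail;
	model_unlock(&p->lock);
	return 0;
}

/* A completion path that, like sci_dma_rx_complete() in the thread, holds
 * port->lock while it inserts and then pushes. */
static int model_rx_complete_naive(struct model_port *p, size_t n)
{
	int ret = model_lock(&p->lock);
	if (ret)
		return ret;
	model_insert_locked(p, n);
	ret = model_push_takes_lock(p);	/* nested acquisition */
	model_unlock(&p->lock);
	return ret;
}

/* Hillf's direction: insert and publish under one acquisition, so tail
 * advance and push share a critical section and nobody re-takes the lock. */
static int model_insert_and_push(struct model_port *p, size_t n)
{
	int ret = model_lock(&p->lock);
	if (ret)
		return ret;
	model_insert_locked(p, n);
	p->pushed = p->tail;
	model_unlock(&p->lock);
	return 0;
}

/* Scenario 1: lock-holding completion callback uses the lock-taking push. */
int demo_push_from_locked_context(void)
{
	struct model_port p = {0};
	return model_rx_complete_naive(&p, 3);
}

/* Scenario 2: folded helper. Returns bytes published, -1 on error, -2 if lock left held. */
long demo_folded_helper(void)
{
	struct model_port p = {0};
	if (model_insert_and_push(&p, 5))
		return -1;
	return p.lock.held ? -2 : (long)p.pushed;
}

/* Scenario 3: drop the lock before pushing (the 71a174b39f10 pty_write pattern). */
long demo_push_from_unlocked_context(void)
{
	struct model_port p = {0};
	if (model_lock(&p.lock))
		return -1;
	model_insert_locked(&p, 2);
	model_unlock(&p.lock);
	return model_push_takes_lock(&p) ? -1 : (long)p.pushed;
}
```

Scenario 1 returns -EDEADLK, scenarios 2 and 3 return the number of bytes published (5 and 2). The point the model makes is the one Dan's Smatch result makes: once some callers hold port->lock across the insert-and-push sequence and others do not, a push helper cannot pick one locking convention for everyone, which is why Jiri's alternatives (a split push, or ONLY_ADVANCE/ONLY_QUEUE flags) and Hillf's folded helper all revolve around who owns the lock at the publish point.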