From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 73EADC433EF for ; Wed, 15 Jun 2022 10:47:25 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id BE4916B0075; Wed, 15 Jun 2022 06:47:24 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id B6C9B6B0074; Wed, 15 Jun 2022 06:47:24 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id A0D5E6B0075; Wed, 15 Jun 2022 06:47:24 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13]) by kanga.kvack.org (Postfix) with ESMTP id 8AEB66B0072 for ; Wed, 15 Jun 2022 06:47:24 -0400 (EDT) Received: from smtpin11.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay01.hostedemail.com (Postfix) with ESMTP id 59E0361660 for ; Wed, 15 Jun 2022 10:47:24 +0000 (UTC) X-FDA: 79580143608.11.4763EEE Received: from mail-wr1-f47.google.com (mail-wr1-f47.google.com [209.85.221.47]) by imf23.hostedemail.com (Postfix) with ESMTP id E6CE6140085 for ; Wed, 15 Jun 2022 10:47:23 +0000 (UTC) Received: by mail-wr1-f47.google.com with SMTP id o16so14815643wra.4 for ; Wed, 15 Jun 2022 03:47:23 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:from:to:cc:references:in-reply-to :content-transfer-encoding; bh=mNHpgWeKV74aPRzSS+IzpuYFhYnFvrxkOM3S9oKNbvw=; b=z1Nvdf3hQtX7f7eRXPd8tFuzs7/EQyEfJx2MXulVDDkYdFRqu53WDSIUiySWS0wfCy ml09+HrT181RDKE2PnEWe8rt/f4j1C3nuOURL6qIzVXaWNGnpI78jgVuTUHXsf8qXMWu cx2e7NVNC5f4PyMOL+p62dK+7UZOvJrsan2GKHELZ4+JrlnDNigxTSHsxVbaLNm1F+rE zeVmv6nb5/XnoP6KHsotU1kXCKLxIZL/yJUlXnrP2Dte3UGTGKsrMx6J34Jnx/dtG5g1 pxx/Dsnkb/cenhzAJj0O1odM9hrsnz4d3SURT4qTshb+JOIyvlFM1fPq6msNQZYhNrM9 kbZw== X-Gm-Message-State: AJIora8x5el+JbshQwP4BQZjIeVnLcCl1iMhwl1axbLVf73eXK7PkOKx q2z1i2Y9kohTTUfinumBiw4= X-Google-Smtp-Source: AGRyM1tj4rfhtxmvDHlvh0ad6efQQc+LKj6kjYWp3ht8Gzl7ulZ0x+5AocUzy3whYj1DTvDaoTrvew== X-Received: by 2002:adf:e991:0:b0:210:3222:cd1e with SMTP id h17-20020adfe991000000b002103222cd1emr9667729wrm.49.1655290042590; Wed, 15 Jun 2022 03:47:22 -0700 (PDT) Received: from ?IPV6:2a0b:e7c0:0:107::70f? ([2a0b:e7c0:0:107::70f]) by smtp.gmail.com with ESMTPSA id z12-20020a5d44cc000000b00219e758ff4fsm14398933wrr.59.2022.06.15.03.47.21 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 15 Jun 2022 03:47:21 -0700 (PDT) Message-ID: Date: Wed, 15 Jun 2022 12:47:20 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0 Subject: Re: CVE-2022-1462: race condition vulnerability in drivers/tty/tty_buffers.c Content-Language: en-US From: Jiri Slaby To: Hillf Danton , Dan Carpenter Cc: ChenBigNB , Greg Kroah-Hartman , linux-mm@kvack.org, linux-kernel@vger.kernel.org References: <20220602024857.4808-1-hdanton@sina.com> <0dc35f2e-746c-bcec-160c-645055a6f8d2@kernel.org> In-Reply-To: <0dc35f2e-746c-bcec-160c-645055a6f8d2@kernel.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1655290044; a=rsa-sha256; cv=none; b=6z3qewwryyzo7qVR/Uw9otu4zNh83ZtqHgZIigJg9OEwUBCdXYgBuHPBbe93b74cNY6cFs xRbJ+zgl4vS/dB8lAKoUXZ0PIi3iw+I7IIBVhx9REJG6c01FVLvMf7MoOhAk4+x7m2Qj/Q YFyoB9krM70bm4kv5EqnmeNMmkT6EmM= ARC-Authentication-Results: i=1; imf23.hostedemail.com; dkim=none; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=kernel.org (policy=none); spf=pass (imf23.hostedemail.com: domain of jirislaby@gmail.com designates 209.85.221.47 as permitted sender) smtp.mailfrom=jirislaby@gmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1655290044; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=mNHpgWeKV74aPRzSS+IzpuYFhYnFvrxkOM3S9oKNbvw=; b=AY/AnLtQ8hxlhocTtl2M9Juv8JZ0W4frkrdnazz6Jdh5ewSsm6fTiZZDa3Osv18ZtN5cs1 v5U3M43a9vbUWdbYazAx2O4jUsMX2eEqCio8d9TNQDwwVUYH6NJ9UZnc4KtkQ1PdFdFizp guKREjBX2cCtqOssgEOO2K+9nbRXZJQ= X-Rspamd-Queue-Id: E6CE6140085 X-Rspam-User: Authentication-Results: imf23.hostedemail.com; dkim=none; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=kernel.org (policy=none); spf=pass (imf23.hostedemail.com: domain of jirislaby@gmail.com designates 209.85.221.47 as permitted sender) smtp.mailfrom=jirislaby@gmail.com X-Rspamd-Server: rspam06 X-Stat-Signature: qn1n5fcwww134csn53jishdry96ztyh1 X-HE-Tag: 1655290043-987017 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 02. 06. 22, 6:48, Jiri Slaby wrote: > On 02. 06. 22, 4:48, Hillf Danton wrote: >> On Wed, 1 Jun 2022 21:34:26 +0300 Dan Carpenter wrote: >>> Hi Greg, Jiri, >>> >>> I searched lore.kernel.org and it seemed like CVE-2022-1462 might not >>> have ever been reported to you?  Here is the original email with the >>> syzkaller reproducer. >>> >>> https://seclists.org/oss-sec/2022/q2/155 >>> >>> The reporter proposed a fix, but it won't work.  Smatch says that some >>> of the callers are already holding the port->lock.  For example, >>> sci_dma_rx_complete() will deadlock. >> >> Hi Dan >> >> To erase the deadlock above, we need to add another helper folding >> tty_insert_flip_string() and tty_flip_buffer_push() into one nutshell, >> with buf->tail covered by port->lock. >> >> The diff attached in effect reverts >> 71a174b39f10 ("pty: do tty_flip_buffer_push without port->lock in >> pty_write"). >> >> Only for thoughts now. > > I think this the likely the best approach. Except few points inlined below. > > Another would be to split tty_flip_buffer_push() into two and call only > the first one (doing smp_store_release()) inside the lock. I tried that > already, but it looks much worse. > > Another would be to add flags to tty_flip_buffer_push(). Like > ONLY_ADVANCE and ONLY_QUEUE. Call with the first under the lock, the > second outside. > > Ideas, comments? Apparently not, so Hillf, could you resend your patch after fixing the comments below? Thanks. >> Hillf >> >> +++ b/drivers/tty/pty.c >> @@ -116,15 +116,8 @@ static int pty_write(struct tty_struct * >>       if (tty->flow.stopped) >>           return 0; >> -    if (c > 0) { >> -        spin_lock_irqsave(&to->port->lock, flags); >> -        /* Stuff the data into the input queue of the other end */ >> -        c = tty_insert_flip_string(to->port, buf, c); >> -        spin_unlock_irqrestore(&to->port->lock, flags); >> -        /* And shovel */ >> -        if (c) >> -            tty_flip_buffer_push(to->port); >> -    } >> +    if (c > 0) >> +        c = tty_flip_insert_and_push_buffer(to->port, buf, c); >>       return c; >>   } >> +++ b/drivers/tty/tty_buffer.c >> @@ -554,6 +554,26 @@ void tty_flip_buffer_push(struct tty_por >>   } >>   EXPORT_SYMBOL(tty_flip_buffer_push); >> +int tty_flip_insert_and_push_buffer(struct tty_port *port, const >> unsigned char *string, int cnt) > > It should be _insert_string_, IMO. > >> +{ >> +    struct tty_bufhead *buf = &port->buf; >> +    unsigned long flags; >> + >> +    spin_lock_irqsave(&port->lock, flags); >> +    cnt = tty_insert_flip_string(port, string, cnt); >> +    if (cnt) { >> +        /* >> +         * Paired w/ acquire in flush_to_ldisc(); ensures >> flush_to_ldisc() sees >> +         * buffer data. >> +         */ >> +        smp_store_release(&buf->tail->commit, buf->tail->used); >> +    } >> +    spin_unlock_irqrestore(&port->lock, flags); >> +    queue_work(system_unbound_wq, &buf->work); > > \n here please. > >> +    return cnt; >> +} >> +EXPORT_SYMBOL(tty_flip_insert_and_push_buffer); > > No need to export this, right? > > thanks, -- js suse labs