Kernel/linux-next
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git synced 2025-01-09 23:39:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
linux-next/drivers
History
Vegard Nossum 925bb1ce47 tty: fix port buffer locking 
tty_insert_flip_string_fixed_flag() is racy against itself when called
from the ioctl(TCXONC, TCION/TCIOFF) path [1] and the flush_to_ldisc()
workqueue path [2].

The problem is that port->buf.tail->used is modified without consistent
locking; the ioctl path takes tty->atomic_write_lock, whereas the workqueue
path takes ldata->output_lock.

We cannot simply take ldata->output_lock, since that is specific to the
N_TTY line discipline.

It might seem natural to try to take port->buf.lock inside
tty_insert_flip_string_fixed_flag() and friends (where port->buf is
actually used/modified), but this creates problems for flush_to_ldisc()
which takes it before grabbing tty->ldisc_sem, o_tty->termios_rwsem,
and ldata->output_lock.

Therefore, the simplest solution for now seems to be to take
tty->atomic_write_lock inside tty_port_default_receive_buf(). This lock
is also used in the write path [3] with a consistent ordering.

[1]: Call Trace:
 tty_insert_flip_string_fixed_flag
 pty_write
 tty_send_xchar                     // down_read(&o_tty->termios_rwsem)
                                    // mutex_lock(&tty->atomic_write_lock)
 n_tty_ioctl_helper
 n_tty_ioctl
 tty_ioctl                          // down_read(&tty->ldisc_sem)
 do_vfs_ioctl
 SyS_ioctl

[2]: Workqueue: events_unbound flush_to_ldisc
Call Trace:
 tty_insert_flip_string_fixed_flag
 pty_write
 tty_put_char
 __process_echoes
 commit_echoes                      // mutex_lock(&ldata->output_lock)
 n_tty_receive_buf_common
 n_tty_receive_buf2
 tty_ldisc_receive_buf              // down_read(&o_tty->termios_rwsem)
 tty_port_default_receive_buf       // down_read(&tty->ldisc_sem)
 flush_to_ldisc                     // mutex_lock(&port->buf.lock)
 process_one_work

[3]: Call Trace:
 tty_insert_flip_string_fixed_flag
 pty_write
 n_tty_write                        // mutex_lock(&ldata->output_lock)
                                    // down_read(&tty->termios_rwsem)
 do_tty_write (inline)              // mutex_lock(&tty->atomic_write_lock)
 tty_write                          // down_read(&tty->ldisc_sem)
 __vfs_write
 vfs_write
 SyS_write

The bug can result in about a dozen different crashes depending on what
exactly gets corrupted when port->buf.tail->used points outside the
buffer.

The patch passes my LOCKDEP/PROVE_LOCKING testing but more testing is
always welcome.

Found using syzkaller.

Cc: <stable@vger.kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-05-18 16:43:55 +02:00
..
accessibility
acpi
More ACPI updates for v4.12-rc1
2017-05-10 09:35:42 -07:00
amba
android
ata
ARM: SoC driver updates
2017-05-09 10:01:15 -07:00
atm
auxdisplay
base
More power management updates for v4.12-rc1
2017-05-10 09:12:30 -07:00
bcma
block
virtio: fixes, cleanups, performance
2017-05-10 11:33:08 -07:00
bluetooth
Bluetooth: hci_ldisc: Add protocol check to hci_uart_tx_wakeup()
2017-04-30 12:22:14 +02:00
bus
cdrom
scsi: introduce a result field in struct scsi_request
2017-04-20 12:16:10 -06:00
char
Annotation of module parameters that specify device settings
2017-05-10 19:13:03 -07:00
clk
Sort of on the quieter side this time, which is probably due more
2017-05-10 13:38:18 -07:00
clocksource
Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2017-05-12 10:43:25 -07:00
connector
cpufreq
Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus
2017-05-12 09:56:30 -07:00
cpuidle
Merge branches 'pm-domains', 'pm-cpuidle', 'pm-sleep' and 'powercap'
2017-05-09 23:21:46 +02:00
crypto
virtio: fixes, cleanups, performance
2017-05-10 11:33:08 -07:00
dax
Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm
2017-05-12 15:43:10 -07:00
dca
devfreq
dio
dma
dmaengine updates for 4.12-rc1
2017-05-09 15:40:28 -07:00
dma-buf
dma-buf: Rename dma-ops to prevent conflict with kunmap_atomic macro
2017-04-20 13:47:46 +05:30
edac
EDAC, ghes: Do not enable it by default
2017-04-27 14:15:38 +02:00
eisa
extcon
firewire
firmware
ARM: SoC driver updates
2017-05-09 10:01:15 -07:00
fmc
fpga
fpga fr br: update supported version numbers
2017-04-26 11:38:56 +02:00
fsi
gpio
Annotation of module parameters that specify device settings
2017-05-10 19:13:03 -07:00
gpu
drm/i915: Make vblank evade warnings optional
2017-05-12 14:28:02 +10:00
hid
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial
2017-05-02 19:09:35 -07:00
hsi
HSI: ssi_protocol: double free in ssip_pn_xmit()
2017-04-21 17:58:45 +02:00
hv
char/misc patches for 4.12-rc1
2017-05-04 19:15:35 -07:00
hwmon
hwmon: (twl4030-madc) drop driver
2017-04-30 11:45:31 -07:00
hwspinlock
hwtracing
drivers/hwtracing/intel_th/msu.c: use set_memory.h header
2017-05-08 17:15:14 -07:00
i2c
Annotation of module parameters that specify device settings
2017-05-10 19:13:03 -07:00
ide
ide: don't call memcpy with the same source and destination
2017-05-08 17:36:39 -04:00
idle
x86/intel_idle: add Gemini Lake support
2017-05-01 23:17:37 +02:00
iio
Annotation of module parameters that specify device settings
2017-05-10 19:13:03 -07:00
infiniband
Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending
2017-05-12 11:44:13 -07:00
input
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
2017-05-13 10:25:05 -07:00
iommu
IOMMU Updates for Linux v4.12
2017-05-09 15:15:47 -07:00
ipack
irqchip
Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus
2017-05-12 09:56:30 -07:00
isdn
Annotation of module parameters that specify device settings
2017-05-10 19:13:03 -07:00
leds
scripts/spelling.txt: add "memory" pattern and fix typos
2017-05-08 17:15:13 -07:00
lguest
lightnvm
lightnvm: fix bad back free on error path
2017-05-04 07:53:04 -06:00
macintosh
DeviceTree for 4.12:
2017-05-05 19:33:07 -07:00
mailbox
mailbox: handle empty message in tx_tick
2017-04-27 16:20:04 +05:30
mcb
md
mm, vmalloc: use __GFP_HIGHMEM implicitly
2017-05-08 17:15:13 -07:00
media
Annotation of module parameters that specify device settings
2017-05-10 19:13:03 -07:00
memory
MTD updates for 4.12-rc1:
2017-05-11 10:44:22 -07:00
memstick
message
scsi: mpt: Move scsi_remove_host() out of mptscsih_remove_host()
2017-04-24 18:21:17 -04:00
mfd
mfd: axp20x: Support AXP803 variant
2017-04-27 11:54:49 +01:00
misc
Annotation of module parameters that specify device settings
2017-05-10 19:13:03 -07:00
mmc
Annotation of module parameters that specify device settings
2017-05-10 19:13:03 -07:00
mtd
This pull request contains updates for both UBI and UBIFS:
2017-05-13 10:23:12 -07:00
net
powerpc updates for 4.12 part 2
2017-05-12 10:04:09 -07:00
nfc
ntb
nubus
nubus: Clean up whitespace
2017-04-20 09:54:24 +02:00
nvdimm
Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm
2017-05-12 15:43:10 -07:00
nvme
Merge branch 'for-linus' of git://git.kernel.dk/linux-block
2017-05-11 11:01:56 -07:00
nvmem
ARM: SoC driver updates
2017-05-09 10:01:15 -07:00
of
powerpc updates for 4.12 part 2
2017-05-12 10:04:09 -07:00
oprofile
parisc
parport
Annotate hardware config module parameters in drivers/parport/
2017-04-20 12:02:32 +01:00
pci
Annotation of module parameters that specify device settings
2017-05-10 19:13:03 -07:00
pcmcia
Annotation of module parameters that specify device settings
2017-05-10 19:13:03 -07:00
perf
phy
pinctrl
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial
2017-05-02 19:09:35 -07:00
platform
char/misc patches for 4.12-rc1
2017-05-04 19:15:35 -07:00
pnp
power
power supply and reset changes for the v4.12 series (part 2)
2017-05-12 12:02:21 -07:00
powercap
powercap: intel_rapl: Add support for Gemini Lake
2017-04-28 23:56:16 +02:00
pps
ps3
ptp
Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2017-05-01 16:15:18 -07:00
pwm
rapidio
char/misc patches for 4.12-rc1
2017-05-04 19:15:35 -07:00
ras
regulator
Merge remote-tracking branch 'regulator/topic/vctrl' into regulator-next
2017-04-30 22:17:44 +09:00
remoteproc
virtio: fixes, cleanups, performance
2017-05-10 11:33:08 -07:00
reset
ARM: SoC driver updates
2017-05-09 10:01:15 -07:00
rpmsg
virtio: fixes, cleanups, performance
2017-05-10 11:33:08 -07:00
rtc
RTC for 4.12
2017-05-10 19:37:14 -07:00
s390
virtio: fixes, cleanups, performance
2017-05-10 11:33:08 -07:00
sbus
scsi
Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending
2017-05-12 11:44:13 -07:00
sfi
sh
sn
soc
powerpc updates for 4.12 part 2
2017-05-12 10:04:09 -07:00
spi
Merge remote-tracking branches 'spi/topic/ti-qspi' and 'spi/topic/xlp' into spi-next
2017-04-26 15:58:22 +01:00
spmi
ssb
staging
Annotation of module parameters that specify device settings
2017-05-10 19:13:03 -07:00
target
Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending
2017-05-12 11:44:13 -07:00
tc
tee
TEE driver infrastructure and OP-TEE drivers
2017-05-10 11:20:09 -07:00
thermal
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux
2017-05-12 11:58:45 -07:00
thunderbolt
tty
tty: fix port buffer locking
2017-05-18 16:43:55 +02:00
uio
usb
DeviceTree for 4.12:
2017-05-05 19:33:07 -07:00
uwb
vfio
powerpc updates for 4.12 part 1.
2017-05-05 11:36:44 -07:00
vhost
mm: support __GFP_REPEAT in kvmalloc_node for >32kB
2017-05-08 17:15:12 -07:00
video
fbdev changes for v4.12:
2017-05-11 11:12:26 -07:00
virt
drivers/virt/fsl_hypervisor.c: use get_user_pages_unlocked()
2017-05-08 17:15:10 -07:00
virtio
virtio: allow extra context per descriptor
2017-05-02 23:41:43 +03:00
vlynq
vme
w1
watchdog
Annotation of module parameters that specify device settings
2017-05-10 19:13:03 -07:00
xen
Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-05-09 09:12:53 -07:00
zorro
Kconfig
Makefile
TEE driver infrastructure and OP-TEE drivers
2017-05-10 11:20:09 -07:00