From: Jiri Slaby <jirislaby@kernel.org>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
	Daniel Starke <daniel.starke@siemens.com>
Cc: syzbot <syzbot+cf155def4e717db68a12@syzkaller.appspotmail.com>,
	gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] tty: n_gsm: initialize more members at gsm_alloc_mux()
Date: Mon, 29 Aug 2022 09:10:03 +0200	[thread overview]
Message-ID: <89830d6e-fe70-eb68-84fe-1b60657ac3d8@kernel.org> (raw)
In-Reply-To: <2110618e-57f0-c1ce-b2ad-b6cacef3f60e@I-love.SAKURA.ne.jp>

On 27. 08. 22, 15:47, Tetsuo Handa wrote:
> syzbot is reporting use of uninitialized spinlock at gsmld_write() [1], for
> commit 32dd59f96924f45e ("tty: n_gsm: fix race condition in gsmld_write()")
> allows accessing gsm->tx_lock before gsm_activate_mux() initializes it.
> 
> Since object initialization should be done right after allocation in order
> to avoid accessing uninitialized memory, move initialization of
> timer/work/waitqueue/spinlock from gsmld_open()/gsm_activate_mux() to
> gsm_alloc_mux().

LGTM, I wonder why this was not like this forever.

Acked-by: Jiri Slaby <jirislaby@kernel.org>

> Link: https://syzkaller.appspot.com/bug?extid=cf155def4e717db68a12 [1]
> Reported-by: syzbot <syzbot+cf155def4e717db68a12@syzkaller.appspotmail.com>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Tested-by: syzbot <syzbot+cf155def4e717db68a12@syzkaller.appspotmail.com>
> Fixes: 32dd59f96924f45e ("tty: n_gsm: fix race condition in gsmld_write()")
> ---
>   drivers/tty/n_gsm.c | 17 ++++++-----------
>   1 file changed, 6 insertions(+), 11 deletions(-)
> 
> diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
> index caa5c14ed57f..70cd90474679 100644
> --- a/drivers/tty/n_gsm.c
> +++ b/drivers/tty/n_gsm.c
> @@ -2501,13 +2501,6 @@ static int gsm_activate_mux(struct gsm_mux *gsm)
>   	if (dlci == NULL)
>   		return -ENOMEM;
>   
> -	timer_setup(&gsm->kick_timer, gsm_kick_timer, 0);
> -	timer_setup(&gsm->t2_timer, gsm_control_retransmit, 0);
> -	INIT_WORK(&gsm->tx_work, gsmld_write_task);
> -	init_waitqueue_head(&gsm->event);
> -	spin_lock_init(&gsm->control_lock);
> -	spin_lock_init(&gsm->tx_lock);
> -
>   	if (gsm->encoding == 0)
>   		gsm->receive = gsm0_receive;
>   	else
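Review bot: dropping the six initializers here also means that gsm_activate_mux() no longer re-runs timer_setup(), INIT_WORK() and spin_lock_init() on an already live object; re-initializing a lock that may be held, or a timer that may be armed, is itself unsafe, so the commit message could state that this is intended and that nothing relies on activation resetting these fields.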
> @@ -2612,6 +2605,12 @@ static struct gsm_mux *gsm_alloc_mux(void)
>   	kref_init(&gsm->ref);
>   	INIT_LIST_HEAD(&gsm->tx_ctrl_list);
>   	INIT_LIST_HEAD(&gsm->tx_data_list);
> +	timer_setup(&gsm->kick_timer, gsm_kick_timer, 0);
> +	timer_setup(&gsm->t2_timer, gsm_control_retransmit, 0);
> +	INIT_WORK(&gsm->tx_work, gsmld_write_task);
> +	init_waitqueue_head(&gsm->event);
> +	spin_lock_init(&gsm->control_lock);
> +	spin_lock_init(&gsm->tx_lock);
>   
>   	gsm->t1 = T1;
>   	gsm->t2 = T2;
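Review bot: placing the initialization right after kref_init()/INIT_LIST_HEAD() and before the object is returned is the right spot; since timer_setup() and INIT_WORK() only initialize and do not arm or queue anything, no matching cancellation is needed on gsm_alloc_mux()'s failure path. A one-line comment such as "/* initialized here so gsmld_write() can take tx_lock before activation */" would record why these moved out of gsm_activate_mux().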
> @@ -2946,10 +2945,6 @@ static int gsmld_open(struct tty_struct *tty)
>   
>   	gsmld_attach_gsm(tty, gsm);
>   
> -	timer_setup(&gsm->kick_timer, gsm_kick_timer, 0);
> -	timer_setup(&gsm->t2_timer, gsm_control_retransmit, 0);
> -	INIT_WORK(&gsm->tx_work, gsmld_write_task);
> -
>   	return 0;
>   }
>   
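Review bot: this duplicate set ran after gsmld_attach_gsm(tty, gsm), i.e. after the mux was already reachable through the tty, so re-running timer_setup() and INIT_WORK() here was a second window of the same kind as the one being fixed; the commit message could note that this partial copy (only three of the six initializers) is removed as well.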

-- 
js
suse labs

