From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Raghavendra Rao Ananta <rananta@codeaurora.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linuxppc-dev@lists.ozlabs.org, Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 5.7 146/388] tty: hvc: Fix data abort due to race in hvc_open
Date: Wed, 17 Jun 2020 21:04:03 -0400
Message-ID: <20200618010805.600873-146-sashal@kernel.org>
In-Reply-To: <20200618010805.600873-1-sashal@kernel.org>

From: Raghavendra Rao Ananta <rananta@codeaurora.org>

[ Upstream commit e2bd1dcbe1aa34ff5570b3427c530e4332ecf0fe ]

Potentially, hvc_open() can be called in parallel when two tasks call
open() on /dev/hvcX. In such a scenario, if the hp->ops->notifier_add()
callback in the function fails, where it sets the tty->driver_data to
NULL, the parallel hvc_open() can see this NULL and cause a memory abort.
Hence, serialize hvc_open and check if tty->private_data is NULL before
proceeding ahead.

The issue can be easily reproduced by launching two tasks simultaneously
that do nothing but open() and close() on /dev/hvcX.
For example:
$ ./simple_open_close /dev/hvc0 & ./simple_open_close /dev/hvc0 &

Signed-off-by: Raghavendra Rao Ananta <rananta@codeaurora.org>
Link: https://lore.kernel.org/r/20200428032601.22127-1-rananta@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/hvc/hvc_console.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/drivers/tty/hvc/hvc_console.c b/drivers/tty/hvc/hvc_console.c
index cdcc64ea2554..f8e43a6faea9 100644
--- a/drivers/tty/hvc/hvc_console.c
+++ b/drivers/tty/hvc/hvc_console.c
@@ -75,6 +75,8 @@ static LIST_HEAD(hvc_structs);
  */
 static DEFINE_MUTEX(hvc_structs_mutex);
 
+/* Mutex to serialize hvc_open */
+static DEFINE_MUTEX(hvc_open_mutex);
 /*
  * This value is used to assign a tty->index value to a hvc_struct based
  * upon order of exposure via hvc_probe(), when we can not match it to
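Review bot: hvc_open_mutex is a single file-scope mutex, so opens of unrelated /dev/hvcX devices now serialize against each other, and the one-line comment "Mutex to serialize hvc_open" does not say which data it protects. Consider stating in the comment that it guards tty->driver_data against the failure path that clears it, and say why a global lock was chosen over one per hvc_struct. Style: the new DEFINE_MUTEX line runs straight into the following comment block; add a blank line after it to match the spacing used above hvc_structs_mutex.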
@@ -346,16 +348,24 @@ static int hvc_install(struct tty_driver *driver, struct tty_struct *tty)
  */
 static int hvc_open(struct tty_struct *tty, struct file * filp)
 {
-	struct hvc_struct *hp = tty->driver_data;
+	struct hvc_struct *hp;
 	unsigned long flags;
 	int rc = 0;
 
+	mutex_lock(&hvc_open_mutex);
+
+	hp = tty->driver_data;
+	if (!hp) {
+		rc = -EIO;
+		goto out;
+	}
+
 	spin_lock_irqsave(&hp->port.lock, flags);
 	/* Check and then increment for fast path open. */
 	if (hp->port.count++ > 0) {
 		spin_unlock_irqrestore(&hp->port.lock, flags);
 		hvc_kick();
-		return 0;
+		goto out;
 	} /* else count == 0 */
 	spin_unlock_irqrestore(&hp->port.lock, flags);
 
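Review bot: the new `if (!hp)` check tests tty->driver_data, while the commit message says "check if tty->private_data is NULL"; the two should agree, and the code is the one that matches the described failure mode. The check is only meaningful if the writer that sets tty->driver_data to NULL runs under the same hvc_open_mutex, which this hunk does not show, so that should be confirmed and noted in a comment next to the check. Also note that the fast path (`hp->port.count++ > 0`) now calls hvc_kick() and leaves through `goto out` with the mutex held, so every open, including the previously lock-light fast path, takes a sleeping global lock; a short comment on why -EIO is the right errno for a racing open would help callers.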
@@ -383,6 +393,8 @@ static int hvc_open(struct tty_struct *tty, struct file * filp)
 	/* Force wakeup of the polling thread */
 	hvc_kick();
 
+out:
+	mutex_unlock(&hvc_open_mutex);
 	return rc;
 }
 
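Review bot: the `out:` label is now the only place hvc_open_mutex is released, so every exit from hvc_open() has to reach it. The diffstat shows two deletions, and only one of them is a `return` converted to `goto out`; the lines between this hunk and the previous one are not shown, so please confirm there is no other early return in that region that would leave the mutex held. It would also be worth a comment at `out:` noting that rc may be 0 (fast path), -EIO (NULL driver_data) or the notifier_add() result.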
-- 
2.25.1
