From: rananta@codeaurora.org
To: Jiri Slaby <jslaby@suse.cz>
Cc: Greg KH <gregkh@linuxfoundation.org>,
andrew@daynix.com, linuxppc-dev@lists.ozlabs.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] tty: hvc: Fix data abort due to race in hvc_open
Date: Wed, 20 May 2020 06:49:04 -0700
Message-ID: <bf168752b8808182f07764fb6194775e@codeaurora.org>
In-Reply-To: <cb5bd2b2-f33a-b541-ed3c-70da14c7252d@suse.cz>
On 2020-05-20 02:38, Jiri Slaby wrote:
> On 15. 05. 20, 1:22, rananta@codeaurora.org wrote:
>> On 2020-05-13 00:04, Greg KH wrote:
>>> On Tue, May 12, 2020 at 02:39:50PM -0700, rananta@codeaurora.org wrote:
>>>> On 2020-05-12 01:25, Greg KH wrote:
>>>> > On Tue, May 12, 2020 at 09:22:15AM +0200, Jiri Slaby wrote:
>>>> > > commit bdb498c20040616e94b05c31a0ceb3e134b7e829
>>>> > > Author: Jiri Slaby <jslaby@suse.cz>
>>>> > > Date: Tue Aug 7 21:48:04 2012 +0200
>>>> > >
>>>> > > TTY: hvc_console, add tty install
>>>> > >
>>>> > > added hvc_install but did not move 'tty->driver_data = NULL;' from
>>>> > > hvc_open's fail path to hvc_cleanup.
>>>> > >
>>>> > > IOW hvc_open now NULLs tty->driver_data even for another task which
>>>> > > opened the tty earlier. The same holds for "tty_port_tty_set(&hp->port, NULL);"
>>>> > > there. And actually "tty_port_put(&hp->port);" is also incorrect for the
>>>> > > 2nd task opening the tty.
>>>> > >
>
> ...
>
>> These are the traces you get when the issue happens:
>> [ 154.212291] hvc_install called for pid: 666
>> [ 154.216705] hvc_open called for pid: 666
>> [ 154.233657] hvc_open: request_irq failed with rc -22.
>> [ 154.238934] hvc_open called for pid: 678
>> [ 154.243012] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c4
>> # hvc_install isn't called for pid: 678 as the file wasn't closed yet.
>
> Nice. Does the attached help?
Yeah, it looks good. I think it also eliminates the port.count reference
issue discussed on the v2 patch. Are you planning to mainline this?
>
> I wonder how comes the tty_port_put in hvc_open does not cause a UAF? I
> would say hvc_open fails, tty_port_put is called. It decrements the
> reference taken in hvc_install. So far so good.
>
> Now, this should happen IMO:
> tty_open
>   -> hvc_open (fails)
>   -> tty_port_put
hvc_console driver defines port->ops->destruct(). Upon tty_port_put(), the
tty_port_destructor() calls port->ops->destruct(), rather than kfree(port).
>   -> tty_release
>     -> tty_release_struct
>       -> tty_kref_put
>         -> queue_release_one_tty
> SCHEDULED WORKQUEUE
> release_one_tty
>   -> hvc_cleanup
>     -> tty_port_put (should die terrible death now)
Since port is not free'd, I think we should be good.
>
> What am I missing?
>
> thanks,
Thank you.
Raghavendra
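A userspace model of the reference-count sequence in the call chain quoted above, added here as an example; it is not kernel code, and the names port_put, hvc_install_model and open_fail_puts_after_zero, together with the by-hand counters, are constructed for the illustration. It only checks whether a put lands on a count that has already reached zero, independently of what the release path (ops->destruct or kfree) does with the memory.

```c
/* Model of the tty_port refcount sequence from the quoted call chain.
 * Counts are tracked by hand so the imbalance shows up as a number
 * instead of as a crash. Added example, not kernel code. */
#include <stdio.h>
#include <stdbool.h>

struct port {
    int refs;          /* models port->kref */
    int released;      /* how many times the release path ran */
    int puts_on_zero;  /* puts issued after refs already hit zero */
};

/* Models tty_port_put(): drop one reference, run the release path at
 * zero. A put while refs is already zero is recorded as an underflow. */
static void port_put(struct port *p)
{
    if (p->refs == 0) {
        p->puts_on_zero++;
        return;
    }
    if (--p->refs == 0)
        p->released++;  /* tty_port_destructor -> ops->destruct or kfree */
}

/* hvc_install takes the reference that hvc_cleanup is meant to drop. */
static void hvc_install_model(struct port *p) { p->refs++; }

/* The quoted chain: install, open fails (and optionally puts), then
 * tty_release reaches hvc_cleanup, which puts again. Returns how many
 * puts were issued after the count had already reached zero. */
int open_fail_puts_after_zero(bool open_fail_path_puts)
{
    struct port p = { 0, 0, 0 };
    hvc_install_model(&p);          /* refs = 1 */
    if (open_fail_path_puts)
        port_put(&p);               /* hvc_open fail path: refs = 0, release runs */
    port_put(&p);                   /* hvc_cleanup via release_one_tty */
    return p.puts_on_zero;
}

int main(void)
{
    printf("with tty_port_put in hvc_open's fail path: %d put(s) on a zero count\n",
           open_fail_puts_after_zero(true));
    printf("without it:                                %d put(s) on a zero count\n",
           open_fail_puts_after_zero(false));
    return 0;
}
```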