Date: Thu, 04 May 2023 10:28:56 +0200
Message-ID: <875y98mref.wl-tiwai@suse.de>
From: Takashi Iwai
To: mchehab@kernel.org
Cc: Yu Hao, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: BUG: WARNING in dvb_frontend_get_event
In-Reply-To: <87bkj9u57j.wl-tiwai@suse.de>
References: <87bkj9u57j.wl-tiwai@suse.de>

On Thu, 27 Apr 2023 09:58:24 +0200,
Takashi Iwai wrote:
> 
> On Tue, 18 Apr 2023 06:50:07 +0200,
> Yu Hao wrote:
> > 
> > Hello,
> > 
> > We found the following issue using syzkaller on Linux v6.2.0.
> > 
> > In the function `dvb_frontend_get_event`, function
> > `wait_event_interruptible` is called
> > and the condition is `dvb_frontend_test_event(fepriv, events)`.
> > In the function `dvb_frontend_test_event`, function
> > `down(&fepriv->sem);` is called.
> > However, function `wait_event_interruptible` would put the process to sleep.
> > And function `down(&fepriv->sem);` may block the process.
> > So there is the issue with "do not call blocking ops when !TASK_RUNNING".
> > 
> > The full report including the Syzkaller reproducer & C reproducer:
> > https://gist.github.com/ZHYfeng/4c5f8be6adc63b73dba68230d15ece2c
> 
> FYI, CVE-2023-31084 was assigned to this bug, and I was involved now
> through distro's bug report.
> 
> So, the use of semaphore together with wait_event*() macro doesn't
> look like a good idea.  A possible easy workaround would be to
> open-code the wait loop like below.
> 
> Mauro, let me know if it's an acceptable workaround.  Then I'll submit
> a proper patch.

A gentle ping.  Can anyone please check whether the suggested change
is OK or not?


thanks,

Takashi

> 
> 
> thanks,
> 
> Takashi
> 
> -- 8< --
> --- a/drivers/media/dvb-core/dvb_frontend.c
> +++ b/drivers/media/dvb-core/dvb_frontend.c
> @@ -293,14 +293,22 @@ static int dvb_frontend_get_event(struct dvb_frontend *fe, > } > > if (events->eventw == events->eventr) { > - int ret; > + struct wait_queue_entry wait; > + int ret = 0; > > if (flags & O_NONBLOCK) > return -EWOULDBLOCK; > > - ret = wait_event_interruptible(events->wait_queue, > - dvb_frontend_test_event(fepriv, events)); > - > + init_waitqueue_entry(&wait, current); > + add_wait_queue(&events->wait_queue, &wait); > + while (!dvb_frontend_test_event(fepriv, events)) { > + wait_woken(&wait, TASK_INTERRUPTIBLE, 0); > + if (signal_pending(current)) { > + ret = -ERESTARTSYS; > + break; > + } > + } > + remove_wait_queue(&events->wait_queue, &wait); > if (ret < 0) > return ret; > }
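Review bot: in the new wait loop, `wait_woken(&wait, TASK_INTERRUPTIBLE, 0)` on an entry set up with `init_waitqueue_entry(&wait, current)` does not block until a wake-up arrives: `init_waitqueue_entry()` installs `default_wake_function`, which never sets `WQ_FLAG_WOKEN` (only `woken_wake_function` does), and a timeout of 0 makes `schedule_timeout()` return at the next tick, so the loop re-checks `dvb_frontend_test_event()` about once per jiffy instead of sleeping until `events->wait_queue` is woken. The pairing `wait_woken()` is written for is `DEFINE_WAIT_FUNC(wait, woken_wake_function);` together with `wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);`; that still evaluates the condition, including its `down(&fepriv->sem)`, in TASK_RUNNING state as the change intends, but actually sleeps and does not lose a wake-up that lands between the condition check and the sleep. The `signal_pending()` handling and the `remove_wait_queue()` on every exit path look right.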