From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"stable@vger.kernel.org" <stable@vger.kernel.org>
Cc: Sahara <keun-o.park@darkmatter.ae>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL for 4.14 44/67] pty: cancel pty slave port buf's work in tty_release
Date: Thu, 8 Mar 2018 04:57:50 +0000 [thread overview]
Message-ID: <20180308045641.7814-44-alexander.levin@microsoft.com> (raw)
In-Reply-To: <20180308045641.7814-1-alexander.levin@microsoft.com>
From: Sahara <keun-o.park@darkmatter.ae>
[ Upstream commit 2b022ab7542df60021ab57854b3faaaf42552eaf ]
In case that CONFIG_SLUB_DEBUG is on and pty is used, races between
release_one_tty and flush_to_ldisc work threads may happen and lead
to use-after-free condition on tty->link->port. Because SLUB_DEBUG
is turned on, freed tty->link->port is filled with POISON_FREE value.
So far without SLUB_DEBUG, port was filled with zero and flush_to_ldisc
could return without a problem by checking if tty is NULL.
    CPU 0                                CPU 1
    -----                                -----
    release_tty                          pty_write
      cancel_work_sync(tty)                to = tty->link
      tty_kref_put(tty->link)              tty_schedule_flip(to->port)
        << workqueue >>                    ...
        release_one_tty                    ...
          pty_cleanup                      ...
            kfree(tty->link->port)           << workqueue >>
                                             flush_to_ldisc
                                               tty = READ_ONCE(port->itty)
                                               tty is 0x6b6b6b6b6b6b6b6b
                                               !!PANIC!! access tty->ldisc
Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b93
pgd = ffffffc0eb1c3000
[6b6b6b6b6b6b6b93] *pgd=0000000000000000, *pud=0000000000000000
------------[ cut here ]------------
Kernel BUG at ffffff800851154c [verbose debug info unavailable]
Internal error: Oops - BUG: 96000004 [#1] PREEMPT SMP
CPU: 3 PID: 265 Comm: kworker/u8:9 Tainted: G W 3.18.31-g0a58eeb #1
Hardware name: Qualcomm Technologies, Inc. MSM 8996pro v1.1 + PMI8996 Carbide (DT)
Workqueue: events_unbound flush_to_ldisc
task: ffffffc0ed610ec0 ti: ffffffc0ed624000 task.ti: ffffffc0ed624000
PC is at ldsem_down_read_trylock+0x0/0x4c
LR is at tty_ldisc_ref+0x24/0x4c
pc : [<ffffff800851154c>] lr : [<ffffff800850f6c0>] pstate: 80400145
sp : ffffffc0ed627cd0
x29: ffffffc0ed627cd0 x28: 0000000000000000
x27: ffffff8009e05000 x26: ffffffc0d382cfa0
x25: 0000000000000000 x24: ffffff800a012f08
x23: 0000000000000000 x22: ffffffc0703fbc88
x21: 6b6b6b6b6b6b6b6b x20: 6b6b6b6b6b6b6b93
x19: 0000000000000000 x18: 0000000000000001
x17: 00e80000f80d6f53 x16: 0000000000000001
x15: 0000007f7d826fff x14: 00000000000000a0
x13: 0000000000000000 x12: 0000000000000109
x11: 0000000000000000 x10: 0000000000000000
x9 : ffffffc0ed624000 x8 : ffffffc0ed611580
x7 : 0000000000000000 x6 : ffffff800a42e000
x5 : 00000000000003fc x4 : 0000000003bd1201
x3 : 0000000000000001 x2 : 0000000000000001
x1 : ffffff800851004c x0 : 6b6b6b6b6b6b6b93
Signed-off-by: Sahara <keun-o.park@darkmatter.ae>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
drivers/tty/tty_io.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index 7892d0be8af9..7e77bd2118ad 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -1481,6 +1481,8 @@ static void release_tty(struct tty_struct *tty, int idx)
if (tty->link)
tty->link->port->itty = NULL;
tty_buffer_cancel_work(tty->port);
+ if (tty->link)
+ tty_buffer_cancel_work(tty->link->port);
tty_kref_put(tty->link);
tty_kref_put(tty);
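Review bot: the added `if (tty->link)` repeats the guard taken two lines earlier for `tty->link->port->itty = NULL;`; folding the cancel into that existing block keeps the two peer-port steps (clear `itty`, then cancel the peer's flush work) together, e.g. `if (tty->link) { tty->link->port->itty = NULL; tty_buffer_cancel_work(tty->link->port); }` ahead of `tty_buffer_cancel_work(tty->port);`. Whichever form is kept, the cancel of `tty->link->port` must stay before `tty_kref_put(tty->link)`, since that put is what ends in `pty_cleanup` freeing the peer port, and a one-line comment stating that ordering requirement would stop a later reorder from reintroducing the use-after-free the commit message describes.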
--
2.14.1
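The interleaving in the commit message, replayed as an added illustration that is not part of the patch or of the kernel: the workqueue, tty_port and SLUB poisoning are replaced by a tiny single-threaded model so the pre-patch and post-patch orderings of release_tty can be stepped through side by side. The function names mirror the kernel ones they stand in for, but the bodies are this example's own; in particular pty_cleanup() overwrites the port with POISON_FREE instead of freeing it, and the poison check in flush_to_ldisc() stands in for the oops that tty_ldisc_ref() takes on a 0x6b6b... pointer.

```c
/*
 * Deterministic replay of the pty release race. Added example, not kernel
 * code: a single-threaded model of the workqueue, tty_port and SLUB_DEBUG
 * poisoning, just enough to show why the peer port's flush work has to be
 * cancelled before the peer is dropped.
 */
#include <stddef.h>
#include <string.h>

#define POISON_FREE 0x6b    /* byte pattern SLUB_DEBUG writes over freed objects */

struct port { void *itty; };                        /* stand-in for tty_port.itty */
struct tty  { struct port *port; struct tty *link; };

/* One deferred flush per port (tty_port.buf.work). The entry lives outside
 * the port so that, like a real workqueue item, it can outlive the object
 * it points at. */
struct work { struct port *port; int pending; };

enum { FLUSH_NOOP = 0, FLUSH_OK = 1, FLUSH_UAF = -1 };

static struct work *find_work(struct work *wq, int n, struct port *port)
{
    for (int i = 0; i < n; i++)
        if (wq[i].port == port)
            return &wq[i];
    return NULL;
}

static void tty_schedule_flip(struct work *wq, int n, struct port *port)
{
    find_work(wq, n, port)->pending = 1;
}

static void tty_buffer_cancel_work(struct work *wq, int n, struct port *port)
{
    find_work(wq, n, port)->pending = 0;
}

/* CPU 1 side of the diagram: the write lands on the peer's port. */
static void pty_write(struct work *wq, int n, struct tty *tty)
{
    struct tty *to = tty->link;
    tty_schedule_flip(wq, n, to->port);
}

/* pty_cleanup under SLUB_DEBUG: model the kfree by poisoning the object,
 * which is where the 0x6b6b6b6b6b6b6b6b in x21 of the oops comes from. */
static void pty_cleanup(struct port *port)
{
    memset(port, POISON_FREE, sizeof *port);
}

static int is_poisoned(const void *p, size_t n)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++)
        if (b[i] != POISON_FREE)
            return 0;
    return 1;
}

/* The worker. The kernel only has the NULL check; the poison check models
 * the oops tty_ldisc_ref() takes when it dereferences the stale pointer. */
static int flush_to_ldisc(struct work *w)
{
    void *tty = w->port->itty;                 /* READ_ONCE(port->itty) */
    if (tty == NULL)
        return FLUSH_NOOP;                     /* port released cleanly */
    if (is_poisoned(&tty, sizeof tty))
        return FLUSH_UAF;                      /* port was freed under us */
    return FLUSH_OK;
}

/* release_tty() for a pty; `fixed` selects the ordering after the patch. */
static void release_tty(struct work *wq, int n, struct tty *tty, int fixed)
{
    if (tty->link)
        tty->link->port->itty = NULL;
    tty_buffer_cancel_work(wq, n, tty->port);
    if (fixed && tty->link)
        tty_buffer_cancel_work(wq, n, tty->link->port);
    /* tty_kref_put(tty->link) -> release_one_tty -> pty_cleanup */
    if (tty->link)
        pty_cleanup(tty->link->port);
}

/* Replay the commit-message interleaving and return what the flush did:
 * FLUSH_UAF without the patch, FLUSH_NOOP with it. */
static int replay(int fixed)
{
    struct port master_port, slave_port;
    struct tty master = { &master_port, NULL }, slave = { &slave_port, NULL };
    struct work wq[2] = { { &master_port, 0 }, { &slave_port, 0 } };
    int result = FLUSH_NOOP;

    master.link = &slave;        slave.link = &master;
    master_port.itty = &master;  slave_port.itty = &slave;

    pty_write(wq, 2, &master);            /* CPU 1: queue flush on link's port */
    release_tty(wq, 2, &master, fixed);   /* CPU 0: free link's port           */
    for (int i = 0; i < 2; i++)           /* the workqueue finally runs        */
        if (wq[i].pending) {
            wq[i].pending = 0;
            result = flush_to_ldisc(&wq[i]);
        }
    return result;
}
```

replay(0) reproduces the bug: the NULL check in flush_to_ldisc() passes because the poisoned itty is not NULL, so the worker goes on to use a freed port. replay(1) shows why the patch works: the peer's pending entry is dropped while the port is still alive, so nothing is left for the workqueue to run against freed memory. Without SLUB_DEBUG the same ordering bug exists, it is only harder to see.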