From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Marcel Holtmann <marcel@holtmann.org>,
Johan Hedberg <johan.hedberg@gmail.com>,
Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
Rob Herring <robh@kernel.org>, Jiri Slaby <jirislaby@kernel.org>,
Zijun Hu <zijuhu@codeaurora.org>,
linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-serial@vger.kernel.org,
Sai Teja Aluvala <quic_saluvala@quicinc.com>,
Panicker Harish <quic_pharish@quicinc.com>,
Johan Hovold <johan@kernel.org>,
stable@vger.kernel.org
Subject: Re: [PATCH 1/2] serdev: ttyport: fix use-after-free on closed TTY
Date: Wed, 21 Dec 2022 18:37:59 +0100 [thread overview]
Message-ID: <e2925111-abcf-26fb-59e0-9bd4fb3f7b8e@linaro.org> (raw)
In-Reply-To: <Y6M2vLV9PM3HfXZY@kroah.com>
On 21/12/2022 17:39, Greg Kroah-Hartman wrote:
> On Wed, Dec 21, 2022 at 05:32:48PM +0100, Krzysztof Kozlowski wrote:
>> use-after-free is visible in serdev-ttyport, e.g. during system reboot
>> with Qualcomm Atheros Bluetooth. The TTY is closed, thus "struct
>> tty_struct" is being released, but the hci_uart_qca driver performs
>> writes and flushes during system shutdown in qca_serdev_shutdown().
>>
>> Unable to handle kernel paging request at virtual address 0072662f67726fd7
>> ...
>> CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G W 6.1.0-rt5-00325-g8a5f56bcfcca #8
>> Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
>> Call trace:
>> tty_driver_flush_buffer+0x4/0x30
>> serdev_device_write_flush+0x24/0x34
>> qca_serdev_shutdown+0x80/0x130 [hci_uart]
>> device_shutdown+0x15c/0x260
>> kernel_restart+0x48/0xac
>>
>> KASAN report:
>>
>> BUG: KASAN: use-after-free in tty_driver_flush_buffer+0x1c/0x50
>> Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1
>>
>> CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted 6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28
>> Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
>> Call trace:
>> dump_backtrace.part.0+0xdc/0xf0
>> show_stack+0x18/0x30
>> dump_stack_lvl+0x68/0x84
>> print_report+0x188/0x488
>> kasan_report+0xa4/0xf0
>> __asan_load8+0x80/0xac
>> tty_driver_flush_buffer+0x1c/0x50
>> ttyport_write_flush+0x34/0x44
>> serdev_device_write_flush+0x48/0x60
>> qca_serdev_shutdown+0x124/0x274
>> device_shutdown+0x1e8/0x350
>> kernel_restart+0x48/0xb0
>> __do_sys_reboot+0x244/0x2d0
>> __arm64_sys_reboot+0x54/0x70
>> invoke_syscall+0x60/0x190
>> el0_svc_common.constprop.0+0x7c/0x160
>> do_el0_svc+0x44/0xf0
>> el0_svc+0x2c/0x6c
>> el0t_64_sync_handler+0xbc/0x140
>> el0t_64_sync+0x190/0x194
>>
>> Fixes: bed35c6dfa6a ("serdev: add a tty port controller driver")
>> Cc: <stable@vger.kernel.org>
>> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
>> ---
>> drivers/tty/serdev/serdev-ttyport.c | 24 ++++++++++++++++++++++++
>> 1 file changed, 24 insertions(+)
>>
>> diff --git a/drivers/tty/serdev/serdev-ttyport.c b/drivers/tty/serdev/serdev-ttyport.c
>> index d367803e2044..3d2bab91a988 100644
>> --- a/drivers/tty/serdev/serdev-ttyport.c
>> +++ b/drivers/tty/serdev/serdev-ttyport.c
>> @@ -91,6 +91,9 @@ static void ttyport_write_flush(struct serdev_controller *ctrl)
>> struct serport *serport = serdev_controller_get_drvdata(ctrl);
>> struct tty_struct *tty = serport->tty;
>>
>> + if (!test_bit(SERPORT_ACTIVE, &serport->flags))
>> + return;
>
> Shouldn't that be a more useful macro/function instead?
> serport_is_active(serport)
Sure, makes sense.
>
> Anyway, what prevents this from changing _right_ after you test it and
> before you call the next line in this function (same for all invocations
> here.)
Eh, you're right. I got suggested by such solution in
ttyport_write_buf() assuming it was correct in the first place. Is
holding tty_lock for entire function here reasonable?
Anyway the issue also is in the caller, which should not talk over
closed TTY, which should be fixed in patch 2.
Best regards,
Krzysztof
next prev parent reply other threads:[~2022-12-21 17:38 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-21 16:32 [PATCH 1/2] serdev: ttyport: fix use-after-free on closed TTY Krzysztof Kozlowski
2022-12-21 16:32 ` [PATCH 2/2] Bluetooth: hci_qca: Fix driver shutdown on closed serdev Krzysztof Kozlowski
2022-12-21 16:39 ` [PATCH 1/2] serdev: ttyport: fix use-after-free on closed TTY Greg Kroah-Hartman
2022-12-21 17:37 ` Krzysztof Kozlowski [this message]
2022-12-21 17:42 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e2925111-abcf-26fb-59e0-9bd4fb3f7b8e@linaro.org \
--to=krzysztof.kozlowski@linaro.org \
--cc=gregkh@linuxfoundation.org \
--cc=jirislaby@kernel.org \
--cc=johan.hedberg@gmail.com \
--cc=johan@kernel.org \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-serial@vger.kernel.org \
--cc=luiz.dentz@gmail.com \
--cc=marcel@holtmann.org \
--cc=quic_pharish@quicinc.com \
--cc=quic_saluvala@quicinc.com \
--cc=robh@kernel.org \
--cc=stable@vger.kernel.org \
--cc=zijuhu@codeaurora.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox