linux

History

Vegard Nossum 925bb1ce47 tty: fix port buffer locking tty_insert_flip_string_fixed_flag() is racy against itself when called from the ioctl(TCXONC, TCION/TCIOFF) path [1] and the flush_to_ldisc() workqueue path [2]. The problem is that port->buf.tail->used is modified without consistent locking; the ioctl path takes tty->atomic_write_lock, whereas the workqueue path takes ldata->output_lock. We cannot simply take ldata->output_lock, since that is specific to the N_TTY line discipline. It might seem natural to try to take port->buf.lock inside tty_insert_flip_string_fixed_flag() and friends (where port->buf is actually used/modified), but this creates problems for flush_to_ldisc() which takes it before grabbing tty->ldisc_sem, o_tty->termios_rwsem, and ldata->output_lock. Therefore, the simplest solution for now seems to be to take tty->atomic_write_lock inside tty_port_default_receive_buf(). This lock is also used in the write path [3] with a consistent ordering. [1]: Call Trace: tty_insert_flip_string_fixed_flag pty_write tty_send_xchar // down_read(&o_tty->termios_rwsem) // mutex_lock(&tty->atomic_write_lock) n_tty_ioctl_helper n_tty_ioctl tty_ioctl // down_read(&tty->ldisc_sem) do_vfs_ioctl SyS_ioctl [2]: Workqueue: events_unbound flush_to_ldisc Call Trace: tty_insert_flip_string_fixed_flag pty_write tty_put_char __process_echoes commit_echoes // mutex_lock(&ldata->output_lock) n_tty_receive_buf_common n_tty_receive_buf2 tty_ldisc_receive_buf // down_read(&o_tty->termios_rwsem) tty_port_default_receive_buf // down_read(&tty->ldisc_sem) flush_to_ldisc // mutex_lock(&port->buf.lock) process_one_work [3]: Call Trace: tty_insert_flip_string_fixed_flag pty_write n_tty_write // mutex_lock(&ldata->output_lock) // down_read(&tty->termios_rwsem) do_tty_write (inline) // mutex_lock(&tty->atomic_write_lock) tty_write // down_read(&tty->ldisc_sem) __vfs_write vfs_write SyS_write The bug can result in about a dozen different crashes depending on what exactly gets corrupted when port->buf.tail->used points outside the buffer. The patch passes my LOCKDEP/PROVE_LOCKING testing but more testing is always welcome. Found using syzkaller. Cc: <stable@vger.kernel.org> Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2017-05-18 16:43:55 +02:00
..
hvc	tty/hvc_console: fix console lock ordering with spinlock	2017-03-31 11:37:13 +02:00
ipwireless	tty: ipwireless, cleanup TIOCGSERIAL	2016-06-25 08:56:30 -07:00
serdev	serdev: fix tty-port client deregistration	2017-05-18 16:41:49 +02:00
serial	serial: ifx6x60: fix use-after-free on module unload	2017-05-18 16:43:55 +02:00
vt	vt: make mouse selection of non-ASCII consistent	2017-04-11 21:39:15 +02:00
amiserial.c	Replace <asm/uaccess.h> with <linux/uaccess.h> globally	2016-12-24 11:46:01 -08:00
bfin_jtag_comm.c
cyclades.c	Annotate hardware config module parameters in drivers/tty/	2017-04-20 12:02:32 +01:00
ehv_bytechan.c	tty: ehv_bytechan: clean up init error handling	2017-05-18 16:43:55 +02:00
goldfish.c	tty: goldfish: Fix a parameter of a call to free_irq	2017-01-12 11:51:25 +01:00
isicom.c	tty: Replace ASYNC_INITIALIZED bit and update atomically	2016-04-30 09:26:55 -07:00
Kconfig	devpts: Make each mount of devpts an independent filesystem.	2016-06-05 10:36:01 -07:00
Makefile	tty: split job control support into a file of its own	2017-04-18 18:01:52 +02:00
metag_da.c	timers, drivers/tty/metag_da: Initialize the poll timer as pinned	2016-07-07 10:25:14 +02:00
mips_ejtag_fdc.c	timers, drivers/tty/mips_ejtag: Initialize the poll timer as pinned	2016-07-07 10:34:59 +02:00
moxa.c	Annotate hardware config module parameters in drivers/tty/	2017-04-20 12:02:32 +01:00
moxa.h
mxser.c	Annotate hardware config module parameters in drivers/tty/	2017-04-20 12:02:32 +01:00
mxser.h
n_gsm.c	tty: n_gsm: Use net_device_stats from struct net_device	2017-03-17 14:14:00 +09:00
n_hdlc.c	format-security: move static strings to const	2017-05-08 17:15:14 -07:00
n_r3964.c	Replace <asm/uaccess.h> with <linux/uaccess.h> globally	2016-12-24 11:46:01 -08:00
n_tracerouter.c
n_tracesink.c
n_tracesink.h
n_tty.c	Fix OpenSSH pty regression on close	2016-05-01 13:22:54 -07:00
nozomi.c	tty: nozomi: avoid sprintf buffer overflow	2016-11-29 20:20:07 +01:00
pty.c	tty: pty: Fix ldisc flush after userspace become aware of the data already	2017-03-17 14:16:09 +09:00
rocket_int.h	tty: rocket: Remove private close_wait	2016-01-28 14:13:44 -08:00
rocket.c	Annotate hardware config module parameters in drivers/tty/	2017-04-20 12:02:32 +01:00
rocket.h
synclink_gt.c	Replace <asm/uaccess.h> with <linux/uaccess.h> globally	2016-12-24 11:46:01 -08:00
synclink.c	Annotate hardware config module parameters in drivers/tty/	2017-04-20 12:02:32 +01:00
synclinkmp.c	Replace <asm/uaccess.h> with <linux/uaccess.h> globally	2016-12-24 11:46:01 -08:00
sysrq.c	oom: improve oom disable handling	2017-05-03 15:52:10 -07:00
tty_audit.c	tty: audit: remove unused variable	2016-03-07 16:11:14 -08:00
tty_baudrate.c	tty: move baudrate handling code to a file of its own	2017-04-18 18:01:52 +02:00
tty_buffer.c	tty_port: Add port client functions	2017-02-03 10:17:02 +01:00
tty_io.c	tty: fix comment for __tty_alloc_driver()	2017-04-24 13:15:39 +02:00
tty_ioctl.c	tty: move baudrate handling code to a file of its own	2017-04-18 18:01:52 +02:00
tty_jobctrl.c	tty: split job control support into a file of its own	2017-04-18 18:01:52 +02:00
tty_ldisc.c	Revert "tty: don't panic on OOM in tty_set_ldisc()"	2017-04-14 10:59:56 +02:00
tty_ldsem.c	sched/headers: Prepare to move the get_task_struct()/put_task_struct() and related APIs from <linux/sched.h> to <linux/sched/task.h>	2017-03-02 08:42:40 +01:00
tty_mutex.c	Merge 4.5-rc4 into tty-next	2016-02-14 14:36:04 -08:00
tty_port.c	tty: fix port buffer locking	2017-05-18 16:43:55 +02:00