| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 07 Apr 2017 12:06:00 +1000
From: Michael Neuling <mikey@...ling.org>
To: Wang YanQing <udknight@...il.com>
Cc: Al Viro <viro@...IV.linux.org.uk>, johan Hovold <johan@...nel.org>,
Peter Hurley <peter@...leysoftware.com>,
Alexander Popov <alex.popov@...ux.com>,
Rob Herring <robh@...nel.org>,
Mikulas Patocka <mpatocka@...hat.com>,
Dmitry Vyukov <dvyukov@...gle.com>,
benh <benh@...nel.crashing.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: tty crash in tty_ldisc_receive_buf()
> > + /* This probably shouldn't happen, but return 0 data processed */
> > + if (!ldata)
> > + return 0;
> > +
> > while (1) {
> > /*
> > * When PARMRK is set, each input char may take up to 3
> > chars
>
> Maybe your patch should looks like:
> + /* This probably shouldn't happen, but return 0 data processed */
> + if (!ldata) {
> + up_read(&tty->termios_rwsem);
> + return 0;
> + }
Oops, nice catch.. Thanks!
That does indeed fix the problem now without the softlockup. I'm not sure it's
the right fix, but full patch below.
Anyone see a problem with this approach? Am I just papering over a real issue?
> Maybe below patch should work:
> @@ -1668,11 +1668,12 @@ static int
> n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
> char *fp, int count, int flow)
> {
> - struct n_tty_data *ldata = tty->disc_data;
> + struct n_tty_data *ldata;
> int room, n, rcvd = 0, overflow;
>
> down_read(&tty->termios_rwsem);
>
> + ldata = tty->disc_data;
I did try just that alone and it didn't help.
Mikey
------------------------------------------------------------------------
>From 75c2a0369450692946ca8cc7ac148a98deaecd2a Mon Sep 17 00:00:00 2001
From: Michael Neuling <mikey@...ling.org>
Date: Fri, 7 Apr 2017 11:31:02 +1000
Subject: [PATCH] tty: fix regression in flush_to_ldisc
When reiniting a tty we can end up with:
[ 417.514499] Unable to handle kernel paging request for data at address 0x00002260
[ 417.515361] Faulting instruction address: 0xc0000000006fad80
cpu 0x15: Vector: 300 (Data Access) at [c00000799411f890]
pc: c0000000006fad80: n_tty_receive_buf_common+0xc0/0xbd0
lr: c0000000006fad5c: n_tty_receive_buf_common+0x9c/0xbd0
sp: c00000799411fb10
msr: 900000000280b033
dar: 2260
dsisr: 40000000
current = 0xc0000079675d1e00
paca = 0xc00000000fb0d200 softe: 0 irq_happened: 0x01
pid = 5, comm = kworker/u56:0
Linux version 4.11.0-rc5-next-20170405 (mikey@...86) (gcc version 5.4.0 20160609 (Ubuntu/IBM 5.4.0-6ubuntu1~16.04.4) ) #2 SMP Thu Apr 6 00:36:46 CDT 2017
enter ? for help
[c00000799411fbe0] c0000000006ff968 tty_ldisc_receive_buf+0x48/0xe0
[c00000799411fc10] c0000000007009d8 tty_port_default_receive_buf+0x68/0xe0
[c00000799411fc50] c0000000006ffce4 flush_to_ldisc+0x114/0x130
[c00000799411fca0] c00000000010a0fc process_one_work+0x1ec/0x580
[c00000799411fd30] c00000000010a528 worker_thread+0x98/0x5d0
[c00000799411fdc0] c00000000011343c kthread+0x16c/0x1b0
[c00000799411fe30] c00000000000b4e8 ret_from_kernel_thread+0x5c/0x74
This is due to a NULL ptr dref of tty->disc_data.
This fixes the issue by moving the disc_data read to after we take the
semaphore, then returning 0 data processed when NULL.
Cc: <stable@...r.kernel.org> [4.10+]
Signed-off-by: Michael Neuling <mikey@...ling.org>
---
drivers/tty/n_tty.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index bdf0e6e899..a2a9832a42 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -1668,11 +1668,17 @@ static int
n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
char *fp, int count, int flow)
{
- struct n_tty_data *ldata = tty->disc_data;
+ struct n_tty_data *ldata;
int room, n, rcvd = 0, overflow;
down_read(&tty->termios_rwsem);
+ ldata = tty->disc_data;
+ if (!ldata) {
+ up_read(&tty->termios_rwsem);
+ return 0;
+ }
+
while (1) {
/*
* When PARMRK is set, each input char may take up to 3 chars
--
2.9.3
Powered by blists - more mailing lists