lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 15 Dec 2021 07:49:04 +0100
From:   Jiri Slaby <jirislaby@...nel.org>
To:     Arnaud Pouliquen <arnaud.pouliquen@...s.st.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     Bjorn Andersson <bjorn.andersson@...aro.org>,
        Mathieu Poirier <mathieu.poirier@...aro.org>,
        linux-remoteproc@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-stm32@...md-mailman.stormreply.com
Subject: Re: [PATCH v2] tty: rpmsg: Fix race condition releasing tty port

Hi,

much better IMO.

On 14. 12. 21, 18:06, Arnaud Pouliquen wrote:
> In current implementation the tty_port struct is part of the
> rpmsg_tty_port structure.The issue is that the rpmsg_tty_port structure is
> freed on rpmsg_tty_remove but also referenced in the tty_struct.
> Its release is not predictable due to workqueues.
> 
> For instance following ftrace shows that rpmsg_tty_close is called after
> rpmsg_tty_release_cport:
...
> diff --git a/drivers/tty/rpmsg_tty.c b/drivers/tty/rpmsg_tty.c
> index dae2a4e44f38..69272ad92266 100644
> --- a/drivers/tty/rpmsg_tty.c
> +++ b/drivers/tty/rpmsg_tty.c
> @@ -53,9 +53,19 @@ static int rpmsg_tty_install(struct tty_driver *driver, struct tty_struct *tty)
>   
>   	tty->driver_data = cport;
>   
> +	tty_port_get(&cport->port);

Can't this fail? Like when racing with removal?

>   	return tty_port_install(&cport->port, driver, tty);
>   }
...
>   static struct rpmsg_tty_port *rpmsg_tty_alloc_cport(void)
> @@ -139,6 +156,8 @@ static struct rpmsg_tty_port *rpmsg_tty_alloc_cport(void)
>   
>   static void rpmsg_tty_release_cport(struct rpmsg_tty_port *cport)
>   {
> +	tty_port_destroy(&cport->port);
> +

You should not call tty_port_destroy when you use refcounting. The port 
is already destroyed when ->destruct() is called. (It has currently no 
bad effect calling it twice on a port though.)

> @@ -146,7 +165,17 @@ static void rpmsg_tty_release_cport(struct rpmsg_tty_port *cport)
>   	kfree(cport);
>   }
>   
> -static const struct tty_port_operations rpmsg_tty_port_ops = { };
> +static void rpmsg_tty_destruct_port(struct tty_port *port)
> +{
> +	struct rpmsg_tty_port *cport = container_of(port, struct rpmsg_tty_port, port);
> +
> +	rpmsg_tty_release_cport(cport);
> +}
> +
> +static const struct tty_port_operations rpmsg_tty_port_ops = {
> +	.destruct = rpmsg_tty_destruct_port,
> +};
> +
>   
>   static int rpmsg_tty_probe(struct rpmsg_device *rpdev)
>   {
> @@ -179,7 +208,6 @@ static int rpmsg_tty_probe(struct rpmsg_device *rpdev)
>   	return 0;
>   
>   err_destroy:
> -	tty_port_destroy(&cport->port);
>   	rpmsg_tty_release_cport(cport);

Couldn't you just put the port here? And inline rpmsg_tty_release_cport 
into the new rpmsg_tty_destruct_port?

thanks,
-- 
js
suse labs

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ