lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 15 Dec 2021 11:05:27 +0100
From:   Arnaud POULIQUEN <arnaud.pouliquen@...s.st.com>
To:     Jiri Slaby <jirislaby@...nel.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>
CC:     Bjorn Andersson <bjorn.andersson@...aro.org>,
        Mathieu Poirier <mathieu.poirier@...aro.org>,
        <linux-remoteproc@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        <linux-stm32@...md-mailman.stormreply.com>
Subject: Re: [PATCH v2] tty: rpmsg: Fix race condition releasing tty port



On 12/15/21 7:49 AM, Jiri Slaby wrote:
> Hi,
> 
> much better IMO.
> 
> On 14. 12. 21, 18:06, Arnaud Pouliquen wrote:
>> In current implementation the tty_port struct is part of the
>> rpmsg_tty_port structure.The issue is that the rpmsg_tty_port structure is
>> freed on rpmsg_tty_remove but also referenced in the tty_struct.
>> Its release is not predictable due to workqueues.
>>
>> For instance following ftrace shows that rpmsg_tty_close is called after
>> rpmsg_tty_release_cport:
> ...
>> diff --git a/drivers/tty/rpmsg_tty.c b/drivers/tty/rpmsg_tty.c
>> index dae2a4e44f38..69272ad92266 100644
>> --- a/drivers/tty/rpmsg_tty.c
>> +++ b/drivers/tty/rpmsg_tty.c
>> @@ -53,9 +53,19 @@ static int rpmsg_tty_install(struct tty_driver *driver,
>> struct tty_struct *tty)
>>         tty->driver_data = cport;
>>   +    tty_port_get(&cport->port);
> 
> Can't this fail? Like when racing with removal?
> 
>>       return tty_port_install(&cport->port, driver, tty);
>>   }
> ...
>>   static struct rpmsg_tty_port *rpmsg_tty_alloc_cport(void)
>> @@ -139,6 +156,8 @@ static struct rpmsg_tty_port *rpmsg_tty_alloc_cport(void)
>>     static void rpmsg_tty_release_cport(struct rpmsg_tty_port *cport)
>>   {
>> +    tty_port_destroy(&cport->port);
>> +
> 
> You should not call tty_port_destroy when you use refcounting. The port is
> already destroyed when ->destruct() is called. (It has currently no bad effect
> calling it twice on a port though.)
> 
>> @@ -146,7 +165,17 @@ static void rpmsg_tty_release_cport(struct rpmsg_tty_port
>> *cport)
>>       kfree(cport);
>>   }
>>   -static const struct tty_port_operations rpmsg_tty_port_ops = { };
>> +static void rpmsg_tty_destruct_port(struct tty_port *port)
>> +{
>> +    struct rpmsg_tty_port *cport = container_of(port, struct rpmsg_tty_port,
>> port);
>> +
>> +    rpmsg_tty_release_cport(cport);
>> +}
>> +
>> +static const struct tty_port_operations rpmsg_tty_port_ops = {
>> +    .destruct = rpmsg_tty_destruct_port,
>> +};
>> +
>>     static int rpmsg_tty_probe(struct rpmsg_device *rpdev)
>>   {
>> @@ -179,7 +208,6 @@ static int rpmsg_tty_probe(struct rpmsg_device *rpdev)
>>       return 0;
>>     err_destroy:
>> -    tty_port_destroy(&cport->port);
>>       rpmsg_tty_release_cport(cport);
> 
> Couldn't you just put the port here? And inline rpmsg_tty_release_cport into the
> new rpmsg_tty_destruct_port?
> 

Thanks for all the insightful comments, V3 is coming.

> thanks,

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ