lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <e167d14c-76d3-46b4-aca5-b6003f9cbfc1@kernel.org>
Date: Thu, 9 May 2024 08:41:18 +0200
From: Jiri Slaby <jirislaby@...nel.org>
To: kovalev@...linux.org, gregkh@...uxfoundation.org,
 linux-kernel@...r.kernel.org, linux-serial@...r.kernel.org
Cc: lvc-project@...uxtesting.org, dutyrok@...linux.org,
 oficerovas@...linux.org, stable@...r.kernel.org
Subject: Re: [PATCH] tty: Fix possible deadlock in tty_buffer_flush

On 08. 05. 24, 11:30, kovalev@...linux.org wrote:
> From: Vasiliy Kovalev <kovalev@...linux.org>
> 
> A possible scenario in which a deadlock may occur is as follows:
> 
> flush_to_ldisc() {
> 
>    mutex_lock(&buf->lock);
> 
>    tty_port_default_receive_buf() {
>      tty_ldisc_receive_buf() {
>        n_tty_receive_buf2() {
> 	n_tty_receive_buf_common() {
> 	  n_tty_receive_char_special() {
> 	    isig() {
> 	      tty_driver_flush_buffer() {
> 		pty_flush_buffer() {
> 		  tty_buffer_flush() {
> 
> 		    mutex_lock(&buf->lock); (DEADLOCK)
> 
> flush_to_ldisc() and tty_buffer_flush() functions they use the same mutex
> (&buf->lock), but not necessarily the same struct tty_bufhead object.

"not necessarily" -- so does it mean that it actually can happen (and we 
should fix it) or not at all (and we should annotate the mutex)?

> However, you should probably use a separate mutex for the
> tty_buffer_flush() function to exclude such a situation.
..

> Cc: stable@...r.kernel.org

What commit does this fix?

> --- a/drivers/tty/tty_buffer.c
> +++ b/drivers/tty/tty_buffer.c
> @@ -226,7 +226,7 @@ void tty_buffer_flush(struct tty_struct *tty, struct tty_ldisc *ld)
>   
>   	atomic_inc(&buf->priority);
>   
> -	mutex_lock(&buf->lock);
> +	mutex_lock(&buf->flush_mtx);

Hmm, how does this protect against concurrent buf pickup. We free it 
here and the racing thread can start using it, or?

>   	/* paired w/ release in __tty_buffer_request_room; ensures there are
>   	 * no pending memory accesses to the freed buffer
>   	 */

thanks,
-- 
js
suse labs

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ