From patchwork Thu Feb 6 10:37:51 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Po-Hsu Lin X-Patchwork-Id: 1234201 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 48CvzB1G61z9sRK; Thu, 6 Feb 2020 21:38:14 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1izeXy-0006i7-Tk; Thu, 06 Feb 2020 10:38:10 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1izeXr-0006fo-8X for kernel-team@lists.ubuntu.com; Thu, 06 Feb 2020 10:38:03 +0000 Received: from mail-pf1-f199.google.com ([209.85.210.199]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1izeXq-0003xF-RU for kernel-team@lists.ubuntu.com; Thu, 06 Feb 2020 10:38:03 +0000 Received: by mail-pf1-f199.google.com with SMTP id o1so3677360pfg.6 for ; Thu, 06 Feb 2020 02:38:02 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=En+xq3EwfDR18d2ZHmyQ+7lcbaJML99NMCPViMCYlfk=; b=MQSHDFHqi9/jpnw/pJL6e+iTU7PVNZY2+HMAKypNJGxujgEytKN9oeLAX8zYsbqSno N9kayZhxH6CGNfcIBNCraY/K41tTEjSIQOxkJKbq2WfXOwzIzD3isxZoMhqD5/Cqql0z 66vtmVFsucZSt5E0zngkHKrYZlnfCsduDsUKEy7c0b8pcLgigUn1mW4IYItmtkhHQLNz HqcYrBpepOvqR19zEcgoScZKizzMBLCNqOah9c7aeY3/HnLZSRrmorHhoXd7ckyFUyEN hXAj6PT1Pni9K0j+Jx2gBLOeKgjtnNBHlafO8fAnA7Tn63L2PMSuCK20ckkXQqaAfLHa N3qw== X-Gm-Message-State: APjAAAXpZR9bk9JGAsWZOHY9n8kXT+VY9XgmX6AL/9RUl993pw1r+ytf KEobbTzfOFWjvey+6y+GPV5PAV99G3JDcS+Xe+bpdNg7gjw0FndHe9vEM/UuFVAJ9WJNVoArIuD DXdjwuO2ZcRkaiMOrmgfA/Mu8nztZ9RR9lTHlYEu4 X-Received: by 2002:aa7:85d8:: with SMTP id z24mr3184348pfn.202.1580985481266; Thu, 06 Feb 2020 02:38:01 -0800 (PST) X-Google-Smtp-Source: APXvYqx2nlyyfTWhWGXHNZBbfwYR4q+tIWs5Apr2ceoSAIXd1dOC/GAvw2v0KzcfIL09rtdnCP2Mnw== X-Received: by 2002:aa7:85d8:: with SMTP id z24mr3184327pfn.202.1580985480983; Thu, 06 Feb 2020 02:38:00 -0800 (PST) Received: from Leggiero.taipei.internal (61-220-137-37.HINET-IP.hinet.net. [61.220.137.37]) by smtp.gmail.com with ESMTPSA id k5sm2849066pju.29.2020.02.06.02.37.59 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 06 Feb 2020 02:38:00 -0800 (PST) From: Po-Hsu Lin To: kernel-team@lists.ubuntu.com Subject: [X][B][D][E][F][SRU][PATCH 1/1] can, slip: Protect tty->disc_data in write_wakeup and close with RCU Date: Thu, 6 Feb 2020 18:37:51 +0800 Message-Id: <20200206103751.28983-2-po-hsu.lin@canonical.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200206103751.28983-1-po-hsu.lin@canonical.com> References: <20200206103751.28983-1-po-hsu.lin@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Richard Palethorpe BugLink: https://bugs.launchpad.net/bugs/1862114 write_wakeup can happen in parallel with close/hangup where tty->disc_data is set to NULL and the netdevice is freed thus also freeing disc_data. write_wakeup accesses disc_data so we must prevent close from freeing the netdev while write_wakeup has a non-NULL view of tty->disc_data. We also need to make sure that accesses to disc_data are atomic. Which can all be done with RCU. This problem was found by Syzkaller on SLCAN, but the same issue is reproducible with the SLIP line discipline using an LTP test based on the Syzkaller reproducer. A fix which didn't use RCU was posted by Hillf Danton. Fixes: 661f7fda21b1 ("slip: Fix deadlock in write_wakeup") Fixes: a8e83b17536a ("slcan: Port write_wakeup deadlock fix from slip") Reported-by: syzbot+017e491ae13c0068598a@syzkaller.appspotmail.com Signed-off-by: Richard Palethorpe Cc: Wolfgang Grandegger Cc: Marc Kleine-Budde Cc: "David S. Miller" Cc: Tyler Hall Cc: linux-can@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: syzkaller@googlegroups.com Signed-off-by: David S. Miller (cherry picked from commit 0ace17d56824165c7f4c68785d6b58971db954dd) Signed-off-by: Po-Hsu Lin Acked-by: Thadeu Lima de Souza Cascardo Acked-by: Colin Ian King --- drivers/net/can/slcan.c | 12 ++++++++++-- drivers/net/slip/slip.c | 12 ++++++++++-- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/drivers/net/can/slcan.c b/drivers/net/can/slcan.c index cf0769a..b2e5bca 100644 --- a/drivers/net/can/slcan.c +++ b/drivers/net/can/slcan.c @@ -343,9 +343,16 @@ static void slcan_transmit(struct work_struct *work) */ static void slcan_write_wakeup(struct tty_struct *tty) { - struct slcan *sl = tty->disc_data; + struct slcan *sl; + + rcu_read_lock(); + sl = rcu_dereference(tty->disc_data); + if (!sl) + goto out; schedule_work(&sl->tx_work); +out: + rcu_read_unlock(); } /* Send a can_frame to a TTY queue. */ @@ -640,10 +647,11 @@ static void slcan_close(struct tty_struct *tty) return; spin_lock_bh(&sl->lock); - tty->disc_data = NULL; + rcu_assign_pointer(tty->disc_data, NULL); sl->tty = NULL; spin_unlock_bh(&sl->lock); + synchronize_rcu(); flush_work(&sl->tx_work); /* Flush network side */ diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c index 2a91c19..61d7e0d 100644 --- a/drivers/net/slip/slip.c +++ b/drivers/net/slip/slip.c @@ -452,9 +452,16 @@ static void slip_transmit(struct work_struct *work) */ static void slip_write_wakeup(struct tty_struct *tty) { - struct slip *sl = tty->disc_data; + struct slip *sl; + + rcu_read_lock(); + sl = rcu_dereference(tty->disc_data); + if (!sl) + goto out; schedule_work(&sl->tx_work); +out: + rcu_read_unlock(); } static void sl_tx_timeout(struct net_device *dev) @@ -882,10 +889,11 @@ static void slip_close(struct tty_struct *tty) return; spin_lock_bh(&sl->lock); - tty->disc_data = NULL; + rcu_assign_pointer(tty->disc_data, NULL); sl->tty = NULL; spin_unlock_bh(&sl->lock); + synchronize_rcu(); flush_work(&sl->tx_work); /* VSV = very important to remove timers */