Subject: Re: WARNING in tty_set_ldisc
To: Greg KH, jslaby@suse.com
Cc: syzbot, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, Dmitry Vyukov, Johannes Weiner, Alan Cox, Christoph Hellwig, Michal Hocko
References: <001a1141f0c87da52c055d385a4d@google.com> <20171105103404.GB1487@kroah.com>
From: Tetsuo Handa
Message-ID: <2e8fd7a6-6841-d660-8e1c-17b5a07618fa@I-love.SAKURA.ne.jp>
Date: Thu, 5 Apr 2018 19:46:38 +0900
In-Reply-To: <20171105103404.GB1487@kroah.com>

On 2017/11/05 19:34, Greg KH wrote:
> On Sun, Nov 05, 2017 at 01:45:01AM -0700, syzbot wrote:
>> Hello,
>>
>> syzkaller hit the following crash on
>> 9c323bff13f92832e03657cabdd70d731408d621
>> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached
>> Raw console output is attached.
>
> Again, what am I supposed to do with this?
>
> thanks,
>
> greg k-h
>

From 023cf07f799d0efd160ec1c1617d5b8902577765 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa
Date: Thu, 5 Apr 2018 11:27:06 +0900
Subject: [PATCH] tty: Avoid possible error pointer dereference at tty_ldisc_restore().

syzbot is reporting crashes [1] triggered by memory allocation failure at
tty_ldisc_get() from tty_ldisc_restore(). While syzbot stops at WARN_ON()
due to panic_on_warn == true, panic_on_warn == false will after all trigger
an OOPS by dereferencing old->ops->num if IS_ERR(old) == true.

We can simplify tty_ldisc_restore() as three calls (old->ops->num, N_TTY,
N_NULL) to tty_ldisc_failto() in addition to avoiding possible error pointer
dereference.

If someone reports kernel panic triggered by forcing all memory allocations
for tty_ldisc_restore() to fail, we can consider adding __GFP_NOFAIL for
tty_ldisc_restore() case.

[1] https://syzkaller.appspot.com/bug?id=6ac359c61e71d22e06db7f8f88243feb11d927e7

Signed-off-by: Tetsuo Handa Cc: Greg Kroah-Hartman Cc: Jiri Slaby Cc: Dmitry Vyukov Cc: Johannes Weiner Cc: Alan Cox Cc: Christoph Hellwig Cc: Michal Hocko --- drivers/tty/tty_ldisc.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c index 08ddb2c..de007e1 100644 --- a/drivers/tty/tty_ldisc.c +++ b/drivers/tty/tty_ldisc.c @@ -527,19 +527,16 @@ static int tty_ldisc_failto(struct tty_struct *tty, int ld) static void tty_ldisc_restore(struct tty_struct *tty, struct tty_ldisc *old) { /* There is an outstanding reference here so this is safe */ - old = tty_ldisc_get(tty, old->ops->num); - WARN_ON(IS_ERR(old)); - tty->ldisc = old; - tty_set_termios_ldisc(tty, old->ops->num); - if (tty_ldisc_open(tty, old) < 0) { - tty_ldisc_put(old); + if (tty_ldisc_failto(tty, old->ops->num) < 0) { + const char *name = tty_name(tty); + + pr_warn("Falling back ldisc for %s.\n", name); /* The traditional behaviour is to fall back to N_TTY, we want to avoid falling back to N_NULL unless we have no choice to avoid the risk of breaking anything */ if (tty_ldisc_failto(tty, N_TTY) < 0 && tty_ldisc_failto(tty, N_NULL) < 0) - panic("Couldn't open N_NULL ldisc for %s.", - tty_name(tty)); + panic("Couldn't open N_NULL ldisc for %s.", name); } } -- 1.8.3.1
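
Review bot: the new pr_warn("Falling back ldisc for %s.\n", name) in the failure branch of tty_ldisc_restore() carries less diagnostic information than the WARN_ON(IS_ERR(old)) it replaces. It logs neither the line discipline number that could not be reopened (old->ops->num) nor the negative value tty_ldisc_failto() returned, and nothing records whether the fallback ended on N_TTY or N_NULL. Consider storing the return value of the first tty_ldisc_failto() call and printing it together with the ldisc number, so the log shows which reopen failed and why. Separately, the retained comment "There is an outstanding reference here so this is safe" used to sit directly above the removed tty_ldisc_get() call; rewording it to say that it covers the old->ops->num read now passed to tty_ldisc_failto() would keep it accurate.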
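
The failure mode the commit message describes, as a userspace C model added here (not code from the patch or the kernel). ERR_PTR/IS_ERR/PTR_ERR are simplified re-implementations, and failto(), fail_mask and N_DEMO are hypothetical stand-ins for tty_ldisc_failto(), fault injection and the old ldisc number.

```c
#include <errno.h>
#include <stdio.h>

/* Userspace model of the kernel's error-pointer helpers (simplified). */
#define MAX_ERRNO 4095
static void *ERR_PTR(long e) { return (void *)e; }
static long PTR_ERR(const void *p) { return (long)p; }
static int IS_ERR(const void *p) { return (unsigned long)p >= (unsigned long)-MAX_ERRNO; }

enum { N_TTY = 0, N_NULL = 27, N_DEMO = 2 };  /* model numbers; N_DEMO is hypothetical */
static struct ldisc { int num; } table[32];
static unsigned fail_mask;  /* constructed fault injection: bit n makes get(n) fail */

static struct ldisc *ldisc_get(int num)
{
    if (fail_mask & (1u << num))
        return ERR_PTR(-ENOMEM);
    table[num].num = num;
    return &table[num];
}

/* Pre-patch shape: the result is only WARNed about and then used. Returns 1
 * when that code would go on to read ->ops->num through an error pointer. */
static int old_would_deref_err(int n) { return IS_ERR(ldisc_get(n)); }

/* Assumed model of one fallback attempt: install the ldisc only if get worked. */
static int failto(struct ldisc **slot, int num)
{
    struct ldisc *ld = ldisc_get(num);
    if (IS_ERR(ld))
        return (int)PTR_ERR(ld);
    *slot = ld;
    return 0;
}

/* Patched shape: old, then N_TTY, then N_NULL. -1 marks the panic() case. */
static int restore(int old_num)
{
    struct ldisc *cur = NULL;
    if (failto(&cur, old_num) < 0 && failto(&cur, N_TTY) < 0 &&
        failto(&cur, N_NULL) < 0)
        return -1;
    return cur->num;
}

int main(void)
{
    fail_mask = 1u << N_DEMO;  /* constructed: reopening the old ldisc fails */
    printf("old: %d, patched: ldisc %d\n", old_would_deref_err(N_DEMO), restore(N_DEMO));
    return 0;
}
```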