To: gregkh@linuxfoundation.org, jslaby@suse.com
Cc: alan@llwyncelyn.cymru, bot+1a77aeddeaf63317949b59c3df98f139a1ca34f9@syzkaller.appspotmail.com, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, dvyukov@google.com, hannes@cmpxchg.org, hch@lst.de, mhocko@suse.com
Subject: [PATCH] tty: Avoid possible error pointer dereference at tty_ldisc_restore().
From: Tetsuo Handa
Date: Mon, 16 Apr 2018 20:06:34 +0900
Message-Id: <201804162006.GBB48461.FFJFSOMOOQHVLt@I-love.SAKURA.ne.jp>
In-Reply-To: <20180405142503.627552ca@alans-desktop>

Greg and Jiri, are you OK with this patch?

Alan Cox wrote:
> > syzbot is reporting crashes [1] triggered by memory allocation failure at
> > tty_ldisc_get() from tty_ldisc_restore(). While syzbot stops at WARN_ON()
> > due to panic_on_warn == true, panic_on_warn == false will after all trigger
> > an OOPS by dereferencing old->ops->num if IS_ERR(old) == true.
> >
> > We can simplify tty_ldisc_restore() as three calls (old->ops->num, N_TTY,
> > N_NULL) to tty_ldisc_failto() in addition to avoiding possible error
> > pointer dereference.
> >
> > If someone reports kernel panic triggered by forcing all memory allocations
> > for tty_ldisc_restore() to fail, we can consider adding __GFP_NOFAIL for
> > tty_ldisc_restore() case.
> >
> > [1] https://syzkaller.appspot.com/bug?id=6ac359c61e71d22e06db7f8f88243feb11d927e7
> >
> > Signed-off-by: Tetsuo Handa
> > Cc: Greg Kroah-Hartman
> > Cc: Jiri Slaby
> > Cc: Dmitry Vyukov
> > Cc: Johannes Weiner
> > Cc: Alan Cox
> > Cc: Christoph Hellwig
> > Cc: Michal Hocko
>
> Seems reasonable to me
>
> Alan

>From 023cf07f799d0efd160ec1c1617d5b8902577765 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa
Date: Thu, 5 Apr 2018 11:27:06 +0900
Subject: [PATCH] tty: Avoid possible error pointer dereference at tty_ldisc_restore().

syzbot is reporting crashes [1] triggered by memory allocation failure at
tty_ldisc_get() from tty_ldisc_restore(). While syzbot stops at WARN_ON()
due to panic_on_warn == true, panic_on_warn == false will after all trigger
an OOPS by dereferencing old->ops->num if IS_ERR(old) == true.

We can simplify tty_ldisc_restore() as three calls (old->ops->num, N_TTY,
N_NULL) to tty_ldisc_failto() in addition to avoiding possible error
pointer dereference.

If someone reports kernel panic triggered by forcing all memory allocations
for tty_ldisc_restore() to fail, we can consider adding __GFP_NOFAIL for
tty_ldisc_restore() case.

[1] https://syzkaller.appspot.com/bug?id=6ac359c61e71d22e06db7f8f88243feb11d927e7

Signed-off-by: Tetsuo Handa
Cc: Greg Kroah-Hartman
Cc: Jiri Slaby
Cc: Dmitry Vyukov
Cc: Johannes Weiner
Cc: Alan Cox
Cc: Christoph Hellwig
Cc: Michal Hocko
--- drivers/tty/tty_ldisc.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c index 08ddb2c..de007e1 100644 --- a/drivers/tty/tty_ldisc.c +++ b/drivers/tty/tty_ldisc.c
@@ -527,19 +527,16 @@ static int tty_ldisc_failto(struct tty_struct *tty, int ld) static void tty_ldisc_restore(struct tty_struct *tty, struct tty_ldisc *old) { /* There is an outstanding reference here so this is safe */ - old = tty_ldisc_get(tty, old->ops->num); - WARN_ON(IS_ERR(old)); - tty->ldisc = old; - tty_set_termios_ldisc(tty, old->ops->num); - if (tty_ldisc_open(tty, old) < 0) { - tty_ldisc_put(old); + if (tty_ldisc_failto(tty, old->ops->num) < 0) { + const char *name = tty_name(tty); + + pr_warn("Falling back ldisc for %s.\n", name); /* The traditional behaviour is to fall back to N_TTY, we want to avoid falling back to N_NULL unless we have no choice to avoid the risk of breaking anything */ if (tty_ldisc_failto(tty, N_TTY) < 0 && tty_ldisc_failto(tty, N_NULL) < 0) - panic("Couldn't open N_NULL ldisc for %s.", - tty_name(tty)); + panic("Couldn't open N_NULL ldisc for %s.", name); } } -- 1.8.3.1
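Review bot: The added pr_warn("Falling back ldisc for %s.\n", name) in the first tty_ldisc_failto() failure branch drops both the line discipline number that could not be restored and the negative value tty_ldisc_failto() returned, so with WARN_ON(IS_ERR(old)) removed the log no longer lets anyone tell a failed allocation from a failed open. Consider storing the return value in a local and printing it together with old->ops->num in that message. The removed lines also called tty_ldisc_put(old) when tty_ldisc_open() failed; the body of tty_ldisc_failto() is not part of this hunk, so it would help if the commit message stated that it releases the newly obtained ldisc on that path. Minor: the panic() format string still has no trailing newline while the new pr_warn() does.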