Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp2333810ybz;
        Thu, 23 Apr 2020 16:13:00 -0700 (PDT)
X-Google-Smtp-Source: APiQypKcBjmKIY6LhR3OKjgZNvvCL/52cbjaskGM4PQmzOOvkaMR0/R1QZwSlRZ8eIb6scD4+Pac
X-Received: by 2002:a05:6402:22ed:: with SMTP id dn13mr4772175edb.212.1587683580845;
        Thu, 23 Apr 2020 16:13:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1587683580; cv=none;
        d=google.com; s=arc-20160816;
        b=bN/GmB95guLvxbNWE9Zzytvw+duyJrKvj2UJ4j9hZs3mEfHHJshSJoW54qmpx1/6Uu
         er5daEDj3y9wZUbTAAJZFoTyA4ADhjAc7mpI1Dfd6+d1iETZiog1patzGrdipG8pr4yX
         4mrS25sErU8Vn34K88KuQ0gca6g8G/KIRhmso17xznpnkmblPEUxvt5Z8XVrilPrfx3N
         bVvk/sUSEeFdJPGxCTX5Q+12i5lpMW0osK+yfN4SUCTbVDAtBlIa4UV9oDaDb1m3L2qi
         Hum1vklvGAbZdnOIOBgWECQdjmRXMOZ20JFtq8ZhDBUVSHelqa1QpOp0IsgNivkeCVoM
         ZrPQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to
         :from:mime-version:content-transfer-encoding:content-disposition;
        bh=y48wWKSfyZbFhGfssB9O1UWqsQpjltvyZdLjM6JBPyA=;
        b=oE+tXsQqkRXA32cRXm64of68YSSW3S35rkb+XXu8tTNSlU7EX8tH1BNylScJqCy+mJ
         bvLXIQ3ZUPDCshDYsXrle/SFQC3pEqBKYcuGQ2tGfX+gn2SX8rcIMQyGFcbNCiyfY0ZG
         shWbkO2PSHxQIoL03ysepMyUL9vgeFPDYyWSy8amJemnowFYy3VGxvBJzUW6/0qru+P0
         eS/vAjJORTWWRRPpALIRGce9DAEjQ7iLjAoWrwnY0NKnCM3QOE6lCcSwKNnEKrC2DWSD
         aDBJNfQCmTGsAu5xhRGCjW162tQhHCu5Lv/Gwbkv51LVngsgPaSAIolktjbTpYqLG1HA
         3ayw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id l4si2068872ede.294.2020.04.23.16.12.37;
        Thu, 23 Apr 2020 16:13:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728980AbgDWXIb (ORCPT <rfc822;luizmacielfranco@gmail.com>
        + 99 others); Thu, 23 Apr 2020 19:08:31 -0400
Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:50980 "EHLO
        shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1728666AbgDWXG7 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 23 Apr 2020 19:06:59 -0400
Received: from [192.168.4.242] (helo=deadeye)
        by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.89)
        (envelope-from <ben@decadent.org.uk>)
        id 1jRkvc-0004n0-LE; Fri, 24 Apr 2020 00:06:44 +0100
Received: from ben by deadeye with local (Exim 4.93)
        (envelope-from <ben@decadent.org.uk>)
        id 1jRkvY-00E6y9-63; Fri, 24 Apr 2020 00:06:40 +0100
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
From:   Ben Hutchings <ben@decadent.org.uk>
To:     linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC:     akpm@linux-foundation.org, Denis Kirjanov <kda@linux-powerpc.org>,
        "David S. Miller" <davem@davemloft.net>, netdev@vger.kernel.org,
        "Marc Kleine-Budde" <mkl@pengutronix.de>,
        "Richard Palethorpe" <rpalethorpe@suse.com>,
        "Wolfgang Grandegger" <wg@grandegger.com>,
        syzkaller@googlegroups.com, linux-can@vger.kernel.org,
        syzbot+017e491ae13c0068598a@syzkaller.appspotmail.com,
        "Tyler Hall" <tylerwhall@gmail.com>
Date:   Fri, 24 Apr 2020 00:07:08 +0100
Message-ID: <lsq.1587683028.166259533@decadent.org.uk>
X-Mailer: LinuxStableQueue (scripts by bwh)
X-Patchwork-Hint: ignore
Subject: [PATCH 3.16 201/245] can, slip: Protect tty->disc_data in
 write_wakeup and close with RCU
In-Reply-To: <lsq.1587683027.831233700@decadent.org.uk>
X-SA-Exim-Connect-IP: 192.168.4.242
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.83-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Palethorpe <rpalethorpe@suse.com>

commit 0ace17d56824165c7f4c68785d6b58971db954dd upstream.

write_wakeup can happen in parallel with close/hangup where tty->disc_data
is set to NULL and the netdevice is freed thus also freeing
disc_data. write_wakeup accesses disc_data so we must prevent close from
freeing the netdev while write_wakeup has a non-NULL view of
tty->disc_data.

We also need to make sure that accesses to disc_data are atomic. Which can
all be done with RCU.

This problem was found by Syzkaller on SLCAN, but the same issue is
reproducible with the SLIP line discipline using an LTP test based on the
Syzkaller reproducer.

A fix which didn't use RCU was posted by Hillf Danton.

Fixes: 661f7fda21b1 ("slip: Fix deadlock in write_wakeup")
Fixes: a8e83b17536a ("slcan: Port write_wakeup deadlock fix from slip")
Reported-by: syzbot+017e491ae13c0068598a@syzkaller.appspotmail.com
Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
Cc: Wolfgang Grandegger <wg@grandegger.com>
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Tyler Hall <tylerwhall@gmail.com>
Cc: linux-can@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: syzkaller@googlegroups.com
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/slcan.c | 12 ++++++++++--
 drivers/net/slip/slip.c | 12 ++++++++++--
 2 files changed, 20 insertions(+), 4 deletions(-)

--- a/drivers/net/can/slcan.c
+++ b/drivers/net/can/slcan.c
@@ -346,9 +346,16 @@ static void slcan_transmit(struct work_s
  */
 static void slcan_write_wakeup(struct tty_struct *tty)
 {
-	struct slcan *sl = tty->disc_data;
+	struct slcan *sl;
+
+	rcu_read_lock();
+	sl = rcu_dereference(tty->disc_data);
+	if (!sl)
+		goto out;
 
 	schedule_work(&sl->tx_work);
+out:
+	rcu_read_unlock();
 }
 
 /* Send a can_frame to a TTY queue. */
@@ -640,10 +647,11 @@ static void slcan_close(struct tty_struc
 		return;
 
 	spin_lock_bh(&sl->lock);
-	tty->disc_data = NULL;
+	rcu_assign_pointer(tty->disc_data, NULL);
 	sl->tty = NULL;
 	spin_unlock_bh(&sl->lock);
 
+	synchronize_rcu();
 	flush_work(&sl->tx_work);
 
 	/* Flush network side */
--- a/drivers/net/slip/slip.c
+++ b/drivers/net/slip/slip.c
@@ -452,9 +452,16 @@ static void slip_transmit(struct work_st
  */
 static void slip_write_wakeup(struct tty_struct *tty)
 {
-	struct slip *sl = tty->disc_data;
+	struct slip *sl;
+
+	rcu_read_lock();
+	sl = rcu_dereference(tty->disc_data);
+	if (!sl)
+		goto out;
 
 	schedule_work(&sl->tx_work);
+out:
+	rcu_read_unlock();
 }
 
 static void sl_tx_timeout(struct net_device *dev)
@@ -885,10 +892,11 @@ static void slip_close(struct tty_struct
 		return;
 
 	spin_lock_bh(&sl->lock);
-	tty->disc_data = NULL;
+	rcu_assign_pointer(tty->disc_data, NULL);
 	sl->tty = NULL;
 	spin_unlock_bh(&sl->lock);
 
+	synchronize_rcu();
 	flush_work(&sl->tx_work);
 
 	/* VSV = very important to remove timers */