Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp524059ybk;
        Wed, 20 May 2020 05:46:13 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxZwCtccNMOfudDGK3Qb+ugY7E6JzdHYDovvH58Qs01saZu1GkdInbGstn7Ot/yuJmFvFNt
X-Received: by 2002:a05:6402:2c4:: with SMTP id b4mr3310453edx.331.1589978773136;
        Wed, 20 May 2020 05:46:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1589978773; cv=none;
        d=google.com; s=arc-20160816;
        b=xPreRrGc5EQx5r3sxG3qbnbV4PUnTppYtsQpAI1rT51vGND1A4AC9IZL+yyTB3Z+4v
         hhOSPlv1iYLYiSzmn1Uc644g5h0NPWbETWfZDwtbDPrEM4g2PzlDqc26Tw1G0AreCX94
         y5DsnAwtha8Wj/uG42Prf1BkTwaAvqC3PgaG09aY/xMfP50ar/qm9ZHx/kQs30Tb9sqR
         ArH3rwtVpaz3Stqhmazy2fJ1LSZJ5uwtG5aLpXTg7yDfOyFt5FTitNJwcIU8gIopPuoM
         JoIeAhMkU5xFLwC1vvnLhEocr87IRE1fVtb2tW6YI8rAlosbUKCPtVES/mMbsUM161oY
         oWPQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:message-id:references
         :in-reply-to:subject:cc:to:from:date:content-transfer-encoding
         :mime-version:dkim-signature;
        bh=nLaK/ohEQ1OzRdH5EY+kSAjwbEK+2E1W0vY/2r749BI=;
        b=pKCEIUpRliuAYkjoXLB4paWyXsa3D0vVqD6ALQ5EmjqZm7OSFt3vNjUt6020L4QGVX
         TJdOlA9Qig6lQ12b21bgvkkhCz1JROumlrDvBC4tREefbDq5kY5p1PTvYzJRR8t85+Jw
         3qvvRdad1JdsmmZHmVQdvcO4FVNnO0psvY6dCXC2sFQvv9MoMHirTPRWq35MwaEm7NxE
         w4bcPxvaA4HmuoZOfWQhXPbRSO8cpSRYSAN/tZ1q0XD0s8xftCWh1wqo1XFJx8fFX+ss
         1TWIUpaGs58s81Iq8yKDT73l1g+3hqFXG/Yelagj22IiSjKd+OTjL2/wKQMkqGrBLWYR
         dkWA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@mg.codeaurora.org header.s=smtp header.b=vSBpiFYh;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id ob21si1754848ejb.522.2020.05.20.05.45.50;
        Wed, 20 May 2020 05:46:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@mg.codeaurora.org header.s=smtp header.b=vSBpiFYh;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726988AbgETMn6 (ORCPT <rfc822;sunnyliangjy@gmail.com>
        + 99 others); Wed, 20 May 2020 08:43:58 -0400
Received: from mail27.static.mailgun.info ([104.130.122.27]:25053 "EHLO
        mail27.static.mailgun.info" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1726224AbgETMn5 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 20 May 2020 08:43:57 -0400
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mg.codeaurora.org; q=dns/txt;
 s=smtp; t=1589978637; h=Message-ID: References: In-Reply-To: Subject:
 Cc: To: From: Date: Content-Transfer-Encoding: Content-Type:
 MIME-Version: Sender; bh=nLaK/ohEQ1OzRdH5EY+kSAjwbEK+2E1W0vY/2r749BI=;
 b=vSBpiFYhyP1w7t8DlT703O7bKqtKvbvGWCbWwiNV/nZPwt2mlk1ualoafEinU1QxXpTgP2xh
 85h1QkGcF4I7g0SrmiFnvlbjo//LtSdmeIbuYdX5vYq92lyLJB8VMiZtIBJnYFMDoXVJfTbs
 JzOpIvOsSja/8U+Mv7/JZbaV++Q=
X-Mailgun-Sending-Ip: 104.130.122.27
X-Mailgun-Sid: WyI0MWYwYSIsICJsaW51eC1rZXJuZWxAdmdlci5rZXJuZWwub3JnIiwgImJlOWU0YSJd
Received: from smtp.codeaurora.org
 (ec2-35-166-182-171.us-west-2.compute.amazonaws.com [35.166.182.171]) by
 smtp-out-n05.prod.us-east-1.postgun.com with SMTP id
 5ec526044c3faf51e2931685 (version=TLS1.2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Wed, 20 May 2020 12:43:48
 GMT
Received: by smtp.codeaurora.org (Postfix, from userid 1001)
        id 83CE0C433A0; Wed, 20 May 2020 12:43:47 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
        aws-us-west-2-caf-mail-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.0 required=2.0 tests=ALL_TRUSTED
        autolearn=unavailable autolearn_force=no version=3.4.0
Received: from mail.codeaurora.org (localhost.localdomain [127.0.0.1])
        (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
        (No client certificate requested)
        (Authenticated sender: rananta)
        by smtp.codeaurora.org (Postfix) with ESMTPSA id B5A10C433C8;
        Wed, 20 May 2020 12:43:46 +0000 (UTC)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
Date:   Wed, 20 May 2020 05:43:46 -0700
From:   rananta@codeaurora.org
To:     Jiri Slaby <jslaby@suse.cz>
Cc:     gregkh@linuxfoundation.org, andrew@daynix.com,
        linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org,
        stable@vger.kernel.org
Subject: Re: [PATCH v2] tty: hvc: Fix data abort due to race in hvc_open
In-Reply-To: <f84a9da7-bb0f-7538-fa00-968c9625335b@suse.cz>
References: <20200520064708.24278-1-rananta@codeaurora.org>
 <f84a9da7-bb0f-7538-fa00-968c9625335b@suse.cz>
Message-ID: <5895803be5c8fd4c5e7725b57ffe79e4@codeaurora.org>
X-Sender: rananta@codeaurora.org
User-Agent: Roundcube Webmail/1.3.9
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2020-05-20 01:59, Jiri Slaby wrote:
> On 20. 05. 20, 8:47, Raghavendra Rao Ananta wrote:
>> Potentially, hvc_open() can be called in parallel when two tasks calls
>> open() on /dev/hvcX. In such a scenario, if the 
>> hp->ops->notifier_add()
>> callback in the function fails, where it sets the tty->driver_data to
>> NULL, the parallel hvc_open() can see this NULL and cause a memory 
>> abort.
>> Hence, do a NULL check at the beginning, before proceeding ahead.
>> 
>> The issue can be easily reproduced by launching two tasks 
>> simultaneously
>> that does an open() call on /dev/hvcX.
>> For example:
>> $ cat /dev/hvc0 & cat /dev/hvc0 &
>> 
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Raghavendra Rao Ananta <rananta@codeaurora.org>
>> ---
>>  drivers/tty/hvc/hvc_console.c | 3 +++
>>  1 file changed, 3 insertions(+)
>> 
>> diff --git a/drivers/tty/hvc/hvc_console.c 
>> b/drivers/tty/hvc/hvc_console.c
>> index 436cc51c92c3..80709f754cc8 100644
>> --- a/drivers/tty/hvc/hvc_console.c
>> +++ b/drivers/tty/hvc/hvc_console.c
>> @@ -350,6 +350,9 @@ static int hvc_open(struct tty_struct *tty, struct 
>> file * filp)
>>  	unsigned long flags;
>>  	int rc = 0;
>> 
>> +	if (!hp)
>> +		return -ENODEV;
>> +
> 
> This is still not fixing the bug properly. See:
> https://lore.kernel.org/linuxppc-dev/0f7791f5-0a53-59f6-7277-247a789f30c2@suse.cz/
> 
> In particular, the paragraph starting "IOW".
> 
You are right. This doesn't fix the problem entirely. There are other 
parts to it which is
not handled in a clean way by the driver. Apart from the things you've 
mentioned, it doesn't
seem to handle the hp->port.count correctly as well.

hvc_open:
   hp->port.count++
   hp->ops->notifier_add(hp, hp->data) fails
   tty->driver_data = NULL

hvc_close:
   returns immediately as tty->driver_data == NULL, without 
hp->port.count--

This would leave the port in a stale state, and the second caller of 
hvc_open doesn't get
a chance to call/retry hp->ops->notifier_add(hp, hp->data);

However, the patch is not trying to address the logical issues with 
hvc_open and hvc_close.
It's only trying to eliminate the potential NULL pointer dereference, 
leading to a panic.
 From what I see, the hvc_open is serialized by tty_lock, and adding a 
NULL check here is
preventing the second caller.
> thanks,

Thank you.
Raghavendra