Message-ID: <6ff6fdea-c955-f9dd-289e-b0d613a28280@I-love.SAKURA.ne.jp>
Date: Sat, 22 Apr 2023 00:12:02 +0900
Subject: Re: [syzbot] [kernel?] KCSAN: data-race in __fput / __tty_hangup (4)
To: Dmitry Vyukov, syzbot, Greg Kroah-Hartman, Jiri Slaby
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
References: <00000000000013aaac05f9d44e7a@google.com>
From: Tetsuo Handa

On 2023/04/21 17:21, Dmitry Vyukov wrote:
> If I am reading this correctly, this race can lead to NULL derefs
> among other things.
> hung_up_tty_fops does not have splice_read, while other fops have.
>
> So the following code in splice can execute NULL callback:
>
>         if (unlikely(!in->f_op->splice_read))
>                 return warn_unsupported(in, "read");
>         return in->f_op->splice_read(in, ppos, pipe, len, flags);
>

__fput(file) is called when the last reference to file is released.

Since __tty_hangup() traverses tty->tty_files under tty->files_lock,
tty_add_file() needs to hold a ref before adding to tty->tty_files
in order to defer concurrent __fput() by other threads?

diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c index 36fb945fdad4..2838703d48cf 100644 --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c @@ -197,7 +197,7 @@ void tty_add_file(struct tty_struct *tty, struct file *file) struct tty_file_private *priv = file->private_data; priv->tty = tty; - priv->file = file; + priv->file = get_file(file); spin_lock(&tty->files_lock); list_add(&priv->list, &tty->tty_files); 
@@ -228,6 +228,7 @@ static void tty_del_file(struct file *file) spin_lock(&tty->files_lock); list_del(&priv->list); spin_unlock(&tty->files_lock); + fput(file); tty_free_file(file); }
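Review bot: the reference taken by get_file(file) in tty_add_file() has no put that can run while the file is still referenced. The only matching fput() in this patch is in tty_del_file(), and if tty_del_file() is reached only from the ->release path, which __fput() invokes after the last reference is gone (as the message above notes), the count can never drop to zero and every tty file would be leaked. Consider taking the reference only for the duration of the tty->tty_files traversal in __tty_hangup(), using a conditional get that fails once the count has already reached zero, instead of holding one for the lifetime of the list entry.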
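Review bot: in tty_del_file() the added fput(file) sits before tty_free_file(file), so the file is still handed to tty_free_file() after this function has dropped its own reference. Move the fput() to be the last statement so nothing touches file once the reference is put, and add a comment pairing it with the get_file() in tty_add_file() so the lifetime rule for entries on tty->tty_files is documented at both ends.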