Date: Mon, 24 Apr 2023 00:34:33 +0100
From: Al Viro
To: Tetsuo Handa
Cc: Dmitry Vyukov, syzbot, Greg Kroah-Hartman, Jiri Slaby, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [kernel?] KCSAN: data-race in __fput / __tty_hangup (4)
Message-ID: <20230423233433.GF3390869@ZenIV>
References: <00000000000013aaac05f9d44e7a@google.com> <6ff6fdea-c955-f9dd-289e-b0d613a28280@I-love.SAKURA.ne.jp>
In-Reply-To: <6ff6fdea-c955-f9dd-289e-b0d613a28280@I-love.SAKURA.ne.jp>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Apr 22, 2023 at 12:12:02AM +0900, Tetsuo Handa wrote:
> On 2023/04/21 17:21, Dmitry Vyukov wrote:
> > If I am reading this correctly, this race can lead to NULL derefs
> > among other things.
> > hung_up_tty_fops does not have splice_read, while other fops have.
> >
> > So the following code in splice can execute NULL callback:
> >
> >         if (unlikely(!in->f_op->splice_read))
> >                 return warn_unsupported(in, "read");
> >         return in->f_op->splice_read(in, ppos, pipe, len, flags);
> >
>
> __fput(file) is called when the last reference to file is released.
> Since __tty_hangup() traverses tty->tty_files under tty->files_lock,
> tty_add_file() needs to hold a ref before adding to tty->tty_files
> in order to defer concurrent __fput() by other threads?
>
> diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
> index 36fb945fdad4..2838703d48cf 100644
> --- a/drivers/tty/tty_io.c
> +++ b/drivers/tty/tty_io.c
> @@ -197,7 +197,7 @@ void tty_add_file(struct tty_struct *tty, struct file *file)
>  	struct tty_file_private *priv = file->private_data;
>  
>  	priv->tty = tty;
> -	priv->file = file;
> +	priv->file = get_file(file);

This is broken.  Simple open() + close() on a tty will leak the damn thing -
that extra reference will stick around, possibly all the way until reboot.

As for the original report - add a (failing) ->splice_read() in hung_up_tty_fops
to deal with the original problem.
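Review bot: the get_file(file) added at `+ priv->file = get_file(file);` has no matching fput() anywhere in the hunk, so the reference taken on every tty open is never dropped: open() followed by close() leaves the file's count at one, and __fput(), the very function the race report is about, can no longer run for that file. If the intent is to keep the struct file alive while __tty_hangup() walks tty->tty_files under tty->files_lock, the extra reference needs a release on whatever path removes priv from tty->tty_files, and since priv is file->private_data, a file holding a reference to itself is a cycle that only such an explicit drop can break. The original report is about hung_up_tty_fops lacking ->splice_read, which a refcount change does not address at all; populating that slot with a method that fails would.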
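The race Dmitry quotes and the fix Al proposes, as an added user-space model in C (not kernel code and not from this thread): f_op is dereferenced once for the check and again for the call, so a concurrent swap to an ops table whose splice_read slot is NULL lands a NULL function-pointer call, while swapping to a table that carries a failing stub makes the same window harmless. The names file, file_ops, normal_ops, hung_up_ops_broken, hung_up_ops_fixed, do_splice_read and hangup are stand-ins for the kernel's struct file, file_operations, hung_up_tty_fops and the splice path; the racer hook substitutes a deterministic call for the other CPU's __tty_hangup(); and the -EFAULT return stands in for the crash, which the real code would not survive. The payload string is constructed sample input.

```c
/*
 * Added example, user-space model only: check-then-call on a swappable
 * ops table, and why a non-NULL failing slot closes the hole.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

struct file;
typedef ssize_t (*splice_read_fn)(struct file *f, char *buf, size_t len);

struct file_ops {
    const char *name;
    splice_read_fn splice_read;   /* NULL means "not supported" */
};

struct file {
    const struct file_ops *f_op;  /* swapped by hangup, like file->f_op for a tty */
    const char *payload;          /* constructed data the live tty hands out */
};

/* A live tty: splice_read copies some data out. */
static ssize_t normal_splice_read(struct file *f, char *buf, size_t len)
{
    size_t n = strlen(f->payload);
    if (n > len)
        n = len;
    memcpy(buf, f->payload, n);
    return (ssize_t)n;
}

/* Stand-in for the failing ->splice_read Al suggests adding. */
static ssize_t hung_up_splice_read(struct file *f, char *buf, size_t len)
{
    (void)f; (void)buf; (void)len;
    return -EIO;
}

static const struct file_ops normal_ops = { "normal", normal_splice_read };
/* As on the page: the hung-up ops table has no splice_read. */
static const struct file_ops hung_up_ops_broken = { "hung_up(broken)", NULL };
/* As proposed: the slot is populated with a method that only fails. */
static const struct file_ops hung_up_ops_fixed = { "hung_up(fixed)", hung_up_splice_read };

/* Simulates __tty_hangup() swapping f_op underneath a concurrent reader. */
static void hangup(struct file *f, const struct file_ops *new_ops)
{
    f->f_op = new_ops;
}

/*
 * Mirrors the splice code quoted in the thread: f_op is dereferenced twice,
 * once for the check and once for the call.  'racer' (may be NULL) runs
 * between the two and plays the other CPU doing the hangup.  Returns -ENOSYS
 * where the kernel would warn_unsupported(), and -EFAULT where the kernel
 * would have jumped through a NULL callback (modelled, not executed).
 */
static ssize_t do_splice_read(struct file *f, char *buf, size_t len,
                              void (*racer)(struct file *))
{
    if (!f->f_op->splice_read)
        return -ENOSYS;                        /* warn_unsupported(in, "read") */

    if (racer)
        racer(f);                              /* the window the race lands in */

    splice_read_fn fn = f->f_op->splice_read;  /* second dereference, as in the kernel */
    if (!fn)
        return -EFAULT;                        /* real code: call through NULL */
    return fn(f, buf, len);
}

static void hangup_to_broken(struct file *f) { hangup(f, &hung_up_ops_broken); }
static void hangup_to_fixed(struct file *f)  { hangup(f, &hung_up_ops_fixed); }

/* Outcome of one splice that races against a hangup performed by 'racer'. */
static ssize_t splice_racing_hangup(void (*racer)(struct file *))
{
    struct file f = { &normal_ops, "hello from the tty" };  /* constructed input */
    char buf[32];
    return do_splice_read(&f, buf, sizeof buf, racer);
}

int main(void)
{
    printf("no race:      %zd (bytes spliced)\n", splice_racing_hangup(NULL));
    printf("race, broken: %zd (NULL callback, -EFAULT here)\n", splice_racing_hangup(hangup_to_broken));
    printf("race, fixed:  %zd (-EIO from the stub)\n", splice_racing_hangup(hangup_to_fixed));
    return 0;
}
```

The first call returns the payload length, the second returns -EFAULT because the pointer read after the swap is NULL, and the third returns -EIO: the window between check and call is identical in both racing runs, but with every slot populated nothing in it can be dereferenced as NULL. That is why filling the slot fixes every caller that follows the check-then-call pattern, whereas the refcount change in the patch does not touch the pattern at all. A second mitigation, not discussed in the thread, is for each caller to read f_op into a local once and use only that copy; it narrows the window for one caller but still relies on the table it snapshots being complete.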