Date: Thu, 27 Apr 2023 09:58:24 +0200
Message-ID: <87bkj9u57j.wl-tiwai@suse.de>
From: Takashi Iwai
To: Yu Hao
Cc: mchehab@kernel.org, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: BUG: WARNING in dvb_frontend_get_event
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 18 Apr 2023 06:50:07 +0200,
Yu Hao wrote:
>
> Hello,
>
> We found the following issue using syzkaller on Linux v6.2.0.
>
> In the function `dvb_frontend_get_event`, function
> `wait_event_interruptible` is called
> and the condition is `dvb_frontend_test_event(fepriv, events)`.
> In the function `dvb_frontend_test_event`, function
> `down(&fepriv->sem);` is called.
> However, function `wait_event_interruptible` would put the process to sleep.
> And function `down(&fepriv->sem);` may block the process.
> So there is the issue with "do not call blocking ops when !TASK_RUNNING".
>
> The full report including the Syzkaller reproducer & C reproducer:
> https://gist.github.com/ZHYfeng/4c5f8be6adc63b73dba68230d15ece2c

FYI, CVE-2023-31084 was assigned to this bug, and I was involved now
through a distro's bug report.

So, the use of a semaphore together with the wait_event*() macro doesn't
look like a good idea. A possible easy workaround would be to open-code
the wait loop like below.

Mauro, let me know if it's an acceptable workaround. Then I'll submit
a proper patch.


thanks,

Takashi

-- 8< --
--- a/drivers/media/dvb-core/dvb_frontend.c
+++ b/drivers/media/dvb-core/dvb_frontend.c
@@ -293,14 +293,22 @@ static int dvb_frontend_get_event(struct dvb_frontend *fe, } if (events->eventw == events->eventr) { - int ret; + struct wait_queue_entry wait; + int ret = 0; if (flags & O_NONBLOCK) return -EWOULDBLOCK; - ret = wait_event_interruptible(events->wait_queue, - dvb_frontend_test_event(fepriv, events)); - + init_waitqueue_entry(&wait, current); + add_wait_queue(&events->wait_queue, &wait); + while (!dvb_frontend_test_event(fepriv, events)) { + wait_woken(&wait, TASK_INTERRUPTIBLE, 0); + if (signal_pending(current)) { + ret = -ERESTARTSYS; + break; + } + } + remove_wait_queue(&events->wait_queue, &wait); if (ret < 0) return ret; }
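Review bot: the `wait_woken(&wait, TASK_INTERRUPTIBLE, 0)` call in the new loop passes a zero timeout, so each iteration sleeps at most until the next tick and the `while (!dvb_frontend_test_event(fepriv, events))` loop degrades into a per-jiffy poll of the semaphore rather than an indefinite sleep until a wakeup; `MAX_SCHEDULE_TIMEOUT` is the value for "wait until woken". On the same lines, `init_waitqueue_entry(&wait, current)` installs `default_wake_function`, which never sets `WQ_FLAG_WOKEN`, so `wait_woken()` cannot use that flag to close the window between the condition check and `set_current_state()`; the race-free pairing is `DEFINE_WAIT_FUNC(wait, woken_wake_function)` together with `wait_woken()`, which is presumably why the zero timeout was chosen as a bound on a missed wakeup. The rest of the hunk is sound: the blocking `down()` inside `dvb_frontend_test_event()` now runs with the task in TASK_RUNNING (which is the warning being fixed), `ret` is initialised to 0 so the existing `if (ret < 0)` path fires only when `signal_pending(current)` sets `-ERESTARTSYS`, and `remove_wait_queue()` is reached on both the normal and the signal exit of the loop.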