Date: Thu, 04 May 2023 10:28:56 +0200
Message-ID: <875y98mref.wl-tiwai@suse.de>
From: Takashi Iwai
To: mchehab@kernel.org
Cc: Yu Hao, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: BUG: WARNING in dvb_frontend_get_event
In-Reply-To: <87bkj9u57j.wl-tiwai@suse.de>
References: <87bkj9u57j.wl-tiwai@suse.de>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 27 Apr 2023 09:58:24 +0200,
Takashi Iwai wrote:
>
> On Tue, 18 Apr 2023 06:50:07 +0200,
> Yu Hao wrote:
> >
> > Hello,
> >
> > We found the following issue using syzkaller on Linux v6.2.0.
> >
> > In the function `dvb_frontend_get_event`, function
> > `wait_event_interruptible` is called
> > and the condition is `dvb_frontend_test_event(fepriv, events)`.
> > In the function `dvb_frontend_test_event`, function
> > `down(&fepriv->sem);` is called.
> > However, function `wait_event_interruptible` would put the process to sleep.
> > And function `down(&fepriv->sem);` may block the process.
> > So there is the issue with "do not call blocking ops when !TASK_RUNNING".
> >
> > The full report including the Syzkaller reproducer & C reproducer:
> > https://gist.github.com/ZHYfeng/4c5f8be6adc63b73dba68230d15ece2c
>
> FYI, CVE-2023-31084 was assigned to this bug, and I was involved now
> through distro's bug report.
>
> So, the use of semaphore together with wait_event*() macro doesn't
> look like a good idea. A possible easy workaround would be to
> open-code the wait loop like below.
>
> Mauro, let me know if it's an acceptable workaround. Then I'll submit
> a proper patch.
A gentle ping. Can anyone please check whether the suggested change is OK or not? thanks, Takashi > > > thanks, > > Takashi > > -- 8< -- > --- a/drivers/media/dvb-core/dvb_frontend.c > +++ b/drivers/media/dvb-core/dvb_frontend.c > @@ -293,14 +293,22 @@ static int dvb_frontend_get_event(struct dvb_frontend *fe, > } > > if (events->eventw == events->eventr) { > - int ret; > + struct wait_queue_entry wait; > + int ret = 0; > > if (flags & O_NONBLOCK) > return -EWOULDBLOCK; > > - ret = wait_event_interruptible(events->wait_queue, > - dvb_frontend_test_event(fepriv, events)); > - > + init_waitqueue_entry(&wait, current); > + add_wait_queue(&events->wait_queue, &wait); > + while (!dvb_frontend_test_event(fepriv, events)) { > + wait_woken(&wait, TASK_INTERRUPTIBLE, 0); > + if (signal_pending(current)) { > + ret = -ERESTARTSYS; > + break; > + } > + } > + remove_wait_queue(&events->wait_queue, &wait); > if (ret < 0) > return ret; > }
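Review bot: the open-coded loop in the dvb_frontend_get_event hunk pairs `wait_woken(&wait, TASK_INTERRUPTIBLE, 0)` with an entry set up by `init_waitqueue_entry(&wait, current)`, which installs default_wake_function; wait_woken() is designed for entries using woken_wake_function, whose WQ_FLAG_WOKEN handshake is what closes the window between the `!dvb_frontend_test_event(fepriv, events)` check and the task going to sleep, so with default_wake_function a wakeup arriving in that window is not recorded. The 0 timeout also goes straight to schedule_timeout(), and 0 is not MAX_SCHEDULE_TIMEOUT, so each pass sleeps at most until the next tick and the loop effectively polls (which is probably why the missing flag is not noticed in testing). Suggest `DEFINE_WAIT_FUNC(wait, woken_wake_function);` for the entry and `wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);` in the loop, or a conventional prepare_to_wait()/schedule()/finish_wait() loop, either of which keeps the fix's point that dvb_frontend_test_event() and its down(&fepriv->sem) run only while the task is TASK_RUNNING. The `if (signal_pending(current))` check and the `remove_wait_queue()` on every exit path look right.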