Received: by 2002:a05:7412:b795:b0:e2:908c:2ebd with SMTP id iv21csp566061rdb; Thu, 2 Nov 2023 11:17:45 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGZQRXB+Kh2YP0GnUJCevYLwareZP2m++J7G84iVzvcft/XE6WqwU5Y7OJ9a4I9cu2nOjBk X-Received: by 2002:a05:6e02:20c6:b0:359:53d5:3b3d with SMTP id 6-20020a056e0220c600b0035953d53b3dmr2791157ilq.21.1698949065287; Thu, 02 Nov 2023 11:17:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698949065; cv=none; d=google.com; s=arc-20160816; b=CxmRUlBmLFOhMWA69m8sKFQBwNIauvOXvMvh+AT68jtYHb1zJczU7rOSa9pJXVXxcx ZeD9rnyYfWdLyol5v6n4OC/4wfq73hXu6PG7ik2otDouRs3qJSZO985oOEmFP5IEW2Y6 eWli3kfuBw77VAtsQOmufxrUFGbD9VjEHV8LG0oUGm38en7lWdEu8zwE+X9ygN+52NYy GCgMkt7WxSFR9XVc+Ta0RSrpfSk0WGkC9bZ0H5/Ffdl/cYSrgfWqZUCN53qXMXyS6pC9 8ffvi4EIWE9RrYPnaX/83oI0DAriOPHOpf0WAnGULplkLkHhhamw68NrSJWgJttPELYS mZJQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:feedback-id :dkim-signature:dkim-signature; bh=ccRdkv2KouFQrXacW6T4fBEpKBx+OWWMqYeM7hOtQhw=; fh=kPEQ+Ld/ZOx3pH1Die3rS7uVQpU7NfxY+v0rV/EOZC4=; b=ERoSZWHS2Eo4TWHjziql/6gkdHZ1wiEy01CCeEC4eyprcmLiAXc0cuGoVbIMBfXXhX KaJalVhPWNlWv0+SQpEtKNb43UFbi4+Ml7VzL4RJDYFMJCtI0PVT6kl1G5GwPCOGcoUG O43WbiF9DVYGIEt1hHFm2Vrj3i0rvHoiwVFqAE/P1+bsePjmKz/L1+ecK1Wwn7/uTDdw zVHKmwVpFpYlWgYmg5fO0o5Rrd4X+Ki+YuV8cvsyZYUXWifN7pF68x0/+GSWMJa0spoS bgttfWsWOxtoOPgATRizPW0q5Radwfs+pOKguJ0oV7Mz8AwgTxHa5nh0fZbvP4Fr/hh2 zFOQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@jcline.org header.s=fm3 header.b=mKvxFm0D; dkim=pass header.i=@messagingengine.com header.s=fm3 header.b=X2ci7TaD; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lipwig.vger.email (lipwig.vger.email. [23.128.96.33]) by mx.google.com with ESMTPS id t71-20020a63814a000000b0056513361b4fsi71727pgd.741.2023.11.02.11.17.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Nov 2023 11:17:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) client-ip=23.128.96.33; Authentication-Results: mx.google.com; dkim=pass header.i=@jcline.org header.s=fm3 header.b=mKvxFm0D; dkim=pass header.i=@messagingengine.com header.s=fm3 header.b=X2ci7TaD; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id 43BBB8226F4C; Thu, 2 Nov 2023 11:17:40 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1377185AbjKBSR0 (ORCPT + 99 others); Thu, 2 Nov 2023 14:17:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34952 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235364AbjKBSRW (ORCPT ); Thu, 2 Nov 2023 14:17:22 -0400 Received: from wout4-smtp.messagingengine.com (wout4-smtp.messagingengine.com [64.147.123.20]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7A6D919D; Thu, 2 Nov 2023 11:17:01 -0700 (PDT) Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 1BEC5320093C; Thu, 2 Nov 2023 14:16:57 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute1.internal (MEProxy); Thu, 02 Nov 2023 14:16:57 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jcline.org; h=cc :cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:sender :subject:subject:to:to; s=fm3; t=1698949016; x=1699035416; bh=cc Rdkv2KouFQrXacW6T4fBEpKBx+OWWMqYeM7hOtQhw=; b=mKvxFm0DCr9N84kDn+ EZWTm5c4Z4j2jEi30p/sjG6MCl2TdBNKldA7SvxfsvDW4Lg/STFFxTcn5T7YormW fIQZyiPv0CRhBQ0k4MqZC0CpWl+M2mGzAthc+phgggSLGRWX6pB8JYEGMhqAPBwm V86BWApKHKcS4y6L7cNKdrDB9YD8snnt83csswhdicOq1R41V4YSFyOSHANLQ8zd jN+hHJKQI//CFD23Jq8w2MCMOnNafXRU6LyoLlYnrXM4l2E9ZSn6kdT1rA/J0slo uINX5UPMSyse2Iu6AUJSng3frDaNoCP7dG3fIY9/c3pQCLUQxhbNHOBsqZN5VvQG Qy0g== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; t=1698949016; x=1699035416; bh=ccRdkv2KouFQr XacW6T4fBEpKBx+OWWMqYeM7hOtQhw=; b=X2ci7TaDRAwKRs2TPjmHaENk9MuIB 5ELb9NI75Pq0qo5PwFW3pGswaY/Ht1RxZRx8cGw1R19bFsXWPZZcbArDpb42OMPr fh1eIE85LNlOix8CAG20bs9ibFHr6YPEhlcZgNzs3rGNA7wphh1oEvoQbmuEFyOe 7Ssrx3RiJqQ1YpnrJOga8lTE5q66ClXV4XC3/jaYfl4XnLCrPasK+KAA9UpQoWDq nM9Ym1u5chUDrJbqRlDHUGsLuIyPZ3sSxdW8h/iBL9HT/yzRYFr+YUcf5GvdtDx6 J9pp5H1DItU5tRcH5+V/ja0Bg4BzORKBwXJhlq7dxc+VwGWk8i2Trj7CA== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedruddtiedgudduudcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpeffhffvvefukfhfgggtuggjsehttdertddttddvnecuhfhrohhmpeflvghr vghmhicuvehlihhnvgcuoehjvghrvghmhiesjhgtlhhinhgvrdhorhhgqeenucggtffrrg htthgvrhhnpeeigeejfeefueejheeujeduleegueehtdeltedvieevgeefffeljeelvdej hfehheenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpe hjvghrvghmhiesjhgtlhhinhgvrdhorhhg X-ME-Proxy: Feedback-ID: i7a7146c5:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 2 Nov 2023 14:16:55 -0400 (EDT) Date: Thu, 2 Nov 2023 14:16:54 -0400 From: Jeremy Cline To: Edward Adam Davis Cc: habetsm.xilinx@gmail.com, davem@davemloft.net, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, reibax@gmail.com, richardcochran@gmail.com, syzbot+df3f3ef31f60781fa911@syzkaller.appspotmail.com, syzkaller-bugs@googlegroups.com Subject: Re: [PATCH net-next V2] ptp: fix corrupted list in ptp_open Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Thu, 02 Nov 2023 11:17:40 -0700 (PDT) Hi Edward, On Tue, Oct 31, 2023 at 06:25:42PM +0800, Edward Adam Davis wrote: > There is no lock protection when writing ptp->tsevqs in ptp_open(), > ptp_release(), which can cause data corruption, use mutex lock to avoid this > issue. > > Moreover, ptp_release() should not be used to release the queue in ptp_read(), > and it should be deleted together. > > Reported-and-tested-by: syzbot+df3f3ef31f60781fa911@syzkaller.appspotmail.com > Fixes: 8f5de6fb2453 ("ptp: support multiple timestamp event readers") > Signed-off-by: Edward Adam Davis > --- > drivers/ptp/ptp_chardev.c | 11 +++++++++-- > drivers/ptp/ptp_clock.c | 3 +++ > drivers/ptp/ptp_private.h | 1 + > 3 files changed, 13 insertions(+), 2 deletions(-) > > diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c > index 282cd7d24077..e31551d2697d 100644 > --- a/drivers/ptp/ptp_chardev.c > +++ b/drivers/ptp/ptp_chardev.c > @@ -109,6 +109,9 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode) > struct timestamp_event_queue *queue; > char debugfsname[32]; > > + if (mutex_lock_interruptible(&ptp->tsevq_mux)) > + return -ERESTARTSYS; > + > queue = kzalloc(sizeof(*queue), GFP_KERNEL); > if (!queue) > return -EINVAL; > @@ -132,15 +135,20 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode) > debugfs_create_u32_array("mask", 0444, queue->debugfs_instance, > &queue->dfs_bitmap); > > + mutex_unlock(&ptp->tsevq_mux); The lock doesn't need to be held so long here. Doing so causes a bit of an issue, actually, because the memory allocation for the queue can fail which will cause the function to return early without releasing the mutex. The lock only needs to be held for the list_add_tail() call. > return 0; > } > > int ptp_release(struct posix_clock_context *pccontext) > { > struct timestamp_event_queue *queue = pccontext->private_clkdata; > + struct ptp_clock *ptp = > + container_of(pccontext->clk, struct ptp_clock, clock); > unsigned long flags; > > if (queue) { > + if (mutex_lock_interruptible(&ptp->tsevq_mux)) > + return -ERESTARTSYS; > debugfs_remove(queue->debugfs_instance); > pccontext->private_clkdata = NULL; > spin_lock_irqsave(&queue->lock, flags); > @@ -148,6 +156,7 @@ int ptp_release(struct posix_clock_context *pccontext) > spin_unlock_irqrestore(&queue->lock, flags); > bitmap_free(queue->mask); > kfree(queue); > + mutex_unlock(&ptp->tsevq_mux); Similar to the above note, you don't want to hold the lock any longer than you must. While this patch looks to cover adding and removing items from the list, the code that iterates over the list isn't covered which can be problematic. If the list is modified while it is being iterated, the iterating code could chase an invalid pointer. Regards, Jeremy