| From foo@baz Thu Mar 22 14:57:33 CET 2018 |
| From: Sahara <keun-o.park@darkmatter.ae> |
| Date: Wed, 13 Dec 2017 09:10:48 +0400 |
| Subject: pty: cancel pty slave port buf's work in tty_release |
| |
| From: Sahara <keun-o.park@darkmatter.ae> |
| |
| |
| [ Upstream commit 2b022ab7542df60021ab57854b3faaaf42552eaf ] |
| |
| In case that CONFIG_SLUB_DEBUG is on and pty is used, races between |
| release_one_tty and flush_to_ldisc work threads may happen and lead |
| to use-after-free condition on tty->link->port. Because SLUB_DEBUG |
| is turned on, freed tty->link->port is filled with POISON_FREE value. |
| So far without SLUB_DEBUG, port was filled with zero and flush_to_ldisc |
| could return without a problem by checking if tty is NULL. |
| |
| CPU 0 CPU 1 |
| ----- ----- |
| release_tty pty_write |
| cancel_work_sync(tty) to = tty->link |
| tty_kref_put(tty->link) tty_schedule_flip(to->port) |
| << workqueue >> ... |
| release_one_tty ... |
| pty_cleanup ... |
| kfree(tty->link->port) << workqueue >> |
| flush_to_ldisc |
| tty = READ_ONCE(port->itty) |
| tty is 0x6b6b6b6b6b6b6b6b |
| !!PANIC!! access tty->ldisc |
| |
| Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b93 |
| pgd = ffffffc0eb1c3000 |
| [6b6b6b6b6b6b6b93] *pgd=0000000000000000, *pud=0000000000000000 |
| ------------[ cut here ]------------ |
| Kernel BUG at ffffff800851154c [verbose debug info unavailable] |
| Internal error: Oops - BUG: 96000004 [#1] PREEMPT SMP |
| CPU: 3 PID: 265 Comm: kworker/u8:9 Tainted: G W 3.18.31-g0a58eeb #1 |
| Hardware name: Qualcomm Technologies, Inc. MSM 8996pro v1.1 + PMI8996 Carbide (DT) |
| Workqueue: events_unbound flush_to_ldisc |
| task: ffffffc0ed610ec0 ti: ffffffc0ed624000 task.ti: ffffffc0ed624000 |
| PC is at ldsem_down_read_trylock+0x0/0x4c |
| LR is at tty_ldisc_ref+0x24/0x4c |
| pc : [<ffffff800851154c>] lr : [<ffffff800850f6c0>] pstate: 80400145 |
| sp : ffffffc0ed627cd0 |
| x29: ffffffc0ed627cd0 x28: 0000000000000000 |
| x27: ffffff8009e05000 x26: ffffffc0d382cfa0 |
| x25: 0000000000000000 x24: ffffff800a012f08 |
| x23: 0000000000000000 x22: ffffffc0703fbc88 |
| x21: 6b6b6b6b6b6b6b6b x20: 6b6b6b6b6b6b6b93 |
| x19: 0000000000000000 x18: 0000000000000001 |
| x17: 00e80000f80d6f53 x16: 0000000000000001 |
| x15: 0000007f7d826fff x14: 00000000000000a0 |
| x13: 0000000000000000 x12: 0000000000000109 |
| x11: 0000000000000000 x10: 0000000000000000 |
| x9 : ffffffc0ed624000 x8 : ffffffc0ed611580 |
| x7 : 0000000000000000 x6 : ffffff800a42e000 |
| x5 : 00000000000003fc x4 : 0000000003bd1201 |
| x3 : 0000000000000001 x2 : 0000000000000001 |
| x1 : ffffff800851004c x0 : 6b6b6b6b6b6b6b93 |
| |
| Signed-off-by: Sahara <keun-o.park@darkmatter.ae> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/tty/tty_io.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| --- a/drivers/tty/tty_io.c |
| +++ b/drivers/tty/tty_io.c |
| @@ -1694,6 +1694,8 @@ static void release_tty(struct tty_struc |
| if (tty->link) |
| tty->link->port->itty = NULL; |
| tty_buffer_cancel_work(tty->port); |
| + if (tty->link) |
| + tty_buffer_cancel_work(tty->link->port); |
| |
| tty_kref_put(tty->link); |
| tty_kref_put(tty); |