Re: [PATCH v3] can, slip: Protect tty->disc_data in write_wakeup and close with RCU

From: David Miller
Date: Wed Jan 22 2020 - 14:33:30 EST

Next message: Guenter Roeck: "Re: [PATCH v4 0/6] hwmon: k10temp driver improvements"
Previous message: Matthew Wilcox: "Re: [RFC][PATCH] iov_iter: Add ITER_MAPPING"
In reply to: Richard Palethorpe: "[PATCH v3] can, slip: Protect tty->disc_data in write_wakeup and close with RCU"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Richard Palethorpe <rpalethorpe@xxxxxxxx>
Date: Tue, 21 Jan 2020 14:42:58 +0100

> write_wakeup can happen in parallel with close/hangup where tty->disc_data
> is set to NULL and the netdevice is freed thus also freeing
> disc_data. write_wakeup accesses disc_data so we must prevent close from
> freeing the netdev while write_wakeup has a non-NULL view of
> tty->disc_data.
>
> We also need to make sure that accesses to disc_data are atomic. Which can
> all be done with RCU.
>
> This problem was found by Syzkaller on SLCAN, but the same issue is
> reproducible with the SLIP line discipline using an LTP test based on the
> Syzkaller reproducer.
>
> A fix which didn't use RCU was posted by Hillf Danton.
>
> Fixes: 661f7fda21b1 ("slip: Fix deadlock in write_wakeup")
> Fixes: a8e83b17536a ("slcan: Port write_wakeup deadlock fix from slip")
> Reported-by: syzbot+017e491ae13c0068598a@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Richard Palethorpe <rpalethorpe@xxxxxxxx>

Applied and queued up for -stable, thanks.

Next message: Guenter Roeck: "Re: [PATCH v4 0/6] hwmon: k10temp driver improvements"
Previous message: Matthew Wilcox: "Re: [RFC][PATCH] iov_iter: Add ITER_MAPPING"
In reply to: Richard Palethorpe: "[PATCH v3] can, slip: Protect tty->disc_data in write_wakeup and close with RCU"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]