Re: [PATCH v2] tty: rpmsg: Fix race condition releasing tty port

From: Jiri Slaby
Date: Wed Dec 15 2021 - 01:49:08 EST

Next message: Lee Jones: "Re: [PATCH 2/2] sctp: hold cached endpoints to prevent possible UAF"
Previous message: Peng Fan (OSS): "[PATCH 2/2] arm64: mm: support bootparam max_addr"
In reply to: Arnaud Pouliquen: "[PATCH v2] tty: rpmsg: Fix race condition releasing tty port"
Next in thread: Arnaud POULIQUEN: "Re: [PATCH v2] tty: rpmsg: Fix race condition releasing tty port"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

much better IMO.

On 14. 12. 21, 18:06, Arnaud Pouliquen wrote:

In current implementation the tty_port struct is part of the
rpmsg_tty_port structure.The issue is that the rpmsg_tty_port structure is
freed on rpmsg_tty_remove but also referenced in the tty_struct.
Its release is not predictable due to workqueues.

For instance following ftrace shows that rpmsg_tty_close is called after
rpmsg_tty_release_cport:

...

diff --git a/drivers/tty/rpmsg_tty.c b/drivers/tty/rpmsg_tty.c
index dae2a4e44f38..69272ad92266 100644
--- a/drivers/tty/rpmsg_tty.c
+++ b/drivers/tty/rpmsg_tty.c
@@ -53,9 +53,19 @@ static int rpmsg_tty_install(struct tty_driver *driver, struct tty_struct *tty)
tty->driver_data = cport;
+ tty_port_get(&cport->port);

Can't this fail? Like when racing with removal?

return tty_port_install(&cport->port, driver, tty);
}

...

static struct rpmsg_tty_port *rpmsg_tty_alloc_cport(void)
@@ -139,6 +156,8 @@ static struct rpmsg_tty_port *rpmsg_tty_alloc_cport(void)
static void rpmsg_tty_release_cport(struct rpmsg_tty_port *cport)
{
+ tty_port_destroy(&cport->port);
+

You should not call tty_port_destroy when you use refcounting. The port is already destroyed when ->destruct() is called. (It has currently no bad effect calling it twice on a port though.)

@@ -146,7 +165,17 @@ static void rpmsg_tty_release_cport(struct rpmsg_tty_port *cport)
kfree(cport);
}
-static const struct tty_port_operations rpmsg_tty_port_ops = { };
+static void rpmsg_tty_destruct_port(struct tty_port *port)
+{
+ struct rpmsg_tty_port *cport = container_of(port, struct rpmsg_tty_port, port);
+
+ rpmsg_tty_release_cport(cport);
+}
+
+static const struct tty_port_operations rpmsg_tty_port_ops = {
+ .destruct = rpmsg_tty_destruct_port,
+};
+
static int rpmsg_tty_probe(struct rpmsg_device *rpdev)
{
@@ -179,7 +208,6 @@ static int rpmsg_tty_probe(struct rpmsg_device *rpdev)
return 0;
err_destroy:
- tty_port_destroy(&cport->port);
rpmsg_tty_release_cport(cport);

Couldn't you just put the port here? And inline rpmsg_tty_release_cport into the new rpmsg_tty_destruct_port?

thanks,
--
js
suse labs

Next message: Lee Jones: "Re: [PATCH 2/2] sctp: hold cached endpoints to prevent possible UAF"
Previous message: Peng Fan (OSS): "[PATCH 2/2] arm64: mm: support bootparam max_addr"
In reply to: Arnaud Pouliquen: "[PATCH v2] tty: rpmsg: Fix race condition releasing tty port"
Next in thread: Arnaud POULIQUEN: "Re: [PATCH v2] tty: rpmsg: Fix race condition releasing tty port"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]