linux/drivers
Sergei Trofimovich 46ca3f735f tty/vt: fix write/write race in ioctl(KDSKBSENT) handler
The bug manifests as an attempt to access deallocated memory:

    BUG: unable to handle kernel paging request at ffff9c8735448000
    #PF error: [PROT] [WRITE]
    PGD 288a05067 P4D 288a05067 PUD 288a07067 PMD 7f60c2063 PTE 80000007f5448161
    Oops: 0003 [#1] PREEMPT SMP
    CPU: 6 PID: 388 Comm: loadkeys Tainted: G         C        5.0.0-rc6-00153-g5ded5871030e #91
    Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M-D3H, BIOS F12 11/14/2013
    RIP: 0010:__memmove+0x81/0x1a0
    Code: 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9 a2 00 00 00 66 90 48 89 d1 4c 8b 5c 16 f8 4c 8d 54 17 f8 48 c1 e9 03 <f3> 48 a5 4d 89 1a e9 0c 01 00 00 0f 1f 40 00 48 89 d1 4c 8b 1e 49
    RSP: 0018:ffffa1b9002d7d08 EFLAGS: 00010203
    RAX: ffff9c873541af43 RBX: ffff9c873541af43 RCX: 00000c6f105cd6bf
    RDX: 0000637882e986b6 RSI: ffff9c8735447ffb RDI: ffff9c8735447ffb
    RBP: ffff9c8739cd3800 R08: ffff9c873b802f00 R09: 00000000fffff73b
    R10: ffffffffb82b35f1 R11: 00505b1b004d5b1b R12: 0000000000000000
    R13: ffff9c873541af3d R14: 000000000000000b R15: 000000000000000c
    FS:  00007f450c390580(0000) GS:ffff9c873f180000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: ffff9c8735448000 CR3: 00000007e213c002 CR4: 00000000000606e0
    Call Trace:
     vt_do_kdgkb_ioctl+0x34d/0x440
     vt_ioctl+0xba3/0x1190
     ? __bpf_prog_run32+0x39/0x60
     ? mem_cgroup_commit_charge+0x7b/0x4e0
     tty_ioctl+0x23f/0x920
     ? preempt_count_sub+0x98/0xe0
     ? __seccomp_filter+0x67/0x600
     do_vfs_ioctl+0xa2/0x6a0
     ? syscall_trace_enter+0x192/0x2d0
     ksys_ioctl+0x3a/0x70
     __x64_sys_ioctl+0x16/0x20
     do_syscall_64+0x54/0xe0
     entry_SYSCALL_64_after_hwframe+0x49/0xbe

The bug manifests on systemd systems with multiple vtcon devices:

    # cat /sys/devices/virtual/vtconsole/vtcon0/name
    (S) dummy device
    # cat /sys/devices/virtual/vtconsole/vtcon1/name
    (M) frame buffer device

There systemd runs the 'loadkeys' tool in parallel for each vtcon
instance. This causes two parallel ioctl(KDSKBSENT) calls to
race into adding the same entry into the 'func_table' array at:

    drivers/tty/vt/keyboard.c:vt_do_kdgkb_ioctl()

The function has no locking around writes to 'func_table'.

The simplest reproducer is to have an initramfs with the following
init on an 8-CPU x86_64 machine:

    #!/bin/sh

    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &

    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    wait

The change adds a lock on the write path only. Reads are still racy.

CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
CC: Jiri Slaby <jslaby@suse.com>
Link: https://lkml.org/lkml/2019/2/17/256
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-03-28 01:28:23 +09:00
accessibility
acpi device-dax for 5.1 2019-03-16 13:05:32 -07:00
amba ARM: 8836/1: drivers: amba: Update component matching to use the CoreSight UCI values. 2019-02-26 11:23:49 +00:00
android
ata SCSI misc on 20190306 2019-03-09 16:53:47 -08:00
atm
auxdisplay
base device-dax for 5.1 2019-03-16 13:05:32 -07:00
bcma
block for-5.1/block-post-20190315 2019-03-16 12:36:39 -07:00
bluetooth Bluetooth: mediatek: add support for MediaTek MT7663U and MT7668U UART devices 2019-03-02 19:51:23 +01:00
bus ARM: SoC driver updates for 5.1 2019-03-06 09:41:12 -08:00
cdrom
char Merge branch 'next-tpm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2019-03-10 17:37:29 -07:00
clk We have a fairly balanced mix of clk driver updates and clk framework 2019-03-14 08:46:17 -07:00
clocksource ARM: some cleanups, direct physical timer assignment, cache sanitization 2019-03-15 15:00:28 -07:00
connector connector: fix unsafe usage of ->real_parent 2019-03-08 15:06:38 -08:00
cpufreq cpufreq: intel_pstate: Fix up iowait_boost computation 2019-03-12 09:47:30 +01:00
cpuidle cpuidle: governor: Add new governors to cpuidle_governors again 2019-03-12 23:46:55 +01:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2019-03-13 09:51:17 -07:00
dax device-dax for 5.1 2019-03-16 13:05:32 -07:00
dca
devfreq
dio
dma dmaengine updates for v5.1-rc1 2019-03-14 09:11:54 -07:00
dma-buf
edac Merge branch 'ras-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-03-08 09:11:39 -08:00
eisa
extcon
firewire
firmware memblock: drop memblock_alloc_*_nopanic() variants 2019-03-12 10:04:02 -07:00
fmc
fpga
fsi
gnss
gpio pci-v5.1-changes 2019-03-09 14:57:08 -08:00
gpu drm i915, amdgpu, qxl and etnaviv fixes 2019-03-15 13:58:35 -07:00
hid Merge branch 'for-5.1/wacom' into for-linus 2019-03-05 15:43:05 +01:00
hsi
hv Char/Misc driver patches for 5.1-rc1 2019-03-06 14:18:59 -08:00
hwmon hwmon: (ad7418) Add device tree probing 2019-02-25 09:06:00 -08:00
hwspinlock
hwtracing ARM updates for 5.1-rc1 2019-03-15 14:37:46 -07:00
i2c i2c: i2c-designware-platdrv: Always use a dynamic adapter number 2019-03-13 18:07:10 +01:00
i3c - Add a /* fall-through */ comment in the dw-i3c-master driver 2019-03-04 19:05:02 -08:00
ide Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide 2019-03-11 09:34:00 -07:00
idle
iio - New Drivers 2019-03-08 10:02:58 -08:00
infiniband XArray updates for 5.1-rc1 2019-03-11 20:06:18 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2019-03-11 10:57:11 -07:00
interconnect
iommu IOMMU Fix for Linux v5.1-rc1 2019-03-15 14:41:30 -07:00
ipack
irqchip arm64 updates for 5.1: 2019-03-10 10:17:23 -07:00
isdn isdn: hfcpci: fix potential NULL pointer dereference 2019-03-12 14:36:02 -07:00
leds platform-drivers-x86 for v5.1-1 2019-03-10 13:16:37 -07:00
lightnvm pblk: fix max_io calculation 2019-03-07 08:59:26 -07:00
macintosh treewide: add checks for the return value of memblock_alloc*() 2019-03-12 10:04:02 -07:00
mailbox mailbox: imx: keep MU irq working during suspend/resume 2019-03-11 02:51:43 -05:00
mcb
md for-5.1/block-post-20190315 2019-03-16 12:36:39 -07:00
media DMA mapping updates for 5.1 2019-03-10 11:54:48 -07:00
memory
memstick
message
mfd DMA mapping updates for 5.1 2019-03-10 11:54:48 -07:00
misc 5.1 Merge Window Pull Request 2019-03-09 15:53:03 -08:00
mmc for-5.1/block-20190302 2019-03-08 14:12:17 -08:00
mtd This pull request contains updates for both UBI and UBIFS: 2019-03-13 09:34:35 -07:00
mux
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-03-14 09:28:12 -07:00
nfc
ntb Fixes for switchtec debugability and mapping table entries, NTB 2019-03-15 14:32:59 -07:00
nubus
nvdimm device-dax for 5.1 2019-03-16 13:05:32 -07:00
nvme for-5.1/block-post-20190315 2019-03-16 12:36:39 -07:00
nvmem Char/Misc driver patches for 5.1-rc1 2019-03-06 14:18:59 -08:00
of of: fix kmemleak crash caused by imbalance in early memory reservation 2019-03-12 10:04:02 -07:00
opp PM / OPP: Update performance state when freq == old_freq 2019-03-12 09:45:56 +01:00
oprofile
parisc DMA mapping updates for 5.1 2019-03-10 11:54:48 -07:00
parport
pci IOMMU Updates for Linux v5.1 2019-03-10 12:29:52 -07:00
pcmcia
perf arm64 updates for 5.1: 2019-03-10 10:17:23 -07:00
phy drm next pull request for 5.1 2019-03-08 08:23:15 -08:00
pinctrl This is the bulk of pin control changes for the v5.1 kernel cycle. 2019-03-11 11:12:50 -07:00
platform chrome platform changes for v5.1 2019-03-12 09:46:32 -07:00
pnp ACPI/ACPICA: Trivial: fix spelling mistakes and fix whitespace formatting 2019-02-24 21:12:01 +01:00
power
powercap
pps
ps3
ptp Merge branch 'timers-2038-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-03-05 14:08:26 -08:00
pwm pwm: atmel: Remove useless symbolic definitions 2019-03-04 12:52:49 +01:00
rapidio rapidio/mport_cdev: mark expected switch fall-through 2019-03-07 18:32:02 -08:00
ras
regulator regulator: mc13xxx: Constify regulator_ops variables 2019-03-04 00:01:08 +00:00
remoteproc remoteproc updates for v5.1 2019-03-14 09:00:06 -07:00
reset
rpmsg
rtc chrome platform changes for v5.1 2019-03-12 09:46:32 -07:00
s390 ARM: some cleanups, direct physical timer assignment, cache sanitization 2019-03-15 15:00:28 -07:00
sbus
scsi SCSI misc on 20190315 2019-03-16 12:51:50 -07:00
sfi
sh
siox
slimbus
sn
soc ARM: SoC driver updates for 5.1 2019-03-06 09:41:12 -08:00
soundwire
spi pci-v5.1-changes 2019-03-09 14:57:08 -08:00
spmi
ssb
staging media updates for v5.1-rc1 2019-03-09 14:45:54 -08:00
target SCSI misc on 20190315 2019-03-16 12:51:50 -07:00
tc
tee ARM: SoC driver updates for 5.1 2019-03-06 09:41:12 -08:00
thermal Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal 2019-03-08 09:52:41 -08:00
thunderbolt
tty tty/vt: fix write/write race in ioctl(KDSKBSENT) handler 2019-03-28 01:28:23 +09:00
uio
usb memblock: drop memblock_alloc_*_nopanic() variants 2019-03-12 10:04:02 -07:00
uwb
vfio powerpc updates for 5.1 2019-03-07 12:56:26 -08:00
vhost virtio: fixes, cleanups 2019-03-10 12:47:57 -07:00
video fbdev changes for v5.1: 2019-03-15 14:22:59 -07:00
virt virt: vbox: Mark expected switch fall-through 2019-02-27 16:00:20 +01:00
virtio virtio: hint if callbacks surprisingly might sleep 2019-03-06 11:19:57 -05:00
visorbus
vlynq
vme
w1
watchdog linux-watchdog 5.1-rc1 tag 2019-03-11 11:22:15 -07:00
xen xen/balloon: Fix mapping PG_offline pages to user space 2019-03-15 15:35:35 +01:00
zorro
Kconfig
Makefile IOMMU Updates for Linux v5.1 2019-03-10 12:29:52 -07:00