From patchwork Fri Jul 12 16:29:34 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1959966
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][N/J][PATCH 1/1] um: Add winch to winch_handlers before registering winch IRQ
Date: Fri, 12 Jul 2024 11:29:34 -0500
Message-Id: <20240712162934.9725-2-bethany.jamison@canonical.com>
In-Reply-To: <20240712162934.9725-1-bethany.jamison@canonical.com>
References: <20240712162934.9725-1-bethany.jamison@canonical.com>

From: Roberto Sassu

[ Upstream commit a0fbbd36c156b9f7b2276871d499c9943dfe5101 ]

Registering a winch IRQ is racy, an interrupt may occur before the winch is
added to the winch_handlers list.

If that happens, register_winch_irq() adds to that list a winch that is
scheduled to be (or has already been) freed, causing a panic later in
winch_cleanup().

Avoid the race by adding the winch to the winch_handlers list before
registering the IRQ, and rolling back if um_request_irq() fails.

Fixes: 42a359e31a0e ("uml: SIGIO support cleanup")
Signed-off-by: Roberto Sassu
Reviewed-by: Johannes Berg
Signed-off-by: Richard Weinberger
Signed-off-by: Sasha Levin
(cherry picked from commit 73b8e21f76c7dda4905655d2e2c17dc5a73b87f1 linux-6.9.y)
CVE-2024-39292
Signed-off-by: Bethany Jamison
--- arch/um/drivers/line.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/arch/um/drivers/line.c b/arch/um/drivers/line.c index ffc5cb92fa367..d82bc3fdb86e7 100644 --- a/arch/um/drivers/line.c +++ b/arch/um/drivers/line.c
@@ -676,24 +676,26 @@ void register_winch_irq(int fd, int tty_fd, int pid, struct tty_port *port, goto cleanup; } - *winch = ((struct winch) { .list = LIST_HEAD_INIT(winch->list), - .fd = fd, + *winch = ((struct winch) { .fd = fd, .tty_fd = tty_fd, .pid = pid, .port = port, .stack = stack }); + spin_lock(&winch_handler_lock); + list_add(&winch->list, &winch_handlers); + spin_unlock(&winch_handler_lock); + if (um_request_irq(WINCH_IRQ, fd, IRQ_READ, winch_interrupt, IRQF_SHARED, "winch", winch) < 0) { printk(KERN_ERR "register_winch_irq - failed to register " "IRQ\n"); + spin_lock(&winch_handler_lock); + list_del(&winch->list); + spin_unlock(&winch_handler_lock); goto out_free; } - spin_lock(&winch_handler_lock); - list_add(&winch->list, &winch_handlers); - spin_unlock(&winch_handler_lock); - return; out_free:
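
Review bot: the new list_add() block placed ahead of um_request_irq() carries no comment saying why the order matters, so a later cleanup could move it back below the IRQ registration and reintroduce the race the commit message describes; a one-line comment above that spin_lock() would pin the ordering down. In the failure branch, the rollback assumes the winch is still on winch_handlers and still owned by this function when list_del() runs. Because the entry is visible to anything that takes winch_handler_lock from the moment of list_add(), it is worth confirming (and stating in the commit message) that no list walker can remove or free it in that window before the goto out_free, otherwise list_del() and the free would act on an entry that is already gone. Dropping .list = LIST_HEAD_INIT(winch->list) from the initializer looks fine, since list_add() sets both pointers of the new entry.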