From: Takashi Iwai <tiwai@suse.de>
To: mchehab@kernel.org
Cc: Yu Hao <yhao016@ucr.edu>,
	linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: BUG: WARNING in dvb_frontend_get_event
Date: Thu, 04 May 2023 10:28:56 +0200
Message-ID: <875y98mref.wl-tiwai@suse.de>
In-Reply-To: <87bkj9u57j.wl-tiwai@suse.de>

On Thu, 27 Apr 2023 09:58:24 +0200,
Takashi Iwai wrote:
> 
> On Tue, 18 Apr 2023 06:50:07 +0200,
> Yu Hao wrote:
> > 
> > Hello,
> > 
> > We found the following issue using syzkaller on Linux v6.2.0.
> > 
> > In the function `dvb_frontend_get_event`, function
> > `wait_event_interruptible` is called
> > and the condition is `dvb_frontend_test_event(fepriv, events)`.
> > In the function `dvb_frontend_test_event`, function
> > `down(&fepriv->sem);` is called.
> > However, function `wait_event_interruptible` would put the process to sleep.
> > And function `down(&fepriv->sem);` may block the process.
> > So there is the "do not call blocking ops when !TASK_RUNNING" issue.
> > 
> > The full report including the Syzkaller reproducer & C reproducer:
> > https://gist.github.com/ZHYfeng/4c5f8be6adc63b73dba68230d15ece2c
> 
> FYI, CVE-2023-31084 was assigned to this bug, and I was involved now
> through a distro's bug report.
> 
> So, the use of a semaphore together with the wait_event*() macro doesn't
> look like a good idea.  A possible easy workaround would be to
> open-code the wait loop like below.
> 
> Mauro, let me know if it's an acceptable workaround.  Then I'll submit
> a proper patch.

A gentle ping.

Can anyone please check whether the suggested change is OK or not?


thanks,

Takashi

> 
> 
> thanks,
> 
> Takashi
> 
> -- 8< --
> --- a/drivers/media/dvb-core/dvb_frontend.c
> +++ b/drivers/media/dvb-core/dvb_frontend.c
> @@ -293,14 +293,22 @@ static int dvb_frontend_get_event(struct dvb_frontend *fe,
>  	}
>  
>  	if (events->eventw == events->eventr) {
> -		int ret;
> +		struct wait_queue_entry wait;
> +		int ret = 0;
>  
>  		if (flags & O_NONBLOCK)
>  			return -EWOULDBLOCK;
>  
> -		ret = wait_event_interruptible(events->wait_queue,
> -					       dvb_frontend_test_event(fepriv, events));
> -
> +		init_waitqueue_entry(&wait, current);
> +		add_wait_queue(&events->wait_queue, &wait);
> +		while (!dvb_frontend_test_event(fepriv, events)) {
> +			wait_woken(&wait, TASK_INTERRUPTIBLE, 0);
> +			if (signal_pending(current)) {
> +				ret = -ERESTARTSYS;
> +				break;
> +			}
> +		}
> +		remove_wait_queue(&events->wait_queue, &wait);
>  		if (ret < 0)
>  			return ret;
>  	}
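Review bot: init_waitqueue_entry(&wait, current) installs default_wake_function(), but the wait_woken() call in the loop only works with an entry that uses woken_wake_function(): wait_woken() checks WQ_FLAG_WOKEN before it calls schedule_timeout(), and default_wake_function() never sets that flag, so a wakeup that lands between dvb_frontend_test_event() returning false and wait_woken() setting TASK_INTERRUPTIBLE is lost and the task sleeps until the next event. Declare the entry with DEFINE_WAIT_FUNC(wait, woken_wake_function) in place of the `struct wait_queue_entry wait;` / init_waitqueue_entry() pair. Separately, the third argument of wait_woken() is the timeout handed to schedule_timeout(); 0 arms a timer that expires at the next tick, so the loop re-tests the condition at HZ rate instead of sleeping until woken. Pass MAX_SCHEDULE_TIMEOUT, since the O_NONBLOCK check above already covers the no-wait case.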

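A user-space model of the sleep/wake handshake the open-coded loop in the quoted patch depends on, added here as an illustration; it is not kernel code and not part of this thread or of the dvb-core driver. It stands in a pthread mutex for fepriv->sem and a mutex plus condition variable for the wait queue, uses a `woken` field in place of WQ_FLAG_WOKEN, and lets one wait routine run either consulting that field (a woken_wake_function() entry) or ignoring it (what an init_waitqueue_entry() entry amounts to), so a wakeup arriving between the condition test and the sleep can be seen to survive in one case and to be lost in the other. The function names, the timeouts and the 50 ms head start are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <time.h>

/* Constructed user-space model, not kernel code: wq_entry stands in for
 * wait_queue_entry, `woken` for WQ_FLAG_WOKEN, wake(w, 1) for
 * woken_wake_function(), wake(w, 0) for default_wake_function(),
 * wait_model(w, t, 1) for wait_woken(), and a mutex for fepriv->sem. */
struct wq_entry { pthread_mutex_t lock; pthread_cond_t cv; int woken; };
#define WQ_ENTRY_INIT { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER, 0 }

/* Kick the sleeper; record=1 also leaves a mark, as woken_wake_function()
 * does with WQ_FLAG_WOKEN; default_wake_function() leaves none. */
void wake(struct wq_entry *w, int record)
{
	pthread_mutex_lock(&w->lock);
	if (record)
		w->woken = 1;
	pthread_cond_signal(&w->cv);
	pthread_mutex_unlock(&w->lock);
}

/* wait_woken(): skip the sleep if a wakeup was recorded since the caller
 * last tested its condition, then clear the record; consult=0 ignores the
 * record. Returns 0 if woken, ETIMEDOUT if the whole timeout elapsed. */
int wait_model(struct wq_entry *w, int timeout_s, int consult)
{
	int rc = 0;
	struct timespec ts = { .tv_sec = time(NULL) + timeout_s, .tv_nsec = 0 };
	pthread_mutex_lock(&w->lock);
	if (!(consult && w->woken))
		rc = pthread_cond_timedwait(&w->cv, &w->lock, &ts);
	w->woken = 0;
	pthread_mutex_unlock(&w->lock);
	return rc;
}

/* Event ring as in dvb_frontend_get_event(): eventw/eventr under a lock. */
struct events_model { pthread_mutex_t sem; int eventw, eventr; struct wq_entry wait_queue; };

/* dvb_frontend_test_event(): takes the lock, a blocking op, so it must run
 * while the thread is runnable, between sleeps and never inside one. */
int test_event(struct events_model *ev)
{
	pthread_mutex_lock(&ev->sem);
	int ready = ev->eventw != ev->eventr;
	pthread_mutex_unlock(&ev->sem);
	return ready;
}

/* The patch's loop: test, sleep, retest. 0 = event consumed, -1 = timed out. */
int get_event_model(struct events_model *ev, int timeout_s)
{
	while (!test_event(ev))
		if (wait_model(&ev->wait_queue, timeout_s, 1) == ETIMEDOUT)
			return -1;
	pthread_mutex_lock(&ev->sem);
	ev->eventr++;
	pthread_mutex_unlock(&ev->sem);
	return 0;
}

/* Producer: give the consumer time to fall asleep, publish, then wake. */
static void *producer(void *arg)
{
	struct events_model *ev = arg;
	struct timespec head_start = { .tv_sec = 0, .tv_nsec = 50 * 1000 * 1000 };
	nanosleep(&head_start, NULL);
	pthread_mutex_lock(&ev->sem);
	ev->eventw++;
	pthread_mutex_unlock(&ev->sem);
	wake(&ev->wait_queue, 1);
	return NULL;
}

/* Two threads, real sleep and wake: returns 0 when the event arrives. */
int scenario_threaded(void)
{
	struct events_model ev = { .sem = PTHREAD_MUTEX_INITIALIZER, .wait_queue = WQ_ENTRY_INIT };
	pthread_t t;
	pthread_create(&t, NULL, producer, &ev);
	int rc = get_event_model(&ev, 5);
	pthread_join(t, NULL);
	return rc;
}

/* The wakeup lands between the condition test and the sleep (simulated by
 * waking first). Recorded: returns 0 at once. Unrecorded: lost, ETIMEDOUT. */
int scenario_raced(int recorded)
{
	struct wq_entry w = WQ_ENTRY_INIT;
	wake(&w, recorded);
	return wait_model(&w, 1, recorded);
}

int main(void)
{
	printf("threaded=%d raced_recorded=%d raced_lost=%d\n", scenario_threaded(),
	       scenario_raced(1), scenario_raced(0) == ETIMEDOUT);
}
```

scenario_raced(1) returns 0 because the recorded wakeup short-circuits the sleep; scenario_raced(0) returns ETIMEDOUT because nothing tells the sleeper that the wakeup already happened. get_event_model() calls test_event(), which takes the lock, only while the thread is runnable, which is the property the open-coded loop restores in the kernel.
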

Thread overview: 3+ messages
2023-04-18  4:50 BUG: WARNING in dvb_frontend_get_event Yu Hao
2023-04-27  7:58 ` Takashi Iwai
2023-05-04  8:28   ` Takashi Iwai [this message]
