All of lore.kernel.org
 help / color / mirror / Atom feed
From: Takashi Iwai <tiwai@suse.de>
To: Yu Hao <yhao016@ucr.edu>
Cc: mchehab@kernel.org, linux-media@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: BUG: WARNING in dvb_frontend_get_event
Date: Thu, 27 Apr 2023 09:58:24 +0200	[thread overview]
Message-ID: <87bkj9u57j.wl-tiwai@suse.de> (raw)
In-Reply-To: <CA+UBctCu7fXn4q41O_3=id1+OdyQ85tZY1x+TkT-6OVBL6KAUw@mail.gmail.com>

On Tue, 18 Apr 2023 06:50:07 +0200,
Yu Hao wrote:
> 
> Hello,
> 
> We found the following issue using syzkaller on Linux v6.2.0.
> 
> In the function `dvb_frontend_get_event`, function
> `wait_event_interruptible` is called
> and the condition is `dvb_frontend_test_event(fepriv, events)`.
> In the function `dvb_frontend_test_event`, function
> `down(&fepriv->sem);` is called.
> However, function `wait_event_interruptible` would put the process to sleep.
> And function `down(&fepriv->sem);` may block the process.
> So there is the issue with "do not call blocking ops when !TASK_RUNNING".
> 
> The full report including the Syzkaller reproducer & C reproducer:
> https://gist.github.com/ZHYfeng/4c5f8be6adc63b73dba68230d15ece2c

FYI, CVE-2023-31084 was assigned to this bug, and I was involved now
though distro's bug report.

So, the use of semaphore together with wait_event*() macro doesn't
look like a good idea.  A possible easy workaround would be to
open-code the wait loop like below.

Mauro, let me know if it's an acceptable workaround.  Then I'll submit
a proper patch.


thanks,

Takashi

-- 8< --
--- a/drivers/media/dvb-core/dvb_frontend.c
+++ b/drivers/media/dvb-core/dvb_frontend.c
@@ -293,14 +293,22 @@ static int dvb_frontend_get_event(struct dvb_frontend *fe,
 	}
 
 	if (events->eventw == events->eventr) {
-		int ret;
+		struct wait_queue_entry wait;
+		int ret = 0;
 
 		if (flags & O_NONBLOCK)
 			return -EWOULDBLOCK;
 
-		ret = wait_event_interruptible(events->wait_queue,
-					       dvb_frontend_test_event(fepriv, events));
-
+		init_waitqueue_entry(&wait, current);
+		add_wait_queue(&events->wait_queue, &wait);
+		while (!dvb_frontend_test_event(fepriv, events)) {
+			wait_woken(&wait, TASK_INTERRUPTIBLE, 0);
+			if (signal_pending(current)) {
+				ret = -ERESTARTSYS;
+				break;
+			}
+		}
+		remove_wait_queue(&events->wait_queue, &wait);
 		if (ret < 0)
 			return ret;
 	}

  reply	other threads:[~2023-04-27  7:58 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-04-18  4:50 BUG: WARNING in dvb_frontend_get_event Yu Hao
2023-04-27  7:58 ` Takashi Iwai [this message]
2023-05-04  8:28   ` Takashi Iwai

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87bkj9u57j.wl-tiwai@suse.de \
    --to=tiwai@suse.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-media@vger.kernel.org \
    --cc=mchehab@kernel.org \
    --cc=yhao016@ucr.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.