On Fri, Oct 30, 2015 at 6:44 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> Hi all-
>
> In 4.3-rc7, running dosemu2 (https://github.com/stsp/dosemu2/) oopses
> the system very quickly, as long as CONFIG_VM86=y. It blows up
> because snd_seq_delete_port walks ports_list_head, finds two valid
> ports, and then starts finding obviously invalid pointers in the list.
>
> git bisect blames:
>
> commit 5ed92a8ab71f8865ba07811429c988c72299b315
> Author: Brian Gerst <brgerst@xxxxxxxxx>
> Date:   Wed Jul 29 01:41:19 2015 -0400
>
>     x86/vm86: Use the normal pt_regs area for vm86
>
> I haven't spotted the problem yet. It seems to happen when
> task_work_run fires in get_signal, which happens before
> save_v86_state. I'm not entirely sure what causes task work to be
> scheduled at all while in v86 land. Could we somehow be processing
> task_work later than we should?

Andy, thanks for finally fixing this attack surface!

Nope, the bug has nothing to do with task_work. Patches sent.