mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-08 17:49:45 +00:00
Code Issues Releases Wiki Activity
linux-stable/drivers/tty
History
Jiri Slaby efe4feb818 tty: hvc_console, fix crashes on parallel open/close 
commit 24eb2377f9 upstream.

hvc_open sets tty->driver_data to NULL when open fails at some point.
Typically, the failure happens in hp->ops->notifier_add(). If there is
a racing process which tries to open such mangled tty, which was not
closed yet, the process will crash in hvc_open as tty->driver_data is
NULL.

All this happens because close wants to know whether open failed or not.
But ->open should not NULL this and other tty fields for ->close to be
happy. ->open should call tty_port_set_initialized(true) and close
should check by tty_port_initialized() instead. So do this properly in
this driver.

So this patch removes these from ->open:
* tty_port_tty_set(&hp->port, NULL). This happens on last close.
* tty->driver_data = NULL. Dtto.
* tty_port_put(&hp->port). This happens in shutdown and until now, this
  must have been causing a reference underflow, if I am not missing
  something.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: stable <stable@vger.kernel.org>
Reported-and-tested-by: Raghavendra <rananta@codeaurora.org>
Link: https://lore.kernel.org/r/20200526145632.13879-1-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-10 21:35:00 +02:00
..
hvc tty: hvc_console, fix crashes on parallel open/close 2020-06-10 21:35:00 +02:00
ipwireless tty: ipwireless: Fix potential NULL pointer dereference 2020-01-27 14:50:16 +01:00
serdev serdev: ttyport: restore client ops on deregistration 2020-02-28 16:38:49 +01:00
serial tty: serial: qcom_geni_serial: Fix wrap around of TX buffer 2020-05-27 17:37:41 +02:00
vt vt: keyboard: avoid signed integer overflow in k_ascii 2020-06-10 21:35:00 +02:00
amiserial.c
cyclades.c
ehv_bytechan.c tty: evh_bytechan: Fix out of bounds accesses 2020-04-23 10:30:23 +02:00
goldfish.c
isicom.c
Kconfig
Makefile
mips_ejtag_fdc.c
moxa.c
moxa.h
mxser.c
mxser.h
n_gsm.c
n_hdlc.c tty: Don't block on IO when ldisc change is pending 2019-12-13 08:52:28 +01:00
n_null.c
n_r3964.c tty: Don't block on IO when ldisc change is pending 2019-12-13 08:52:28 +01:00
n_tracerouter.c
n_tracesink.c
n_tracesink.h
n_tty.c tty: Don't block on IO when ldisc change is pending 2019-12-13 08:52:28 +01:00
nozomi.c
pty.c
rocket.c tty: rocket, avoid OOB access 2020-04-29 16:31:30 +02:00
rocket.h
rocket_int.h
synclink.c
synclink_gt.c tty: synclink_gt: Adjust indentation in several functions 2020-02-24 08:34:47 +01:00
synclinkmp.c tty: synclinkmp: Adjust indentation in several functions 2020-02-24 08:34:47 +01:00
sysrq.c sysrq: Remove duplicated sysrq message 2020-03-05 16:42:15 +01:00
tty_audit.c
tty_baudrate.c
tty_buffer.c
tty_io.c
tty_ioctl.c
tty_jobctrl.c
tty_ldisc.c tty: Don't block on IO when ldisc change is pending 2019-12-13 08:52:28 +01:00
tty_ldsem.c
tty_mutex.c
tty_port.c serdev: ttyport: restore client ops on deregistration 2020-02-28 16:38:49 +01:00
vcc.c