Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.4.8 2016-02-17T20:31:02+00:00 2016-02-17T20:31:02+00:00 Peter Hurley peter@hurleysoftware.com 2016-01-11T06:40:55+00:00 urn:sha1:d343601a19410f71bf1765df5e2edda66fe5de5f commit 5c17c861a357e9458001f021a7afa7aab9937439 upstream. ioctl(TIOCGETD) retrieves the line discipline id directly from the ldisc because the line discipline id (c_line) in termios is untrustworthy; userspace may have set termios via ioctl(TCSETS*) without actually changing the line discipline via ioctl(TIOCSETD). However, directly accessing the current ldisc via tty->ldisc is unsafe; the ldisc ptr dereferenced may be stale if the line discipline is changing via ioctl(TIOCSETD) or hangup. Wait for the line discipline reference (just like read() or write()) to retrieve the "current" line discipline id. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-02-17T20:31:02+00:00 Peter Hurley peter@hurleysoftware.com 2016-01-10T05:13:45+00:00 urn:sha1:b4312250147d42dceed6c8d44aa02cb29539db19 commit 7f22f6c935cda600660e623a411fe380015d28d9 upstream. A small window exists where a tty reopen will observe the tty just prior to imminent teardown (tty->count == 0); in this case, open() returns EIO to userspace. Instead, retry the open after checking for signals and yielding; this interruptible retry loop allows teardown to commence and initialize a new tty on retry. Never retry the BSD master pty reopen; there is no guarantee the pty pair teardown is imminent since the slave file descriptors may remain open indefinitely. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-02-17T20:31:02+00:00 Peter Hurley peter@hurleysoftware.com 2016-01-10T05:13:44+00:00 urn:sha1:c35f1234931e2cae81726440ad4df8ef1f313219 commit 0bfd464d3fdd5bb322f9cace4cc47f1796545cf7 upstream. Allow a signal to interrupt the wait for a tty reopen; eg., if the tty has starting final close and is waiting for the device to drain. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-11-21T00:19:54+00:00 Peter Hurley peter@hurleysoftware.com 2015-11-11T13:03:54+00:00 urn:sha1:ee0c1a65cf95230d5eb3d9de94fd2ead9a428c67 The correct lock order is atomic_write_lock => termios_rwsem, as established by tty_write() => n_tty_write(). Fixes: c274f6ef1c666 ("tty: Hold termios_rwsem for tcflow(TCIxxx)") Reported-and-Tested-by: Dmitry Vyukov <dvyukov@google.com> Cc: <stable@vger.kernel.org> # v3.18+ Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-10-18T04:32:21+00:00 Peter Hurley peter@hurleysoftware.com 2015-10-17T20:36:23+00:00 urn:sha1:e176058f0de53c2346734e5254835e0045364001 Introduce API functions to restart and cancel tty buffer work, rather than manipulate buffer work directly. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-10-18T04:30:49+00:00 Peter Hurley peter@hurleysoftware.com 2015-10-11T00:28:44+00:00 urn:sha1:4b41b9539a1e9531f942ededfcdcff372317d2e7 tty_write_message() allows the caller to directly write to a specific tty. Since the line discipline is bypassed for the direct write, nothing prevents the tty from being torn down after the tty count is checked. Hold the tty lock for the duration of the direct write. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-10-18T04:30:49+00:00 Peter Hurley peter@hurleysoftware.com 2015-10-11T00:28:43+00:00 urn:sha1:1e86b5bf15e2be662df303b7067ac08247713401 tiocspgrp() is the ioctl handler for TIOCSPGRP, which runs in non-atomic context; use spin_lock/unlock_irq (since interrupt state is on). Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-10-18T04:30:49+00:00 Peter Hurley peter@hurleysoftware.com 2015-10-11T00:28:42+00:00 urn:sha1:2812d9e9fd94c54b0482215f579e6aa04452a322 The job_control() check in n_tty_read() has nearly identical purpose and results as tty_check_change(). Both functions' purpose is to determine if the current task's pgrp is the foreground pgrp for the tty, and if not, to signal the current pgrp. Introduce __tty_check_change() which takes the signal to send and performs the shared operations for job control() and tty_check_change(). Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-10-04T18:20:30+00:00 Jann Horn jann@thejh.net 2015-10-04T17:29:12+00:00 urn:sha1:0c55627167870255158db1cde0d28366f91c8872 This is mostly a hardening fix, given that write-only access to other users' ttys is usually only given through setgid tty executables. Signed-off-by: Jann Horn <jann@thejh.net> Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-10-04T17:51:42+00:00 Leon Yu chianglungyu@gmail.com 2015-09-07T13:08:37+00:00 urn:sha1:c1a752ba2d6b8a52879c7ab637cff38359ea9827 Commit a3a10ce3429e ("Avoid usb reset crashes by making tty_io cdevs truly dynamic") which mixes using cdev_alloc() and cdev_init() is problematic. Subsequent call to cdev_init() after cdev_alloc() sets kobj release method from cdev_dynamic_release() to cdev_default_release() and thus makes it impossible to free allocated cdev. This patch also consolidates error path of cdev_add() as cdev can also leak here if things went wrong. Signed-off-by: Leon Yu <chianglungyu@gmail.com> Fixes: a3a10ce3429e ("Avoid usb reset crashes by making tty_io cdevs truly dynamic") Acked-by: Richard Watts <rrw@kynesim.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>