30 Dec, 2020
1 commit
-
[ Upstream commit d1b928ee1cfa965a3327bbaa59bfa005d97fa0fe ]
The flush_lock is uninitialized, use DEFINE_SPINLOCK
to define and initialize flush_lock.Fixes: c6e3fd22cd53 ("Staging: add speakup to the staging directory")
Reported-by: Hulk Robot
Reviewed-by: Samuel Thibault
Signed-off-by: Yang Yingliang
Link: https://lore.kernel.org/r/20201117012229.3395186-1-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin
30 Nov, 2020
1 commit
-
Speakup exposing a line discipline allows userland to try to use it,
while it is deemed to be useless, and thus uselessly exposes potential
bugs. One of them is simply that in such a case if the line sends data,
spk_ttyio_receive_buf2 is called and crashes since spk_ttyio_synth
is NULL.This change restricts the use of the speakup line discipline to
speakup drivers, thus avoiding such kind of issues altogether.Cc: stable@vger.kernel.org
Reported-by: Shisong Qin
Signed-off-by: Samuel Thibault
Tested-by: Shisong Qin
Link: https://lore.kernel.org/r/20201129193523.hm3f6n5xrn6fiyyc@function
Signed-off-by: Greg Kroah-Hartman
23 Nov, 2020
1 commit
-
Pull tty fixes from Greg KH:
"Here are some small tty/serial fixes for 5.10-rc5 that resolve some
reported issues:- speakup crash when telling the kernel to use a device that isn't
really there- imx serial driver fixes for reported problems
- ar933x_uart driver fix for probe error handling path
All have been in linux-next for a while with no reported issues"
* tag 'tty-5.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
serial: ar933x_uart: disable clk on error handling path in probe
tty: serial: imx: keep console clocks always on
speakup: Do not let the line discipline be used several times
tty: serial: imx: fix potential deadlock
12 Nov, 2020
1 commit
-
Speakup has only one speakup_tty variable to store the tty it is managing. This
makes sense since its codebase currently assumes that there is only one user who
controls the screen reading.That however means that we have to forbid using the line discipline several
times, otherwise the second closure would try to free a NULL ldisc_data, leading togeneral protection fault: 0000 [#1] SMP KASAN PTI
RIP: 0010:spk_ttyio_ldisc_close+0x2c/0x60
Call Trace:
tty_ldisc_release+0xa2/0x340
tty_release_struct+0x17/0xd0
tty_release+0x9d9/0xcc0
__fput+0x231/0x740
task_work_run+0x12c/0x1a0
do_exit+0x9b5/0x2230
? release_task+0x1240/0x1240
? __do_page_fault+0x562/0xa30
do_group_exit+0xd5/0x2a0
__x64_sys_exit_group+0x35/0x40
do_syscall_64+0x89/0x2b0
? page_fault+0x8/0x30
entry_SYSCALL_64_after_hwframe+0x44/0xa9Cc: stable@vger.kernel.org
Reported-by: 秦世松
Signed-off-by: Samuel Thibault
Tested-by: Shisong Qin
Link: https://lore.kernel.org/r/20201110183541.fzgnlwhjpgqzjeth@function
Signed-off-by: Greg Kroah-Hartman
10 Nov, 2020
3 commits
-
With the ltlk and spkout drivers, the index read function, i.e.
in_nowait, is getting called from the read_all_doc mechanism, from
the timer softirq:Call Trace:
dump_stack+0x71/0x98
dequeue_task_idle+0x1f/0x28
__schedule+0x167/0x5d6
? trace_hardirqs_on+0x2e/0x3a
? usleep_range+0x7f/0x7f
schedule+0x8a/0xae
schedule_timeout+0xb1/0xea
? del_timer_sync+0x31/0x31
do_wait_for_common+0xba/0x12b
? wake_up_q+0x45/0x45
wait_for_common+0x37/0x50
ttyio_in+0x2a/0x6b
spk_ttyio_in_nowait+0xc/0x13
spk_get_index_count+0x20/0x93
cursor_done+0x1c6/0x4c6
? read_all_doc+0xb1/0xb1
call_timer_fn+0x89/0x140
run_timer_softirq+0x164/0x1a5
? read_all_doc+0xb1/0xb1
? hrtimer_forward+0x7b/0x87
? timerqueue_add+0x62/0x68
? enqueue_hrtimer+0x95/0x9f
__do_softirq+0x181/0x31f
irq_exit+0x6a/0x86
smp_apic_timer_interrupt+0x15e/0x183
apic_timer_interrupt+0xf/0x20
We thus should not schedule() at all, even with timeout == 0, this
crashes the kernel. We can however use try_wait_for_completion()
instead of wait_for_completion_timeout(0).Cc: stable@vger.kernel.org
Reported-by: John Covici
Tested-by: John Covici
Signed-off-by: Samuel Thibault
Link: https://lore.kernel.org/r/20201108131233.tadycr73sxlvodgo@function
Signed-off-by: Greg Kroah-Hartman -
speakup_cut() calls speakup_clear_selection() which calls console_lock.
Problem is: speakup_cut() is called from a keyboard interrupt
context. This would hang if speakup_cut is pressed while the console
lock is unfortunately already held.We can however as well just defer calling clear_selection() until the
already-deferred set_selection_kernel() call.This was spotted by the lock hardener:
Possible unsafe locking scenario:\x0a
CPU0
----
lock(console_lock);
lock(console_lock);
\x0a *** DEADLOCK ***\x0a
[...]
Call Trace:
dump_stack+0xc2/0x11a
print_usage_bug.cold+0x3e0/0x4b1
mark_lock+0xd95/0x1390
? print_irq_inversion_bug+0xa0/0xa0
__lock_acquire+0x21eb/0x5730
? __kasan_check_read+0x11/0x20
? check_chain_key+0x215/0x5e0
? register_lock_class+0x1580/0x1580
? lock_downgrade+0x7a0/0x7a0
? __rwlock_init+0x140/0x140
lock_acquire+0x13f/0x370
? speakup_clear_selection+0xe/0x20 [speakup]
console_lock+0x33/0x50
? speakup_clear_selection+0xe/0x20 [speakup]
speakup_clear_selection+0xe/0x20 [speakup]
speakup_cut+0x19e/0x4b0 [speakup]
keyboard_notifier_call+0x1f04/0x4a40 [speakup]
? read_all_doc+0x240/0x240 [speakup]
notifier_call_chain+0xbf/0x130
__atomic_notifier_call_chain+0x80/0x130
atomic_notifier_call_chain+0x16/0x20
kbd_event+0x7d7/0x3b20
? k_pad+0x850/0x850
? sysrq_filter+0x450/0xd40
input_to_handler+0x362/0x4b0
? rcu_read_lock_sched_held+0xe0/0xe0
input_pass_values+0x408/0x5a0
? __rwlock_init+0x140/0x140
? lock_acquire+0x13f/0x370
input_handle_event+0x70e/0x1380
input_event+0x67/0x90
atkbd_interrupt+0xe62/0x1d4e [atkbd]
? __kasan_check_write+0x14/0x20
? atkbd_event_work+0x130/0x130 [atkbd]
? _raw_spin_lock_irqsave+0x26/0x70
serio_interrupt+0x93/0x120 [serio]
i8042_interrupt+0x232/0x510 [i8042]
? rcu_read_lock_bh_held+0xd0/0xd0
? handle_irq_event+0xa5/0x13a
? i8042_remove+0x1f0/0x1f0 [i8042]
__handle_irq_event_percpu+0xe6/0x6c0
handle_irq_event_percpu+0x71/0x150
? __handle_irq_event_percpu+0x6c0/0x6c0
? __kasan_check_read+0x11/0x20
? do_raw_spin_unlock+0x5c/0x240
handle_irq_event+0xad/0x13a
handle_edge_irq+0x233/0xa90
do_IRQ+0x10b/0x310
common_interrupt+0xf/0xf
Cc: stable@vger.kernel.org
Reported-by: Jookia
Signed-off-by: Samuel Thibault
Link: https://lore.kernel.org/r/20201107233310.7iisvaozpiqj3yvy@function
Signed-off-by: Greg Kroah-Hartman -
commit d97a9d7aea04 ("staging/speakup: Add inflection synth parameter")
introduced a new "inflection" speakup parameter next to "pitch", but
the values of the var_id_t enum are actually used by the keymap tables
so we must not renumber them. The effect was that notably the volume
control shortcut (speakup-1 or 2) was actually changing the inflection.This moves the INFLECTION value at the end of the var_id_t enum to
fix back the enum values. This also adds a warning about it.Fixes: d97a9d7aea04 ("staging/speakup: Add inflection synth parameter")
Cc: stable@vger.kernel.org
Reported-by: Kirk Reiser
Reported-by: Gregory Nowak
Tested-by: Gregory Nowak
Signed-off-by: Samuel Thibault
Link: https://lore.kernel.org/r/20201012160646.qmdo4eqtj24hpch4@function
Signed-off-by: Greg Kroah-Hartman
31 Aug, 2020
1 commit
-
We need the tty/serial fixes in here as well.
Signed-off-by: Greg Kroah-Hartman
18 Aug, 2020
3 commits
-
viewed is used as a flag, i.e. bool. So treat is as such in most of the
places. vcs_vc is handled in the next patch.Note: the last parameter of invert_screen was misnamed in the
declaration since 1.1.92.Signed-off-by: Jiri Slaby
Link: https://lore.kernel.org/r/20200818085706.12163-3-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman -
Drivers using serialio were already made available in Kconfig only under
the ISA condition.Signed-off-by: Samuel Thibault
Link: https://lore.kernel.org/r/20200804160659.7y76sdseow43lfms@function
Signed-off-by: Greg Kroah-Hartman -
This was missed while introducing the tty-based serial access.
The only remaining use of wait_for_xmitr with tty-based access is in
spk_synth_is_alive_restart to check whether the synth can be restarted.
With tty-based this is up to the tty layer to cope with the buffering
etc. so we can just say yes.Signed-off-by: Samuel Thibault
Link: https://lore.kernel.org/r/20200804160637.x3iycau5izywbgzl@function
Signed-off-by: Greg Kroah-Hartman
07 Aug, 2020
1 commit
-
Pull tty/serial updates from Greg KH:
"Here is the large set of TTY and Serial driver patches for 5.9-rc1.Lots of bugfixes in here, thanks to syzbot fuzzing for serial and vt
and console code.Other highlights include:
- much needed vt/vc code cleanup from Jiri Slaby
- 8250 driver fixes and additions
- various serial driver updates and feature enhancements
- locking cleanup for serial/console initializations
- other minor cleanups
All of these have been in linux-next with no reported issues"
* tag 'tty-5.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: (90 commits)
MAINTAINERS: enlist Greg formally for console stuff
vgacon: Fix for missing check in scrollback handling
Revert "serial: 8250: Let serial core initialise spin lock"
serial: 8250: Let serial core initialise spin lock
tty: keyboard, do not speculate on func_table index
serial: stm32: Add RS485 RTS GPIO control
serial: 8250_dw: Fix common clocks usage race condition
serial: 8250_dw: Pass the same rate to the clk round and set rate methods
serial: 8250_dw: Simplify the ref clock rate setting procedure
serial: 8250: Add 8250 port clock update method
tty: serial: imx: add imx earlycon driver
tty: serial: imx: enable imx serial console port as module
tty/synclink: remove leftover bits of non-PCI card support
tty: Use the preferred form for passing the size of a structure type
tty: Fix identation issues in struct serial_struct32
tty: Avoid the use of one-element arrays
serial: msm_serial: add sparse context annotation
serial: pmac_zilog: add sparse context annotation
newport_con: vc_color is now in state
serial: imx: use hrtimers for rs485 delays
...
29 Jul, 2020
1 commit
-
The nasty TODO items are done.
Signed-off-by: Samuel Thibault
Link: https://lore.kernel.org/r/20200729003531.907370-1-samuel.thibault@ens-lyon.org
Signed-off-by: Greg Kroah-Hartman