05 Dec, 2020
2 commits
-
Currently, locking of ->session is very inconsistent; most places
protect it using the legacy tty mutex, but disassociate_ctty(),
__do_SAK(), tiocspgrp() and tiocgsid() don't.
Two of the writers hold the ctrl_lock (because they already need it for
->pgrp), but __proc_set_tty() doesn't do that yet.

On a PREEMPT=y system, an unprivileged user can theoretically abuse
this broken locking to read 4 bytes of freed memory via TIOCGSID if
tiocgsid() is preempted long enough at the right point. (Other things
might also go wrong, especially if root-only ioctls are involved; I'm
not sure about that.)

Change the locking on ->session such that:

- tty_lock() is held by all writers: By making disassociate_ctty()
  hold it. This should be fine because the same lock can already be
  taken through the call to tty_vhangup_session().
  The tricky part is that we need to shorten the area covered by
  siglock to be able to take tty_lock() without ugly retry logic; as
  far as I can tell, this should be fine, since nothing in the
  signal_struct is touched in the `if (tty)` branch.
- ctrl_lock is held by all writers: By changing __proc_set_tty() to
  hold the lock a little longer.
- All readers that aren't holding tty_lock() hold ctrl_lock: By
  adding locking to tiocgsid() and __do_SAK(), and expanding the area
  covered by ctrl_lock in tiocspgrp().

Cc: stable@kernel.org
Signed-off-by: Jann Horn
Reviewed-by: Jiri Slaby
Signed-off-by: Greg Kroah-Hartman
-
tiocspgrp() takes two tty_struct pointers: One to the tty that userspace
passed to ioctl() (`tty`) and one to the TTY being changed (`real_tty`).
These pointers are different when ioctl() is called with a master fd.

To properly lock real_tty->pgrp, we must take real_tty->ctrl_lock.
This bug makes it possible for racing ioctl(TIOCSPGRP, ...) calls on
both sides of a PTY pair to corrupt the refcount of `struct pid`,
leading to use-after-free errors.

Fixes: 47f86834bbd4 ("redo locking of tty->pgrp")
CC: stable@kernel.org
Signed-off-by: Jann Horn
Reviewed-by: Jiri Slaby
Signed-off-by: Greg Kroah-Hartman
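The lock mismatch described in the tiocspgrp() commit above, as an added userspace model (not kernel code and not part of the commit). `struct tty_model`, `ctrl_lock_taken()` and `writers_exclude()` are hypothetical names, the spinlock is modelled with a C11 `atomic_flag`, and the model assumes the pre-fix code took the lock of the `tty` passed to ioctl().

```c
/* Constructed userspace model; assumes the pre-fix code locked tty->ctrl_lock. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct tty_model {
    atomic_flag ctrl_lock;   /* stands in for the ctrl_lock spinlock */
    struct tty_model *link;  /* other end of the PTY pair */
    bool is_master;
};

/* The TTY whose pgrp is changed: the slave when ioctl() is called on a master fd. */
static struct tty_model *real_tty_of(struct tty_model *tty)
{
    return tty->is_master ? tty->link : tty;
}

/* Which lock guards the write to real_tty->pgrp, before and after the fix. */
static atomic_flag *ctrl_lock_taken(struct tty_model *tty,
                                    struct tty_model *real_tty, bool fixed)
{
    return fixed ? &real_tty->ctrl_lock : &tty->ctrl_lock;
}

/* True if a slave-side writer holding its lock keeps a master-side writer out. */
static bool writers_exclude(bool fixed)
{
    struct tty_model master = { ATOMIC_FLAG_INIT, NULL, true };
    struct tty_model slave = { ATOMIC_FLAG_INIT, NULL, false };
    master.link = &slave;
    slave.link = &master;

    atomic_flag *held = ctrl_lock_taken(&slave, real_tty_of(&slave), fixed);
    atomic_flag *wanted = ctrl_lock_taken(&master, real_tty_of(&master), fixed);

    atomic_flag_test_and_set(held);                    /* slave side takes its lock */
    bool acquired = !atomic_flag_test_and_set(wanted); /* master side tries its lock */
    return !acquired;  /* both sides write the same real_tty->pgrp */
}

int main(void)
{
    printf("excluded before fix: %d, after fix: %d\n",
           writers_exclude(false), writers_exclude(true));
    return 0;
}
```

In the pre-fix case the two callers pick different locks for the same `pgrp` field, so neither blocks the other; with `real_tty->ctrl_lock` both sides contend on one lock.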
18 Aug, 2020
1 commit
-
With W=1, the kernel-doc checker complains quite a lot in the tty layer.
Over time, many documented parameters were renamed, removed or
switched from tty to tty_port and similar. Some were mistyped in the doc
too.

So fix all these in the tty core. (But do not add the missing ones which
the checker complains about too. Not now.) The rest in the tty layer
will follow in the next patches.

Signed-off-by: Jiri Slaby
Link: https://lore.kernel.org/r/20200818085655.12071-4-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman
28 Mar, 2019
2 commits
-
The intention was clearly to use the tty_pgrp local variable rather than
re-read tty->pgrp outside of ctrl_lock, so do that.

This bug was introduced by commit 2812d9e9fd94 ("tty: Combine
SIGTTOU/SIGTTIN handling").

Signed-off-by: David Emett
Signed-off-by: Greg Kroah-Hartman
-
Building with W=1 reports (among other things):
CC drivers/tty/tty_jobctrl.o
drivers/tty/tty_jobctrl.c:317: warning: Cannot understand *
on line 317 - I thought it was a doc line

Fix up the non-kerneldoc comment. (other warnings to be cleaned up in separate patch)

Signed-off-by: Valdis Kletnieks
Signed-off-by: Greg Kroah-Hartman
08 Nov, 2017
1 commit
-
It's good to have SPDX identifiers in all files to make it easier to
audit the kernel tree for correct licenses.

Update the drivers/tty files with the correct SPDX license
identifier based on the license text in the file itself. The SPDX
identifier is a legally binding shorthand, which can be used instead of
the full boiler plate text.

This work is based on a script and data from Thomas Gleixner, Philippe
Ombredanne, and Kate Stewart.

Cc: Jiri Slaby
Cc: Benjamin Herrenschmidt
Cc: Paul Mackerras
Cc: Michael Ellerman
Cc: Chris Metcalf
Cc: Jiri Kosina
Cc: David Sterba
Cc: James Hogan
Cc: Rob Herring
Cc: Eric Anholt
Cc: Stefan Wahren
Cc: Florian Fainelli
Cc: Ray Jui
Cc: Scott Branden
Cc: bcm-kernel-feedback-list@broadcom.com
Cc: "James E.J. Bottomley"
Cc: Helge Deller
Cc: Joachim Eastwood
Cc: Matthias Brugger
Cc: Masahiro Yamada
Cc: Tobias Klauser
Cc: Russell King
Cc: Vineet Gupta
Cc: Richard Genoud
Cc: Alexander Shiyan
Cc: Baruch Siach
Cc: "Maciej W. Rozycki"
Cc: "Uwe Kleine-König"
Cc: Pat Gefre
Cc: "Guilherme G. Piccoli"
Cc: Jason Wessel
Cc: Vladimir Zapolskiy
Cc: Sylvain Lemieux
Cc: Carlo Caione
Cc: Kevin Hilman
Cc: Liviu Dudau
Cc: Sudeep Holla
Cc: Lorenzo Pieralisi
Cc: Andy Gross
Cc: David Brown
Cc: "Andreas Färber"
Cc: Kevin Cernekee
Cc: Laxman Dewangan
Cc: Thierry Reding
Cc: Jonathan Hunter
Cc: Barry Song
Cc: Patrice Chotard
Cc: Maxime Coquelin
Cc: Alexandre Torgue
Cc: "David S. Miller"
Cc: Peter Korsgaard
Cc: Timur Tabi
Cc: Tony Prisk
Cc: Michal Simek
Cc: "Sören Brinkmann"
Cc: Thomas Gleixner
Cc: Kate Stewart
Cc: Philippe Ombredanne
Cc: Jiri Slaby
Signed-off-by: Greg Kroah-Hartman
19 Apr, 2017
1 commit
-
This makes it easier for job control to become optional and/or usable
independently from tty_io.c, as well as providing a nice purpose
separation. No logical changes from this patch.

Signed-off-by: Nicolas Pitre
Signed-off-by: Greg Kroah-Hartman