05 Dec, 2020

2 commits

  • Currently, locking of ->session is very inconsistent; most places
    protect it using the legacy tty mutex, but disassociate_ctty(),
    __do_SAK(), tiocspgrp() and tiocgsid() don't.
    Two of the writers hold the ctrl_lock (because they already need it for
    ->pgrp), but __proc_set_tty() doesn't do that yet.

    On a PREEMPT=y system, an unprivileged user can theoretically abuse
    this broken locking to read 4 bytes of freed memory via TIOCGSID if
    tiocgsid() is preempted long enough at the right point. (Other things
    might also go wrong, especially if root-only ioctls are involved; I'm
    not sure about that.)

    Change the locking on ->session such that:

    - tty_lock() is held by all writers: By making disassociate_ctty()
      hold it. This should be fine because the same lock can already be
      taken through the call to tty_vhangup_session().
      The tricky part is that we need to shorten the area covered by
      siglock to be able to take tty_lock() without ugly retry logic; as
      far as I can tell, this should be fine, since nothing in the
      signal_struct is touched in the `if (tty)` branch.
    - ctrl_lock is held by all writers: By changing __proc_set_tty() to
      hold the lock a little longer.
    - All readers that aren't holding tty_lock() hold ctrl_lock: By
      adding locking to tiocgsid() and __do_SAK(), and expanding the area
      covered by ctrl_lock in tiocspgrp().

    Cc: stable@kernel.org
    Signed-off-by: Jann Horn
    Reviewed-by: Jiri Slaby
    Signed-off-by: Greg Kroah-Hartman

    Jann Horn
     
  • tiocspgrp() takes two tty_struct pointers: One to the tty that userspace
    passed to ioctl() (`tty`) and one to the TTY being changed (`real_tty`).
    These pointers are different when ioctl() is called with a master fd.

    To properly lock real_tty->pgrp, we must take real_tty->ctrl_lock.

    This bug makes it possible for racing ioctl(TIOCSPGRP, ...) calls on
    both sides of a PTY pair to corrupt the refcount of `struct pid`,
    leading to use-after-free errors.

    Fixes: 47f86834bbd4 ("redo locking of tty->pgrp")
    CC: stable@kernel.org
    Signed-off-by: Jann Horn
    Reviewed-by: Jiri Slaby
    Signed-off-by: Greg Kroah-Hartman

    Jann Horn
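
Added example, not part of the commits above or of the kernel source: a single-threaded userspace model of the rule in the second commit, that `->pgrp` must be written under the `ctrl_lock` of the tty being changed (`real_tty`), not of the tty the fd refers to. All names (`model_tty`, `set_pgrp`, `model_tiocspgrp`, `count_unlocked_writes`) are hypothetical; the `ctrl_held` flag stands in for the kind of check `lockdep_assert_held()` performs in the kernel, and the "before" path assumes the old code locked `tty`, as the commit message implies.

```c
#include <pthread.h>
#include <stdbool.h>

/* Constructed userspace model: each tty has its own ctrl_lock guarding its own pgrp. */
struct model_tty {
    pthread_mutex_t ctrl_lock;
    bool ctrl_held;   /* true while ctrl_lock is held, so the writer can check it */
    int pgrp;
};
static int unlocked_writes;   /* writes to ->pgrp made without the owner's ctrl_lock */

static void ctrl_lock(struct model_tty *t)
{
    pthread_mutex_lock(&t->ctrl_lock);
    t->ctrl_held = true;
}

static void ctrl_unlock(struct model_tty *t)
{
    t->ctrl_held = false;
    pthread_mutex_unlock(&t->ctrl_lock);
}

/* Plays the role of a lockdep_assert_held() check placed next to the write. */
static void set_pgrp(struct model_tty *t, int pgrp)
{
    if (!t->ctrl_held)
        unlocked_writes++;
    t->pgrp = pgrp;
}

/* tty: the end the fd refers to; real_tty: the end whose pgrp is changed. */
static void model_tiocspgrp(struct model_tty *tty, struct model_tty *real_tty,
                            int pgrp, bool fixed)
{
    struct model_tty *locked = fixed ? real_tty : tty;
    ctrl_lock(locked);
    set_pgrp(real_tty, pgrp);
    ctrl_unlock(locked);
}

/* Returns how many unprotected writes one modelled ioctl makes (1234 is a sample pgrp). */
int count_unlocked_writes(bool via_master_fd, bool fixed)
{
    struct model_tty master = { PTHREAD_MUTEX_INITIALIZER, false, 0 };
    struct model_tty slave = { PTHREAD_MUTEX_INITIALIZER, false, 0 };
    unlocked_writes = 0;
    model_tiocspgrp(via_master_fd ? &master : &slave, &slave, 1234, fixed);
    return unlocked_writes;
}
int main(void) { return count_unlocked_writes(true, true); }
```

Only the master-fd call on the unfixed path writes the slave's `pgrp` without the slave's lock held, which is why a concurrent call on the slave side is not excluded.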
     

18 Aug, 2020

1 commit

  • With W=1, the kernel-doc checker complains quite a lot in the tty layer.
    Over time, many documented parameters were renamed, removed or
    switched from tty to tty_port and similar. Some were mistyped in the doc
    too.

    So fix all these in the tty core. (But do not add the missing ones which
    the checker complains about too. Not now.) The rest in the tty layer
    will follow in the next patches.

    Signed-off-by: Jiri Slaby
    Link: https://lore.kernel.org/r/20200818085655.12071-4-jslaby@suse.cz
    Signed-off-by: Greg Kroah-Hartman

    Jiri Slaby
     

28 Mar, 2019

2 commits

  • The intention was clearly to use the tty_pgrp local variable rather than
    re-read tty->pgrp outside of ctrl_lock, so do that.

    This bug was introduced by commit 2812d9e9fd94 ("tty: Combine
    SIGTTOU/SIGTTIN handling").

    Signed-off-by: David Emett
    Signed-off-by: Greg Kroah-Hartman

    David Emett
     
  • Building with W=1 reports (among other things):
    CC drivers/tty/tty_jobctrl.o
    drivers/tty/tty_jobctrl.c:317: warning: Cannot understand *
    on line 317 - I thought it was a doc line

    Fix up the non-kerneldoc comment. (other warnings to be cleaned up in separate patch)

    Signed-off-by: Valdis Kletnieks
    Signed-off-by: Greg Kroah-Hartman

    Valdis Klētnieks
     

08 Nov, 2017

1 commit

  • It's good to have SPDX identifiers in all files to make it easier to
    audit the kernel tree for correct licenses.

    Update the drivers/tty files with the correct SPDX license
    identifier based on the license text in the file itself. The SPDX
    identifier is a legally binding shorthand, which can be used instead of
    the full boilerplate text.

    This work is based on a script and data from Thomas Gleixner, Philippe
    Ombredanne, and Kate Stewart.

    Cc: Jiri Slaby
    Cc: Benjamin Herrenschmidt
    Cc: Paul Mackerras
    Cc: Michael Ellerman
    Cc: Chris Metcalf
    Cc: Jiri Kosina
    Cc: David Sterba
    Cc: James Hogan
    Cc: Rob Herring
    Cc: Eric Anholt
    Cc: Stefan Wahren
    Cc: Florian Fainelli
    Cc: Ray Jui
    Cc: Scott Branden
    Cc: bcm-kernel-feedback-list@broadcom.com
    Cc: "James E.J. Bottomley"
    Cc: Helge Deller
    Cc: Joachim Eastwood
    Cc: Matthias Brugger
    Cc: Masahiro Yamada
    Cc: Tobias Klauser
    Cc: Russell King
    Cc: Vineet Gupta
    Cc: Richard Genoud
    Cc: Alexander Shiyan
    Cc: Baruch Siach
    Cc: "Maciej W. Rozycki"
    Cc: "Uwe Kleine-König"
    Cc: Pat Gefre
    Cc: "Guilherme G. Piccoli"
    Cc: Jason Wessel
    Cc: Vladimir Zapolskiy
    Cc: Sylvain Lemieux
    Cc: Carlo Caione
    Cc: Kevin Hilman
    Cc: Liviu Dudau
    Cc: Sudeep Holla
    Cc: Lorenzo Pieralisi
    Cc: Andy Gross
    Cc: David Brown
    Cc: "Andreas Färber"
    Cc: Kevin Cernekee
    Cc: Laxman Dewangan
    Cc: Thierry Reding
    Cc: Jonathan Hunter
    Cc: Barry Song
    Cc: Patrice Chotard
    Cc: Maxime Coquelin
    Cc: Alexandre Torgue
    Cc: "David S. Miller"
    Cc: Peter Korsgaard
    Cc: Timur Tabi
    Cc: Tony Prisk
    Cc: Michal Simek
    Cc: "Sören Brinkmann"
    Cc: Thomas Gleixner
    Cc: Kate Stewart
    Cc: Philippe Ombredanne
    Cc: Jiri Slaby
    Signed-off-by: Greg Kroah-Hartman

    Greg Kroah-Hartman
     

19 Apr, 2017

1 commit