Commit 72934919ba0f17b51166e5ab31c52e114676cb25

Authored by Johan Hovold
Committed by Greg Kroah-Hartman
1 parent 68d91b4c79

USB: console: fix potential use after free

commit 32a4bf2e81ec378e5925d4e069e0677a6c86a6ad upstream.

Use tty kref to release the fake tty in usb_console_setup to avoid use
after free if the underlying serial driver has acquired a reference.

Note that using the tty destructor release_one_tty requires some more
state to be initialised.

Fixes: 4a90f09b20f4 ("tty: usb-serial krefs")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Showing 1 changed file with 10 additions and 5 deletions

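--- a/drivers/usb/serial/console.c
+++ b/drivers/usb/serial/console.c
@@ -1,300 +1,305 @@
 /*
 * USB Serial Console driver
 *
 * Copyright (C) 2001 - 2002 Greg Kroah-Hartman (greg@kroah.com)
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License version
 * 2 as published by the Free Software Foundation.
 *
 * Thanks to Randy Dunlap for the original version of this code.
 *
 */
 
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
 #include <linux/kernel.h>
 #include <linux/slab.h>
 #include <linux/tty.h>
 #include <linux/console.h>
 #include <linux/serial.h>
 #include <linux/usb.h>
 #include <linux/usb/serial.h>
 
 struct usbcons_info {
 int magic;
 int break_flag;
 struct usb_serial_port *port;
 };
 
 static struct usbcons_info usbcons_info;
 static struct console usbcons;
 
 /*
 * ------------------------------------------------------------
 * USB Serial console driver
 *
 * Much of the code here is copied from drivers/char/serial.c
 * and implements a phony serial console in the same way that
 * serial.c does so that in case some software queries it,
 * it will get the same results.
 *
 * Things that are different from the way the serial port code
 * does things, is that we call the lower level usb-serial
 * driver code to initialize the device, and we set the initial
 * console speeds based on the command line arguments.
 * ------------------------------------------------------------
 */
 
+static const struct tty_operations usb_console_fake_tty_ops = {
+};
 
 /*
 * The parsing of the command line works exactly like the
 * serial.c code, except that the specifier is "ttyUSB" instead
 * of "ttyS".
 */
 static int usb_console_setup(struct console *co, char *options)
 {
 struct usbcons_info *info = &usbcons_info;
 int baud = 9600;
 int bits = 8;
 int parity = 'n';
 int doflow = 0;
 int cflag = CREAD | HUPCL | CLOCAL;
 char *s;
 struct usb_serial *serial;
 struct usb_serial_port *port;
 int retval;
 struct tty_struct *tty = NULL;
 struct ktermios dummy;
 
 if (options) {
 baud = simple_strtoul(options, NULL, 10);
 s = options;
 while (*s >= '0' && *s <= '9')
 s++;
 if (*s)
 parity = *s++;
 if (*s)
 bits = *s++ - '0';
 if (*s)
 doflow = (*s++ == 'r');
 }
 
 /* Sane default */
 if (baud == 0)
 baud = 9600;
 
 switch (bits) {
 case 7:
 cflag |= CS7;
 break;
 default:
 case 8:
 cflag |= CS8;
 break;
 }
 switch (parity) {
 case 'o': case 'O':
 cflag |= PARODD;
 break;
 case 'e': case 'E':
 cflag |= PARENB;
 break;
 }
 co->cflag = cflag;
 
 /*
 * no need to check the index here: if the index is wrong, console
 * code won't call us
 */
 port = usb_serial_port_get_by_minor(co->index);
 if (port == NULL) {
 /* no device is connected yet, sorry :( */
 pr_err("No USB device connected to ttyUSB%i\n", co->index);
 return -ENODEV;
 }
 serial = port->serial;
 
 retval = usb_autopm_get_interface(serial->interface);
 if (retval)
 goto error_get_interface;
 
 tty_port_tty_set(&port->port, NULL);
 
 info->port = port;
 
 ++port->port.count;
 if (!test_bit(ASYNCB_INITIALIZED, &port->port.flags)) {
 if (serial->type->set_termios) {
 /*
 * allocate a fake tty so the driver can initialize
 * the termios structure, then later call set_termios to
 * configure according to command line arguments
 */
 tty = kzalloc(sizeof(*tty), GFP_KERNEL);
 if (!tty) {
 retval = -ENOMEM;
 goto reset_open_count;
 }
 kref_init(&tty->kref);
-tty_port_tty_set(&port->port, tty);
 tty->driver = usb_serial_tty_driver;
 tty->index = co->index;
 init_ldsem(&tty->ldisc_sem);
+INIT_LIST_HEAD(&tty->tty_files);
+kref_get(&tty->driver->kref);
+tty->ops = &usb_console_fake_tty_ops;
 if (tty_init_termios(tty)) {
 retval = -ENOMEM;
-goto free_tty;
+goto put_tty;
 }
+tty_port_tty_set(&port->port, tty);
 }
 
 /* only call the device specific open if this
 * is the first time the port is opened */
 retval = serial->type->open(NULL, port);
 if (retval) {
 dev_err(&port->dev, "could not open USB console port\n");
 goto fail;
 }
 
 if (serial->type->set_termios) {
 tty->termios.c_cflag = cflag;
 tty_termios_encode_baud_rate(&tty->termios, baud, baud);
 memset(&dummy, 0, sizeof(struct ktermios));
 serial->type->set_termios(tty, port, &dummy);
 
 tty_port_tty_set(&port->port, NULL);
-kfree(tty);
+tty_kref_put(tty);
 }
 set_bit(ASYNCB_INITIALIZED, &port->port.flags);
 }
 /* Now that any required fake tty operations are completed restore
 * the tty port count */
 --port->port.count;
 /* The console is special in terms of closing the device so
 * indicate this port is now acting as a system console. */
 port->port.console = 1;
 
 mutex_unlock(&serial->disc_mutex);
 return retval;
 
 fail:
 tty_port_tty_set(&port->port, NULL);
-free_tty:
-kfree(tty);
+put_tty:
+tty_kref_put(tty);
 reset_open_count:
 port->port.count = 0;
 usb_autopm_put_interface(serial->interface);
 error_get_interface:
 usb_serial_put(serial);
 mutex_unlock(&serial->disc_mutex);
 return retval;
 }
 
 static void usb_console_write(struct console *co,
 const char *buf, unsigned count)
 {
 static struct usbcons_info *info = &usbcons_info;
 struct usb_serial_port *port = info->port;
 struct usb_serial *serial;
 int retval = -ENODEV;
 
 if (!port || port->serial->dev->state == USB_STATE_NOTATTACHED)
 return;
 serial = port->serial;
 
 if (count == 0)
 return;
 
 dev_dbg(&port->dev, "%s - %d byte(s)\n", __func__, count);
 
 if (!port->port.console) {
 dev_dbg(&port->dev, "%s - port not opened\n", __func__);
 return;
 }
 
 while (count) {
 unsigned int i;
 unsigned int lf;
 /* search for LF so we can insert CR if necessary */
 for (i = 0, lf = 0 ; i < count ; i++) {
 if (*(buf + i) == 10) {
 lf = 1;
 i++;
 break;
 }
 }
 /* pass on to the driver specific version of this function if
 it is available */
 retval = serial->type->write(NULL, port, buf, i);
 dev_dbg(&port->dev, "%s - write: %d\n", __func__, retval);
 if (lf) {
 /* append CR after LF */
 unsigned char cr = 13;
 retval = serial->type->write(NULL, port, &cr, 1);
 dev_dbg(&port->dev, "%s - write cr: %d\n",
 __func__, retval);
 }
 buf += i;
 count -= i;
 }
 }
 
 static struct tty_driver *usb_console_device(struct console *co, int *index)
 {
 struct tty_driver **p = (struct tty_driver **)co->data;
 
 if (!*p)
 return NULL;
 
 *index = co->index;
 return *p;
 }
 
 static struct console usbcons = {
 .name = "ttyUSB",
 .write = usb_console_write,
 .device = usb_console_device,
 .setup = usb_console_setup,
 .flags = CON_PRINTBUFFER,
 .index = -1,
 .data = &usb_serial_tty_driver,
 };
 
 void usb_serial_console_disconnect(struct usb_serial *serial)
 {
 if (serial && serial->port && serial->port[0]
 && serial->port[0] == usbcons_info.port) {
 usb_serial_console_exit();
 usb_serial_put(serial);
 }
 }
 
 void usb_serial_console_init(int minor)
 {
 if (minor == 0) {
 /*
 * Call register_console() if this is the first device plugged
 * in. If we call it earlier, then the callback to
 * console_setup() will fail, as there is not a device seen by
 * the USB subsystem yet.
 */
 /*
 * Register console.
 * NOTES:
 * console_setup() is called (back) immediately (from
 * register_console). console_write() is called immediately
 * from register_console iff CON_PRINTBUFFER is set in flags.
 */
 pr_debug("registering the USB serial console.\n");
 register_console(&usbcons);
 }
 }
 
 void usb_serial_console_exit(void)
 {
 if (usbcons_info.port) {
 unregister_console(&usbcons);
 usbcons_info.port->port.console = 0;
 usbcons_info.port = NULL;
 }
 }
 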
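Review bot: The fake tty in usb_console_setup() now depends on exactly which fields release_one_tty() tears down, but nothing at the allocation site records that contract, so a later change to the tty core destructor (a put_device() on tty->dev, a put_pid(), a module_put() on driver->owner) would break this path silently. A comment above the `INIT_LIST_HEAD(&tty->tty_files);` line such as `/* Minimal state release_one_tty() touches: file list, driver kref, ops. Keep in sync with tty_io.c. */` would make the coupling visible to the next maintainer. If this tree's release_one_tty() already calls module_put(driver->owner), the `kref_get(&tty->driver->kref);` alone leaves the module refcount unbalanced on every console setup — worth confirming against tty_io.c rather than assuming. Separately, `retval = -ENOMEM;` after tty_init_termios() discards the helper's own error code; `retval = tty_init_termios(tty); if (retval) goto put_tty;` keeps it.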