[PATCH 3.14 62/76] tty: Fix GPF in flush_to_ldisc()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Dmitry Vyukov <dvyukov@google.com>,
	Peter Hurley <peter@hurleysoftware.com>
Subject: [PATCH 3.14 62/76] tty: Fix GPF in flush_to_ldisc()
Date: Sun, 14 Feb 2016 14:23:29 -0800	[thread overview]
Message-ID: <20160214222221.152900464@linuxfoundation.org> (raw)
In-Reply-To: <20160214222218.658495779@linuxfoundation.org>

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Hurley <peter@hurleysoftware.com>

commit 9ce119f318ba1a07c29149301f1544b6c4bea52a upstream.

A line discipline which does not define a receive_buf() method can
can cause a GPF if data is ever received [1]. Oddly, this was known
to the author of n_tracesink in 2011, but never fixed.

[1] GPF report
    BUG: unable to handle kernel NULL pointer dereference at           (null)
    IP: [<          (null)>]           (null)
    PGD 3752d067 PUD 37a7b067 PMD 0
    Oops: 0010 [#1] SMP KASAN
    Modules linked in:
    CPU: 2 PID: 148 Comm: kworker/u10:2 Not tainted 4.4.0-rc2+ #51
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    Workqueue: events_unbound flush_to_ldisc
    task: ffff88006da94440 ti: ffff88006db60000 task.ti: ffff88006db60000
    RIP: 0010:[<0000000000000000>]  [<          (null)>]           (null)
    RSP: 0018:ffff88006db67b50  EFLAGS: 00010246
    RAX: 0000000000000102 RBX: ffff88003ab32f88 RCX: 0000000000000102
    RDX: 0000000000000000 RSI: ffff88003ab330a6 RDI: ffff88003aabd388
    RBP: ffff88006db67c48 R08: ffff88003ab32f9c R09: ffff88003ab31fb0
    R10: ffff88003ab32fa8 R11: 0000000000000000 R12: dffffc0000000000
    R13: ffff88006db67c20 R14: ffffffff863df820 R15: ffff88003ab31fb8
    FS:  0000000000000000(0000) GS:ffff88006dc00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 0000000000000000 CR3: 0000000037938000 CR4: 00000000000006e0
    Stack:
     ffffffff829f46f1 ffff88006da94bf8 ffff88006da94bf8 0000000000000000
     ffff88003ab31fb0 ffff88003aabd438 ffff88003ab31ff8 ffff88006430fd90
     ffff88003ab32f9c ffffed0007557a87 1ffff1000db6cf78 ffff88003ab32078
    Call Trace:
     [<ffffffff8127cf91>] process_one_work+0x8f1/0x17a0 kernel/workqueue.c:2030
     [<ffffffff8127df14>] worker_thread+0xd4/0x1180 kernel/workqueue.c:2162
     [<ffffffff8128faaf>] kthread+0x1cf/0x270 drivers/block/aoe/aoecmd.c:1302
     [<ffffffff852a7c2f>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
    Code:  Bad RIP value.
    RIP  [<          (null)>]           (null)
     RSP <ffff88006db67b50>
    CR2: 0000000000000000
    ---[ end trace a587f8947e54d6ea ]---

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/tty_buffer.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/tty_buffer.c
+++ b/drivers/tty/tty_buffer.c
@@ -411,7 +411,7 @@ receive_buf(struct tty_struct *tty, stru
 		count = disc->ops->receive_buf2(tty, p, f, count);
 	else {
 		count = min_t(int, count, tty->receive_room);
-		if (count)
+		if (count && disc->ops->receive_buf)
 			disc->ops->receive_buf(tty, p, f, count);
 	}
 	head->read += count;

next prev parent reply	other threads:[~2016-02-14 23:12 UTC|newest]

Thread overview: 81+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-02-14 22:22 [PATCH 3.14 00/76] 3.14.61-stable review Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 01/76] xhci: fix placement of call to usb_disabled() Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 02/76] recordmcount: Fix endianness handling bug for nop_mcount Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 03/76] crypto: algif_hash - Only export and import on sockets with data Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 04/76] dm btree: fix leak of bufio-backed block in btree_split_sibling error path Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 05/76] drivers/base/memory.c: prohibit offlining of memory blocks with missing sections Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 06/76] HID: usbhid: fix recursive deadlock Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 07/76] proc: actually make proc_fd_permission() thread-friendly Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 08/76] remoteproc: avoid stack overflow in debugfs file Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 09/76] fat: fix fake_offset handling on error path Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 10/76] kernel/signal.c: unexport sigsuspend() Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 11/76] ocfs2: fix SGID not inherited issue Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 12/76] ocfs2/dlm: ignore cleaning the migration mle that is inuse Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 13/76] ocfs2/dlm: clear refmap bit of recovery lock while doing local recovery cleanup Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 14/76] sh64: fix __NR_fgetxattr Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 15/76] Revert "dm mpath: fix stalls when handling invalid ioctls" Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 16/76] spi: atmel: Fix DMA-setup for transfers with more than 8 bits per word Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 17/76] spi: ti-qspi: Fix data corruption seen on r/w stress test Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 18/76] spi: fix parent-device reference leak Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 19/76] wlcore/wl12xx: spi: fix oops on firmware load Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 20/76] wlcore/wl12xx: spi: fix NULL pointer dereference (Oops) Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 21/76] vTPM: fix memory allocation flag for rtce buffer at kernel boot Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 22/76] mtd: mtdpart: fix add_mtd_partitions error path Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 23/76] PCI: Fix minimum allocation address overwrite Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 24/76] tracing: Fix setting of start_index in find_next() Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 25/76] jbd2: Fix unreclaimed pages after truncate in data=journal mode Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 26/76] [PATCH] fix calculation of meta_bg descriptor backups Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 27/76] parisc: Drop unused MADV_xxxK_PAGES flags from asm/mman.h Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 28/76] parisc: Fix syscall restarts Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 29/76] parisc: Fix __ARCH_SI_PREAMBLE_SIZE Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 30/76] [media] v4l2-compat-ioctl32: fix alignment for ARM64 Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 31/76] [media] media: vb2 dma-contig: Fully cache synchronise buffers in prepare and finish Greg Kroah-Hartman
2016-02-14 22:22 ` [PATCH 3.14 32/76] fix sysvfs symlinks Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 33/76] ALSA: usb-audio: Fix TEAC UD-501/UD-503/NT-503 usb delay Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 34/76] ALSA: usb-audio: avoid freeing umidi object twice Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 35/76] ALSA: compress: Disable GET_CODEC_CAPS ioctl for some architectures Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 36/76] ALSA: dummy: Disable switching timer backend via sysfs Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 37/76] ALSA: seq: Fix incorrect sanity check at snd_seq_oss_synth_cleanup() Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 38/76] ALSA: rawmidi: Remove kernel WARNING for NULL user-space buffer check Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 39/76] ALSA: rawmidi: Fix race at copying & updating the position Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 40/76] ALSA: pcm: Fix potential deadlock in OSS emulation Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 41/76] ASoC: dpcm: fix the BE state on hw_free Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 42/76] ALSA: seq: Fix yet another races among ALSA timer accesses Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 43/76] ALSA: seq: Fix race at closing in virmidi driver Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 44/76] ALSA: seq: Fix lockdep warnings due to double mutex locks Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 45/76] ALSA: timer: Code cleanup Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 46/76] ALSA: timer: Fix leftover link at closing Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 47/76] ALSA: timer: Fix link corruption due to double start or stop Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 48/76] ALSA: timer: Fix wrong instance passed to slave callbacks Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 49/76] ALSA: timer: Fix race between stop and interrupt Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 50/76] ALSA: hda - Add fixup for Mac Mini 7,1 model Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 51/76] ALSA: hda - Fix static checker warning in patch_hdmi.c Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 52/76] ALSA: hda - Fix speaker output from VAIO AiO machines Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 53/76] ALSA: dummy: Implement timer backend switching more safely Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 54/76] [media] saa7134-alsa: Only frees registered sound cards Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 55/76] USB: serial: visor: fix crash on detecting device without write_urbs Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 56/76] USB: visor: fix null-deref at probe Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 57/76] usb: hub: do not clear BOS field during reset device Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 58/76] USB: serial: ftdi_sio: add support for Yaesu SCU-18 cable Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 59/76] USB: cp210x: add ID for IAI USB to RS485 adaptor Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 60/76] USB: serial: option: Adding support for Telit LE922 Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 61/76] USB: option: fix Cinterion AHxx enumeration Greg Kroah-Hartman
2016-02-14 22:23 ` Greg Kroah-Hartman [this message]
2016-02-14 22:23 ` [PATCH 3.14 63/76] tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 64/76] xhci: fix usb2 resume timing and races Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 65/76] ext4: Fix handling of extended tv_sec Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 66/76] crypto: af_alg - Disallow bind/setkey/... after accept(2) Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 67/76] crypto: af_alg - Fix socket double-free when accept fails Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 68/76] AHCI: Fix softreset failed issue of Port Multiplier Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 69/76] libata: disable forced PORTS_IMPL for >= AHCI 1.3 Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 70/76] ahci: Intel DNV device IDs SATA Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 71/76] crypto: algif_hash - wait for crypto_ahash_init() to complete Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 72/76] EVM: Use crypto_memneq() for digest comparisons Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 73/76] crypto: user - lock crypto_alg_list on alg dump Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 74/76] FS-Cache: Increase reference of parent after registering, netfs success Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 75/76] FS-Cache: Dont override netfss primary_index if registering failed Greg Kroah-Hartman
2016-02-14 22:23 ` [PATCH 3.14 76/76] binfmt_elf: Dont clobber passed executables file header Greg Kroah-Hartman
2016-02-15 15:47 ` [PATCH 3.14 00/76] 3.14.61-stable review Guenter Roeck
2016-02-17 20:39   ` Greg Kroah-Hartman
2016-02-15 17:07 ` Shuah Khan
2016-02-17 20:38   ` Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160214222221.152900464@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=dvyukov@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=peter@hurleysoftware.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.