From: Greg Kroah-Hartman <gregkh@suse.de>
To: linux-serial@vger.kernel.org
Cc: Jiri Slaby <jslaby@suse.cz>, stable <stable@vger.kernel.org>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Pekka Enberg <penberg@kernel.org>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [PATCH 69/79] TTY: make tty_add_file non-failing
Date: Wed, 26 Oct 2011 14:13:14 +0200 [thread overview]
Message-ID: <1319631204-23262-69-git-send-email-gregkh@suse.de> (raw)
In-Reply-To: <1319631204-23262-1-git-send-email-gregkh@suse.de>
From: Jiri Slaby <jslaby@suse.cz>
If tty_add_file fails at the point it is now, we have to revert all
the changes we did to the tty. It means either decrease all refcounts
if this was a tty reopen or delete the tty if it was newly allocated.
There was a try to fix this in v3.0-rc2 using tty_release in 0259894c7
(TTY: fix fail path in tty_open). But instead it introduced a NULL
dereference. It's because tty_release dereferences
filp->private_data, but that one is set even in our tty_add_file. And
when tty_add_file fails, it's still NULL/garbage. Hence tty_release
cannot be called there.
To circumvent the original leak (and the current NULL deref) we split
tty_add_file into two functions, making the latter non-failing. In
that case we may do the former early in open, where handling failures
is easy. The latter stays as it is now. So there is no change in
functionality.
The original bug (leak) was introduced by f573bd176 (tty: Remove
__GFP_NOFAIL from tty_add_file()). Thanks Dan for reporting this.
Later, we may split tty_release into more functions and call only some
of them in this fail path instead. (If at all possible.)
Introduced-in: v2.6.37-rc2
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable <stable@vger.kernel.org>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Pekka Enberg <penberg@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/tty/pty.c | 16 +++++++++++-----
drivers/tty/tty_io.c | 47 +++++++++++++++++++++++++++++++++++------------
include/linux/tty.h | 4 +++-
3 files changed, 49 insertions(+), 18 deletions(-)
diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
index 98b6e3b..7613f95 100644
--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
@@ -657,12 +657,18 @@ static int ptmx_open(struct inode *inode, struct file *filp)
nonseekable_open(inode, filp);
+ retval = tty_alloc_file(filp);
+ if (retval)
+ return retval;
+
/* find a device that is not in use. */
tty_lock();
index = devpts_new_index(inode);
tty_unlock();
- if (index < 0)
- return index;
+ if (index < 0) {
+ retval = index;
+ goto err_file;
+ }
mutex_lock(&tty_mutex);
tty_lock();
@@ -676,9 +682,7 @@ static int ptmx_open(struct inode *inode, struct file *filp)
set_bit(TTY_PTY_LOCK, &tty->flags); /* LOCK THE SLAVE */
- retval = tty_add_file(tty, filp);
- if (retval)
- goto out;
+ tty_add_file(tty, filp);
retval = devpts_pty_new(inode, tty->link);
if (retval)
@@ -697,6 +701,8 @@ out2:
out:
devpts_kill_index(inode, index);
tty_unlock();
+err_file:
+ tty_free_file(filp);
return retval;
}
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index 6913da8..767ecbb 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -194,8 +194,7 @@ static inline struct tty_struct *file_tty(struct file *file)
return ((struct tty_file_private *)file->private_data)->tty;
}
-/* Associate a new file with the tty structure */
-int tty_add_file(struct tty_struct *tty, struct file *file)
+int tty_alloc_file(struct file *file)
{
struct tty_file_private *priv;
@@ -203,15 +202,36 @@ int tty_add_file(struct tty_struct *tty, struct file *file)
if (!priv)
return -ENOMEM;
+ file->private_data = priv;
+
+ return 0;
+}
+
+/* Associate a new file with the tty structure */
+void tty_add_file(struct tty_struct *tty, struct file *file)
+{
+ struct tty_file_private *priv = file->private_data;
+
priv->tty = tty;
priv->file = file;
- file->private_data = priv;
spin_lock(&tty_files_lock);
list_add(&priv->list, &tty->tty_files);
spin_unlock(&tty_files_lock);
+}
- return 0;
+/**
+ * tty_free_file - free file->private_data
+ *
+ * This shall be used only for fail path handling when tty_add_file was not
+ * called yet.
+ */
+void tty_free_file(struct file *file)
+{
+ struct tty_file_private *priv = file->private_data;
+
+ file->private_data = NULL;
+ kfree(priv);
}
/* Delete file from its tty */
@@ -222,8 +242,7 @@ void tty_del_file(struct file *file)
spin_lock(&tty_files_lock);
list_del(&priv->list);
spin_unlock(&tty_files_lock);
- file->private_data = NULL;
- kfree(priv);
+ tty_free_file(file);
}
@@ -1812,6 +1831,10 @@ static int tty_open(struct inode *inode, struct file *filp)
nonseekable_open(inode, filp);
retry_open:
+ retval = tty_alloc_file(filp);
+ if (retval)
+ return -ENOMEM;
+
noctty = filp->f_flags & O_NOCTTY;
index = -1;
retval = 0;
@@ -1824,6 +1847,7 @@ retry_open:
if (!tty) {
tty_unlock();
mutex_unlock(&tty_mutex);
+ tty_free_file(filp);
return -ENXIO;
}
driver = tty_driver_kref_get(tty->driver);
@@ -1856,6 +1880,7 @@ retry_open:
}
tty_unlock();
mutex_unlock(&tty_mutex);
+ tty_free_file(filp);
return -ENODEV;
}
@@ -1863,6 +1888,7 @@ retry_open:
if (!driver) {
tty_unlock();
mutex_unlock(&tty_mutex);
+ tty_free_file(filp);
return -ENODEV;
}
got_driver:
@@ -1874,6 +1900,7 @@ got_driver:
tty_unlock();
mutex_unlock(&tty_mutex);
tty_driver_kref_put(driver);
+ tty_free_file(filp);
return PTR_ERR(tty);
}
}
@@ -1889,15 +1916,11 @@ got_driver:
tty_driver_kref_put(driver);
if (IS_ERR(tty)) {
tty_unlock();
+ tty_free_file(filp);
return PTR_ERR(tty);
}
- retval = tty_add_file(tty, filp);
- if (retval) {
- tty_unlock();
- tty_release(inode, filp);
- return retval;
- }
+ tty_add_file(tty, filp);
check_tty_count(tty, "tty_open");
if (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
diff --git a/include/linux/tty.h b/include/linux/tty.h
index 64c12a3..ff2925a 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -471,7 +471,9 @@ extern void proc_clear_tty(struct task_struct *p);
extern struct tty_struct *get_current_tty(void);
extern void tty_default_fops(struct file_operations *fops);
extern struct tty_struct *alloc_tty_struct(void);
-extern int tty_add_file(struct tty_struct *tty, struct file *file);
+extern int tty_alloc_file(struct file *file);
+extern void tty_add_file(struct tty_struct *tty, struct file *file);
+extern void tty_free_file(struct file *file);
extern void free_tty_struct(struct tty_struct *tty);
extern void initialize_tty_struct(struct tty_struct *tty,
struct tty_driver *driver, int idx);
--
1.7.7
next prev parent reply other threads:[~2011-10-26 12:14 UTC|newest]
Thread overview: 87+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-10-26 11:42 [GIT PATCH] TTY/serial driver patches for 3.2 Greg KH
2011-10-26 12:12 ` [PATCH 01/79] tty/powerpc: introduce the ePAPR embedded hypervisor byte channel driver Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 02/79] drivers/tty/synclink: remove double comment Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 03/79] TTY: serial, remove BTM from wait_until_sent Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 04/79] TTY: msm_serial, remove unneeded console set Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 05/79] TTY: serial, remove tasklet for tty_wakeup Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 06/79] TTY: ami_serial, remove BTM from wait_until_sent Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 07/79] TTY: remove tty_locked Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 08/79] TTY: mxser+cyclades remove wait_until_sent debug code Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 09/79] serial:blackfin: Correct coding style in bfin serial driver Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 10/79] serial:blackfin: rename Blackfin serial driver to bfin_uart.c Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 11/79] tty: clearify structure initializer in notify_write() Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 12/79] serial:bfin_uart: Put TX IRQ in individual platform resource Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 13/79] serial: samsung: Add unified interrupt handler for s3c64xx and later SoC's Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 14/79] ARM: SAMSUNG: Remove uart irq handling from plaform code Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 15/79] tty: serial: allow ports to override the irq handler Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 16/79] tty: serial8250: allow platforms to override " Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 17/79] mips: msp71xx/serial: convert to pr_foo() helpers Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 18/79] mips: msp71xx/serial: add workaround for DW UART Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 19/79] tty: serial8250: remove UPIO_DWAPB{,32} Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 20/79] tty: serial8250: add helpers for the DesignWare 8250 Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 21/79] tty: of_serial: add support " Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 22/79] Revert "tty: of_serial: add support for the DesignWare 8250" Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 23/79] Revert "tty: serial8250: add helpers " Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 24/79] serial/imx: support to handle break character Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 25/79] atmel_serial: RS485: receiving enabled when sending data Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 26/79] tty: Add support serial for EXYNOS4212 SoC Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 27/79] jsm: remove remaining flip buffer code Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 28/79] jsm: remove buggy write queue Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 29/79] jsm: print byte we are dequeing Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 30/79] TTY: serial, use ASYNCB_CLOSING in uart_close Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 31/79] TTY: serial, move locking " Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 32/79] TTY: define tty_wait_until_sent_from_close Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 33/79] TTY: use tty_wait_until_sent_from_close in tty_port_close_start Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 34/79] TTY: use tty_wait_until_sent_from_close in other drivers Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 35/79] hsu: add runtime pm support Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 36/79] n_gsm: update TODO list Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 37/79] n_gsm: Send CLD command on exit Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 38/79] max3110: wake up fixes Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 39/79] x86/mrst: Add platform data for Max3110 devices Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 40/79] max3110: add sysrq support Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 41/79] max3110: Fix up port->tty backreferencing Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 42/79] tty/powerpc: fix build break with ehv_bytechan.c on allyesconfig Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 43/79] tty: 8250: export serial8250_handle_irq Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 44/79] tty: add a DesignWare 8250 driver Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 45/79] serial: pxa: work around for errata #20 Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 46/79] TTY: serial: Move mutex_unlock in uart_close function Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 47/79] TTY: serial, remove dead code from 68328 Greg Kroah-Hartman
2011-10-26 12:26 ` Geert Uytterhoeven
2011-10-26 12:12 ` [PATCH 48/79] TTY: serial, fix includes in some drivers Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 49/79] cris: fix a build error in drivers/tty/serial/crisv10.c Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 50/79] serial: Support the EFR-register of XR1715x uarts Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 51/79] cris: lower the printk level in cris serial driver Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 52/79] TTY: serial, move 68360 driver to staging Greg Kroah-Hartman
2011-10-26 12:27 ` Geert Uytterhoeven
2011-10-26 12:12 ` [PATCH 53/79] keyboard: Do not include <linux/irq.> Greg Kroah-Hartman
2011-10-26 12:12 ` [PATCH 54/79] serial: mfd: Initconst section fixes Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 55/79] serial-core: power up uart port early before we do set_termios when resuming Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 56/79] TTY: irq: Remove IRQF_DISABLED Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 57/79] drivers/tty: don't use the byte channel handle as a parameter in ehv_bytechan.c Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 58/79] tty/n_gsm: fix bug in tiocmset Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 59/79] 8250: ratelimit LSR safety check engaged warning Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 60/79] tty/n_gsm: fix a bug in gsm_dlci_data_output (adaption = 2 case) Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 61/79] tty/n_gsm: avoid fifo overflow in gsm_dlci_data_output Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 62/79] TTY: snyclinkmp: forever loop in tx_load_dma_buffer() Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 63/79] hvc_console: display printk messages on console Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 64/79] tty: Support compat_ioctl get/set termios_locked Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 65/79] parport_pc: release IO region properly if unsupported ITE887x card is found Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 66/79] h8300: drivers/serial/Kconfig was moved Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 67/79] 8250_pci: Fix kernel panic when pch_uart is disabled Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 68/79] TTY: drop driver reference in tty_open fail path Greg Kroah-Hartman
2011-10-26 12:13 ` Greg Kroah-Hartman [this message]
2011-10-26 12:13 ` [PATCH 70/79] TTY: pty, release tty in all ptmx_open fail paths Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 71/79] TTY: call tty_driver_lookup_tty unconditionally Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 72/79] tty/serial: RS485 bindings for device tree Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 73/79] tty/serial: atmel_serial: change platform_data variable name Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 74/79] tty/serial: atmel_serial: whitespace and braces modifications Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 75/79] tty/serial: atmel_serial: auto-enumerate ports Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 76/79] tty/serial: atmel_serial: add device tree support Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 77/79] Revert "TTY: call tty_driver_lookup_tty unconditionally" Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 78/79] tty/serial: atmel_serial: bootconsole removed from auto-enumerates Greg Kroah-Hartman
2011-10-26 12:13 ` [PATCH 79/79] TTY: serial_core: Fix crash if DCD drop during suspend Greg Kroah-Hartman
2011-10-26 13:18 ` [GIT PATCH] TTY/serial driver patches for 3.2 Linus Torvalds
2011-10-26 13:34 ` Greg KH
2011-10-26 14:16 ` Domenico Andreoli
2011-10-26 21:38 ` Jiri Kosina
2011-10-26 15:01 ` Nicolas Ferre
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1319631204-23262-69-git-send-email-gregkh@suse.de \
--to=gregkh@suse.de \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=jslaby@suse.cz \
--cc=linux-serial@vger.kernel.org \
--cc=penberg@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).