From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Colin Ian King <colin.king@canonical.com>
Subject: [PATCH 4.6 58/96] devpts: fix null pointer dereference on failed memory allocation
Date: Mon, 8 Aug 2016 21:11:21 +0200 [thread overview]
Message-ID: <20160808180246.441420831@linuxfoundation.org> (raw)
In-Reply-To: <20160808180243.898163389@linuxfoundation.org>
4.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King <colin.king@canonical.com>
commit 5353ed8deedee9e5acb9f896e9032158f5d998de upstream.
An ENOMEM when creating a pair tty in tty_ldisc_setup causes a null
pointer dereference in devpts_kill_index because tty->link->driver_data
is NULL. The oops was triggered with the pty stressor in stress-ng when
in a low memory condition.
tty_init_dev tries to clean up a tty_ldisc_setup ENOMEM error by calling
release_tty, however, this ultimately tries to clean up the NULL pair'd
tty in pty_unix98_remove, triggering the Oops.
Add check to pty_unix98_remove to only clean up fsi if it is not NULL.
Ooops:
[ 23.020961] Oops: 0000 [#1] SMP
[ 23.020976] Modules linked in: ppdev snd_hda_codec_generic snd_hda_intel snd_hda_codec parport_pc snd_hda_core snd_hwdep parport snd_pcm input_leds joydev snd_timer serio_raw snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel qxl aes_x86_64 ttm lrw gf128mul glue_helper ablk_helper drm_kms_helper cryptd syscopyarea sysfillrect psmouse sysimgblt floppy fb_sys_fops drm pata_acpi jitterentropy_rng drbg ansi_cprng
[ 23.020978] CPU: 0 PID: 1452 Comm: stress-ng-pty Not tainted 4.7.0-rc4+ #2
[ 23.020978] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 23.020979] task: ffff88007ba30000 ti: ffff880078ea8000 task.ti: ffff880078ea8000
[ 23.020981] RIP: 0010:[<ffffffff813f11ff>] [<ffffffff813f11ff>] ida_remove+0x1f/0x120
[ 23.020981] RSP: 0018:ffff880078eabb60 EFLAGS: 00010a03
[ 23.020982] RAX: 4444444444444567 RBX: 0000000000000000 RCX: 000000000000001f
[ 23.020982] RDX: 000000000000014c RSI: 000000000000026f RDI: 0000000000000000
[ 23.020982] RBP: ffff880078eabb70 R08: 0000000000000004 R09: 0000000000000036
[ 23.020983] R10: 000000000000026f R11: 0000000000000000 R12: 000000000000026f
[ 23.020983] R13: 000000000000026f R14: ffff88007c944b40 R15: 000000000000026f
[ 23.020984] FS: 00007f9a2f3cc700(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
[ 23.020984] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 23.020985] CR2: 0000000000000010 CR3: 000000006c81b000 CR4: 00000000001406f0
[ 23.020988] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 23.020988] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 23.020988] Stack:
[ 23.020989] 0000000000000000 000000000000026f ffff880078eabb90 ffffffff812a5a99
[ 23.020990] 0000000000000000 00000000fffffff4 ffff880078eabba8 ffffffff814f9cbe
[ 23.020991] ffff88007965c800 ffff880078eabbc8 ffffffff814eef43 fffffffffffffff4
[ 23.020991] Call Trace:
[ 23.021000] [<ffffffff812a5a99>] devpts_kill_index+0x29/0x50
[ 23.021002] [<ffffffff814f9cbe>] pty_unix98_remove+0x2e/0x50
[ 23.021006] [<ffffffff814eef43>] release_tty+0xb3/0x1b0
[ 23.021007] [<ffffffff814f18d4>] tty_init_dev+0xd4/0x1c0
[ 23.021011] [<ffffffff814f9fae>] ptmx_open+0xae/0x190
[ 23.021013] [<ffffffff812254ef>] chrdev_open+0xbf/0x1b0
[ 23.021015] [<ffffffff8121d973>] do_dentry_open+0x203/0x310
[ 23.021016] [<ffffffff81225430>] ? cdev_put+0x30/0x30
[ 23.021017] [<ffffffff8121ee44>] vfs_open+0x54/0x80
[ 23.021018] [<ffffffff8122b8fc>] ? may_open+0x8c/0x100
[ 23.021019] [<ffffffff8122f26b>] path_openat+0x2eb/0x1440
[ 23.021020] [<ffffffff81230534>] ? putname+0x54/0x60
[ 23.021022] [<ffffffff814f6f97>] ? n_tty_ioctl_helper+0x27/0x100
[ 23.021023] [<ffffffff81231651>] do_filp_open+0x91/0x100
[ 23.021024] [<ffffffff81230596>] ? getname_flags+0x56/0x1f0
[ 23.021026] [<ffffffff8123fc66>] ? __alloc_fd+0x46/0x190
[ 23.021027] [<ffffffff8121f1e4>] do_sys_open+0x124/0x210
[ 23.021028] [<ffffffff8121f2ee>] SyS_open+0x1e/0x20
[ 23.021035] [<ffffffff81845576>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[ 23.021044] Code: 63 28 45 31 e4 eb dd 0f 1f 44 00 00 55 4c 63 d6 48 ba 89 88 88 88 88 88 88 88 4c 89 d0 b9 1f 00 00 00 48 f7 e2 48 89 e5 41 54 53 <8b> 47 10 48 89 fb 8d 3c c5 00 00 00 00 48 c1 ea 09 b8 01 00 00
[ 23.021045] RIP [<ffffffff813f11ff>] ida_remove+0x1f/0x120
[ 23.021045] RSP <ffff880078eabb60>
[ 23.021046] CR2: 0000000000000010
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/pty.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
@@ -667,8 +667,11 @@ static void pty_unix98_remove(struct tty
fsi = tty->driver_data;
else
fsi = tty->link->driver_data;
- devpts_kill_index(fsi, tty->index);
- devpts_put_ref(fsi);
+
+ if (fsi) {
+ devpts_kill_index(fsi, tty->index);
+ devpts_put_ref(fsi);
+ }
}
static const struct tty_operations ptm_unix98_ops = {
next prev parent reply other threads:[~2016-08-08 19:19 UTC|newest]
Thread overview: 99+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20160808191823uscas1p21b9903f952ca81e8d85ef950478b703e@uscas1p2.samsung.com>
2016-08-08 19:10 ` [PATCH 4.6 00/96] 4.6.6-stable review Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 02/96] x86/quirks: Apply nvidia_bugs quirk only on root bus Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 03/96] x86/quirks: Reintroduce scanning of secondary buses Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 05/96] dmaengine: at_xdmac: align descriptors on 64 bits Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 06/96] dmaengine: at_xdmac: fix residue corruption Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 07/96] dmaengine: at_xdmac: double FIFO flush needed to compute residue Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 08/96] mm, sl[au]b: add __GFP_ATOMIC to the GFP reclaim mask Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 09/96] memcg: mem_cgroup_migrate() may be called with irq disabled Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 10/96] memcg: css_alloc should return an ERR_PTR value on error Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 11/96] mm/swap.c: flush lru pvecs on compound page arrival Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 12/96] mm, compaction: abort free scanner if split fails Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 13/96] fs/nilfs2: fix potential underflow in call to crc32_le Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 14/96] mm, compaction: prevent VM_BUG_ON when terminating freeing scanner Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 15/96] uapi: export lirc.h header Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 16/96] mm, meminit: always return a valid node from early_pfn_to_nid Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 17/96] mm, meminit: ensure node is online before checking whether pages are uninitialised Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 18/96] vmlinux.lds: account for destructor sections Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 19/96] mm: thp: refix false positive BUG in page_move_anon_rmap() Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 20/96] mm: memcontrol: fix cgroup creation failure after many small jobs Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 21/96] radix-tree: fix radix_tree_iter_retry() for tagged iterators Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 22/96] pps: do not crash when failed to register Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 23/96] kernel/sysrq, watchdog, sched/core: Reset watchdog on all CPUs while processing sysrq-w Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 24/96] sched/debug: Fix deadlock when enabling sched events Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 25/96] arc: unwind: warn only once if DW2_UNWIND is disabled Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 26/96] ARC: unwind: ensure that .debug_frame is generated (vs. .eh_frame) Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 27/96] xen/pciback: Fix conf_space read/write overlap check Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 28/96] xen-blkfront: save uncompleted reqs in blkfront_resume() Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 29/96] xenbus: dont BUG() on user mode induced condition Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 30/96] xenbus: dont bail early from xenbus_dev_request_and_reply() Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 31/96] xen-blkfront: fix resume issues after a migration Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 32/96] xen-blkfront: dont call talk_to_blkback when already connected to blkback Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 36/96] Input: vmmouse - remove port reservation Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 37/96] Input: elantech - add more IC body types to the list Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 38/96] Input: xpad - fix oops when attaching an unknown Xbox One gamepad Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 39/96] Input: wacom_w8001 - w8001_MAX_LENGTH should be 13 Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 40/96] Input: wacom_w8001 - ignore invalid pen data packets Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 41/96] Input: xpad - validate USB endpoint count during probe Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 42/96] Revert "Input: wacom_w8001 - drop use of ABS_MT_TOOL_TYPE" Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 43/96] Input: synaptics-rmi4 - fix maximum size check for F12 control register 8 Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 45/96] pvclock: Add CPU barriers to get correct version value Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 46/96] pinctrl: single: Fix missing flush of posted write for a wakeirq Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 47/96] pinctrl: imx: Do not treat a PIN without MUX register as an error Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 48/96] cgroup: remove redundant cleanup in css_create Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 49/96] cgroup: set css->id to -1 during init Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 50/96] cgroup: Disable IRQs while holding css_set_lock Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 51/96] power_supply: power_supply_read_temp only if use_cnt > 0 Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 52/96] locks: use file_inode() Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 53/96] Revert "ecryptfs: forbid opening files without mmap handler" Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 54/96] ecryptfs: dont allow mmap when the lower fs doesnt support it Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 55/96] ext4: verify extent header depth Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 56/96] 9p: use file_dentry() Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 57/96] cpufreq: Avoid false-positive WARN_ON()s in cpufreq_update_policy() Greg Kroah-Hartman
2016-08-08 19:11 ` Greg Kroah-Hartman [this message]
2016-08-08 19:11 ` [PATCH 4.6 59/96] namespace: update event counter when umounting a deleted dentry Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 60/96] spi: rockchip: Signal unfinished DMA transfers Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 61/96] spi: sunxi: fix transfer timeout Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 62/96] spi: sun4i: fix FIFO limit Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 63/96] clk: rockchip: initialize flags of clk_init_data in mmc-phase clock Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 64/96] clk: at91: fix clk_programmable_set_parent() Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 65/96] lockd: unregister notifier blocks if the service fails to come up completely Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 66/96] platform/chrome: cros_ec_dev - double fetch bug in ioctl Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 67/96] qeth: delete napi struct when removing a qeth device Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 68/96] init/Kconfig: keep Expert users menu together Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 69/96] block: fix use-after-free in sys_ioprio_get() Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 70/96] mmc: block: fix free of uninitialized idata->buf Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 71/96] mmc: block: fix packed command header endianness Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 72/96] sched/fair: Fix effective_load() to consistently use smoothed load Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 73/96] can: at91_can: RX queue could get stuck at high bus load Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 74/96] can: c_can: Update D_CAN TX and RX functions to 32 bit - fix Altera Cyclone access Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 75/96] can: fix handling of unmodifiable configuration options fix Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 76/96] can: fix oops caused by wrong rtnl dellink usage Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 77/96] RDS: fix rds_tcp_init() error path Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 78/96] irqchip/mips-gic: Map to VPs using HW VPNum Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 79/96] irqchip/mips-gic: Match IPI IRQ domain by bus token only Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 81/96] SCSI: fix new bug in scsi_dev_info_list string matching Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 82/96] ipr: Clear interrupt on croc/crocodile when running with LSI Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 83/96] media: fix airspy usb probe error path Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 84/96] posix_cpu_timer: Exit early when process has been reaped Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 85/96] cpu/hotplug: Keep enough storage space if SMP=n to avoid array out of bounds scribble Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 86/96] [media] adv7604: Dont ignore pad number in subdev DV timings pad operations Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 87/96] i2c: qup: Fix wrong value of index variable Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 88/96] i2c: mux: reg: wrong condition checked for of_address_to_resource return value Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 89/96] libata: LITE-ON CX1-JB256-HP needs lower max_sectors Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 90/96] libceph: apply new_state before new_up_client on incrementals Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 91/96] net: mvneta: set real interrupt per packet for tx_done Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 92/96] cfg80211: handle failed skb allocation Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 93/96] intel_th: pci: Add Kaby Lake PCH-H support Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 94/96] intel_th: Fix a deadlock in modprobing Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 95/96] vfs: ioctl: prevent double-fetch in dedupe ioctl Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 96/96] vfs: fix deadlock in file_remove_privs() on overlayfs Greg Kroah-Hartman
2016-08-09 5:03 ` [PATCH 4.6 00/96] 4.6.6-stable review Guenter Roeck
2016-08-09 8:24 ` Greg Kroah-Hartman
2016-08-09 8:33 ` Paul Burton
2016-08-09 8:37 ` Greg Kroah-Hartman
2016-08-09 16:19 ` Guenter Roeck
2016-08-09 17:22 ` Greg Kroah-Hartman
2016-08-10 1:25 ` Guenter Roeck
2016-08-09 15:10 ` Shuah Khan
2016-08-09 17:22 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160808180246.441420831@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=colin.king@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).