From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org,
	"Peter Hurley" <peter@hurleysoftware.com>,
	"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	"Dmitry Vyukov" <dvyukov@google.com>
Subject: [PATCH 3.2 08/70] tty: Fix GPF in flush_to_ldisc()
Date: Mon, 18 Jan 2016 03:18:35 +0000
Message-ID: <lsq.1453087115.441708884@decadent.org.uk>
In-Reply-To: <lsq.1453087114.713093519@decadent.org.uk>

3.2.76-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Hurley <peter@hurleysoftware.com>

commit 9ce119f318ba1a07c29149301f1544b6c4bea52a upstream.

A line discipline which does not define a receive_buf() method can
cause a GPF if data is ever received [1]. Oddly, this was known
to the author of n_tracesink in 2011, but never fixed.

[1] GPF report
    BUG: unable to handle kernel NULL pointer dereference at           (null)
    IP: [<          (null)>]           (null)
    PGD 3752d067 PUD 37a7b067 PMD 0
    Oops: 0010 [#1] SMP KASAN
    Modules linked in:
    CPU: 2 PID: 148 Comm: kworker/u10:2 Not tainted 4.4.0-rc2+ #51
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    Workqueue: events_unbound flush_to_ldisc
    task: ffff88006da94440 ti: ffff88006db60000 task.ti: ffff88006db60000
    RIP: 0010:[<0000000000000000>]  [<          (null)>]           (null)
    RSP: 0018:ffff88006db67b50  EFLAGS: 00010246
    RAX: 0000000000000102 RBX: ffff88003ab32f88 RCX: 0000000000000102
    RDX: 0000000000000000 RSI: ffff88003ab330a6 RDI: ffff88003aabd388
    RBP: ffff88006db67c48 R08: ffff88003ab32f9c R09: ffff88003ab31fb0
    R10: ffff88003ab32fa8 R11: 0000000000000000 R12: dffffc0000000000
    R13: ffff88006db67c20 R14: ffffffff863df820 R15: ffff88003ab31fb8
    FS:  0000000000000000(0000) GS:ffff88006dc00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 0000000000000000 CR3: 0000000037938000 CR4: 00000000000006e0
    Stack:
     ffffffff829f46f1 ffff88006da94bf8 ffff88006da94bf8 0000000000000000
     ffff88003ab31fb0 ffff88003aabd438 ffff88003ab31ff8 ffff88006430fd90
     ffff88003ab32f9c ffffed0007557a87 1ffff1000db6cf78 ffff88003ab32078
    Call Trace:
     [<ffffffff8127cf91>] process_one_work+0x8f1/0x17a0 kernel/workqueue.c:2030
     [<ffffffff8127df14>] worker_thread+0xd4/0x1180 kernel/workqueue.c:2162
     [<ffffffff8128faaf>] kthread+0x1cf/0x270 drivers/block/aoe/aoecmd.c:1302
     [<ffffffff852a7c2f>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
    Code:  Bad RIP value.
    RIP  [<          (null)>]           (null)
     RSP <ffff88006db67b50>
    CR2: 0000000000000000
    ---[ end trace a587f8947e54d6ea ]---

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/tty/tty_buffer.c
+++ b/drivers/tty/tty_buffer.c
@@ -442,10 +442,12 @@ static void flush_to_ldisc(struct work_s
 			char_buf = head->char_buf_ptr + head->read;
 			flag_buf = head->flag_buf_ptr + head->read;
 			head->read += count;
-			spin_unlock_irqrestore(&tty->buf.lock, flags);
-			disc->ops->receive_buf(tty, char_buf,
+			if (disc->ops->receive_buf) {
+				spin_unlock_irqrestore(&tty->buf.lock, flags);
+				disc->ops->receive_buf(tty, char_buf,
 							flag_buf, count);
-			spin_lock_irqsave(&tty->buf.lock, flags);
+				spin_lock_irqsave(&tty->buf.lock, flags);
+			}
 		}
 		clear_bit(TTY_FLUSHING, &tty->flags);
 	}
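
Review bot: In the new "if (disc->ops->receive_buf)" check, the NULL case is reached after "head->read += count" has already run, so data received for a line discipline with no receive_buf() method is consumed and silently dropped. That is a reasonable outcome, but nothing in the hunk says it is deliberate; a one-line comment above the check stating that data is discarded when the ldisc has no receive_buf() would make the intent clear to the next reader. The locking itself looks balanced: both spin_unlock_irqrestore() and spin_lock_irqsave() moved inside the guarded branch, so tty->buf.lock stays held across the skipped call and the loop continues in the same lock state on either path.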
