From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:50550 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751746AbdLJRH1 (ORCPT ); Sun, 10 Dec 2017 12:07:27 -0500 Subject: Patch "serdev: ttyport: fix NULL-deref on hangup" has been added to the 4.14-stable tree To: johan@kernel.org, gregkh@linuxfoundation.org Cc: , From: Date: Sun, 10 Dec 2017 18:07:12 +0100 Message-ID: <1512925632244174@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled serdev: ttyport: fix NULL-deref on hangup to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: serdev-ttyport-fix-null-deref-on-hangup.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From 8bcd4e6a8decac251d55c4377e2e67f052777ce0 Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Fri, 3 Nov 2017 15:30:55 +0100 Subject: serdev: ttyport: fix NULL-deref on hangup From: Johan Hovold commit 8bcd4e6a8decac251d55c4377e2e67f052777ce0 upstream. Make sure to use a properly refcounted tty_struct in write_wake up to avoid dereferencing a NULL-pointer when a port is being hung up. Fixes: bed35c6dfa6a ("serdev: add a tty port controller driver") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman --- drivers/tty/serdev/serdev-ttyport.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) --- a/drivers/tty/serdev/serdev-ttyport.c +++ b/drivers/tty/serdev/serdev-ttyport.c @@ -57,12 +57,19 @@ static void ttyport_write_wakeup(struct { struct serdev_controller *ctrl = port->client_data; struct serport *serport = serdev_controller_get_drvdata(ctrl); + struct tty_struct *tty; - if (test_and_clear_bit(TTY_DO_WRITE_WAKEUP, &port->tty->flags) && + tty = tty_port_tty_get(port); + if (!tty) + return; + + if (test_and_clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags) && test_bit(SERPORT_ACTIVE, &serport->flags)) serdev_controller_write_wakeup(ctrl); - wake_up_interruptible_poll(&port->tty->write_wait, POLLOUT); + wake_up_interruptible_poll(&tty->write_wait, POLLOUT); + + tty_kref_put(tty); } static const struct tty_port_client_operations client_ops = { Patches currently in stable-queue which might be from johan@kernel.org are queue-4.14/serdev-ttyport-fix-null-deref-on-hangup.patch queue-4.14/serdev-ttyport-fix-tty-locking-in-close.patch queue-4.14/serdev-ttyport-add-missing-receive_buf-sanity-checks.patch