[PATCH 2.6.32 30/42] tty: Fix GPF in flush_to_ldisc()

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Willy Tarreau <w@1wt.eu>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Dmitry Vyukov <dvyukov@google.com>,
	Peter Hurley <peter@hurleysoftware.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Ben Hutchings <ben@decadent.org.uk>, Willy Tarreau <w@1wt.eu>
Subject: [PATCH 2.6.32 30/42] tty: Fix GPF in flush_to_ldisc()
Date: Sat, 23 Jan 2016 15:12:51 +0100	[thread overview]
Message-ID: <20160123141223.285379115@1wt.eu> (raw)
In-Reply-To: <aa387f55227cb730b41e3d621bf460ff@local>

2.6.32-longterm review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Hurley <peter@hurleysoftware.com>

commit 9ce119f318ba1a07c29149301f1544b6c4bea52a upstream.

A line discipline which does not define a receive_buf() method can
can cause a GPF if data is ever received [1]. Oddly, this was known
to the author of n_tracesink in 2011, but never fixed.

[1] GPF report
    BUG: unable to handle kernel NULL pointer dereference at           (null)
    IP: [<          (null)>]           (null)
    PGD 3752d067 PUD 37a7b067 PMD 0
    Oops: 0010 [#1] SMP KASAN
    Modules linked in:
    CPU: 2 PID: 148 Comm: kworker/u10:2 Not tainted 4.4.0-rc2+ #51
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    Workqueue: events_unbound flush_to_ldisc
    task: ffff88006da94440 ti: ffff88006db60000 task.ti: ffff88006db60000
    RIP: 0010:[<0000000000000000>]  [<          (null)>]           (null)
    RSP: 0018:ffff88006db67b50  EFLAGS: 00010246
    RAX: 0000000000000102 RBX: ffff88003ab32f88 RCX: 0000000000000102
    RDX: 0000000000000000 RSI: ffff88003ab330a6 RDI: ffff88003aabd388
    RBP: ffff88006db67c48 R08: ffff88003ab32f9c R09: ffff88003ab31fb0
    R10: ffff88003ab32fa8 R11: 0000000000000000 R12: dffffc0000000000
    R13: ffff88006db67c20 R14: ffffffff863df820 R15: ffff88003ab31fb8
    FS:  0000000000000000(0000) GS:ffff88006dc00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 0000000000000000 CR3: 0000000037938000 CR4: 00000000000006e0
    Stack:
     ffffffff829f46f1 ffff88006da94bf8 ffff88006da94bf8 0000000000000000
     ffff88003ab31fb0 ffff88003aabd438 ffff88003ab31ff8 ffff88006430fd90
     ffff88003ab32f9c ffffed0007557a87 1ffff1000db6cf78 ffff88003ab32078
    Call Trace:
     [<ffffffff8127cf91>] process_one_work+0x8f1/0x17a0 kernel/workqueue.c:2030
     [<ffffffff8127df14>] worker_thread+0xd4/0x1180 kernel/workqueue.c:2162
     [<ffffffff8128faaf>] kthread+0x1cf/0x270 drivers/block/aoe/aoecmd.c:1302
     [<ffffffff852a7c2f>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
    Code:  Bad RIP value.
    RIP  [<          (null)>]           (null)
     RSP <ffff88006db67b50>
    CR2: 0000000000000000
    ---[ end trace a587f8947e54d6ea ]---

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
(cherry picked from commit b23324ffa8ef8cc96865db76db938905d61d949a)
[wt: applied to drivers/char/tty_buffer.c instead]
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
 drivers/char/tty_buffer.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/char/tty_buffer.c b/drivers/char/tty_buffer.c
index 9605ee5..fbc5824 100644
--- a/drivers/char/tty_buffer.c
+++ b/drivers/char/tty_buffer.c
@@ -450,10 +450,12 @@ static void flush_to_ldisc(struct work_struct *work)
 			char_buf = head->char_buf_ptr + head->read;
 			flag_buf = head->flag_buf_ptr + head->read;
 			head->read += count;
-			spin_unlock_irqrestore(&tty->buf.lock, flags);
-			disc->ops->receive_buf(tty, char_buf,
+			if (disc->ops->receive_buf) {
+				spin_unlock_irqrestore(&tty->buf.lock, flags);
+				disc->ops->receive_buf(tty, char_buf,
 							flag_buf, count);
-			spin_lock_irqsave(&tty->buf.lock, flags);
+				spin_lock_irqsave(&tty->buf.lock, flags);
+			}
 		}
 		clear_bit(TTY_FLUSHING, &tty->flags);
 	}
-- 
1.7.12.2.21.g234cd45.dirty

next prev parent reply	other threads:[~2016-01-23 14:12 UTC|newest]

Thread overview: 43+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <aa387f55227cb730b41e3d621bf460ff@local>
2016-01-23 14:12 ` [PATCH 2.6.32 01/42] ip6mr: call del_timer_sync() in ip6mr_free_table() Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 02/42] isdn_ppp: Add checks for allocation failure in isdn_ppp_open() Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 04/42] RDS: fix race condition when sending a message on unbound socket Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 05/42] unix: avoid use-after-free in ep_remove_wait_queue Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 06/42] ext4: Fix null dereference in ext4_fill_super() Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 07/42] Revert "net: add length argument to skb_copy_and_csum_datagram_iovec" Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 08/42] udp: properly support MSG_PEEK with truncated buffers Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 09/42] KEYS: Fix race between read and revoke Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 11/42] net: fix warnings in make htmldocs by moving macro definition out of field declaration Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 12/42] bluetooth: Validate socket address length in sco_sock_bind() Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 13/42] sctp: translate host order to network order when setting a hmacid Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 14/42] fuse: break infinite loop in fuse_fill_write_pages() Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 15/42] fix sysvfs symlinks Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 16/42] vfs: Avoid softlockups with sendfile(2) Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 17/42] ext4: Fix handling of extended tv_sec Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 18/42] nfs: if we have no valid attrs, then dont declare the attribute cache valid Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 19/42] wan/x25: Fix use-after-free in x25_asy_open_tty() Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 20/42] ipv4: igmp: Allow removing groups from a removed interface Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 21/42] sched/core: Remove false-positive warning from wake_up_process() Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 22/42] ipmi: move timer init to before irq is setup Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 23/42] tcp: initialize tp->copied_seq in case of cross SYN connection Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 24/42] net, scm: fix PaX detected msg_controllen overflow in scm_detach_fds Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 25/42] sctp: update the netstamp_needed counter when copying sockets Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 26/42] af_unix: fix a fatal race with bit fields Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 27/42] rfkill: copy the name into the rfkill struct Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 28/42] ses: Fix problems with simple enclosures Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 29/42] ses: fix additional element traversal bug Willy Tarreau
2016-01-23 14:12 ` Willy Tarreau [this message]
2016-01-23 14:12 ` [PATCH 2.6.32 31/42] mISDN: fix a loop count Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 32/42] ser_gigaset: fix deallocation of platform device structure Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 33/42] spi: fix parent-device reference leak Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 34/42] s390/dis: Fix handling of format specifiers Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 35/42] USB: ipaq.c: fix a timeout loop Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 36/42] USB: fix invalid memory access in hub_activate() Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 37/42] MIPS: Fix restart of indirect syscalls Willy Tarreau
2016-01-23 14:12 ` [PATCH 2.6.32 38/42] parisc: Fix syscall restarts Willy Tarreau
2016-01-23 14:13 ` [PATCH 2.6.32 39/42] ipv6/addrlabel: fix ip6addrlbl_get() Willy Tarreau
2016-01-23 14:13 ` [PATCH 2.6.32 40/42] mm/memory_hotplug.c: check for missing sections in test_pages_in_a_zone() Willy Tarreau
2016-01-23 18:13   ` Ben Hutchings
2016-01-23 18:29     ` Willy Tarreau
2016-01-23 19:05       ` Willy Tarreau
2016-01-23 14:13 ` [PATCH 2.6.32 41/42] KVM: x86: Reload pit counters for all channels when restoring state Willy Tarreau
2016-01-23 14:13 ` [PATCH 2.6.32 42/42] kvm: x86: only channel 0 of the i8254 is linked to the HPET Willy Tarreau

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:9605ee5 dfblob:fbc5824 )
 OR (
bs:"[PATCH 2.6.32 30/42] tty: Fix GPF in flush_to_ldisc()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160123141223.285379115@1wt.eu \
    --to=w@1wt.eu \
    --cc=ben@decadent.org.uk \
    --cc=dvyukov@google.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=peter@hurleysoftware.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).