From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alex Elder <elder@linaro.org>,
Johan Hovold <johan@kernel.org>
Subject: [PATCH 5.10 015/103] staging: greybus: uart: fix tty use after free
Date: Mon, 27 Sep 2021 19:01:47 +0200 [thread overview]
Message-ID: <20210927170226.239304897@linuxfoundation.org> (raw)
In-Reply-To: <20210927170225.702078779@linuxfoundation.org>
From: Johan Hovold <johan@kernel.org>
commit 92dc0b1f46e12cfabd28d709bb34f7a39431b44f upstream.
User space can hold a tty open indefinitely and tty drivers must not
release the underlying structures until the last user is gone.
Switch to using the tty-port reference counter to manage the life time
of the greybus tty state to avoid use after free after a disconnect.
Fixes: a18e15175708 ("greybus: more uart work")
Cc: stable@vger.kernel.org # 4.9
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20210906124538.22358-1-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/greybus/uart.c | 62 +++++++++++++++++++++--------------------
1 file changed, 32 insertions(+), 30 deletions(-)
--- a/drivers/staging/greybus/uart.c
+++ b/drivers/staging/greybus/uart.c
@@ -778,6 +778,17 @@ out:
gbphy_runtime_put_autosuspend(gb_tty->gbphy_dev);
}
+static void gb_tty_port_destruct(struct tty_port *port)
+{
+ struct gb_tty *gb_tty = container_of(port, struct gb_tty, port);
+
+ if (gb_tty->minor != GB_NUM_MINORS)
+ release_minor(gb_tty);
+ kfifo_free(&gb_tty->write_fifo);
+ kfree(gb_tty->buffer);
+ kfree(gb_tty);
+}
+
static const struct tty_operations gb_ops = {
.install = gb_tty_install,
.open = gb_tty_open,
@@ -803,6 +814,7 @@ static const struct tty_port_operations
.dtr_rts = gb_tty_dtr_rts,
.activate = gb_tty_port_activate,
.shutdown = gb_tty_port_shutdown,
+ .destruct = gb_tty_port_destruct,
};
static int gb_uart_probe(struct gbphy_device *gbphy_dev,
@@ -815,17 +827,11 @@ static int gb_uart_probe(struct gbphy_de
int retval;
int minor;
- gb_tty = kzalloc(sizeof(*gb_tty), GFP_KERNEL);
- if (!gb_tty)
- return -ENOMEM;
-
connection = gb_connection_create(gbphy_dev->bundle,
le16_to_cpu(gbphy_dev->cport_desc->id),
gb_uart_request_handler);
- if (IS_ERR(connection)) {
- retval = PTR_ERR(connection);
- goto exit_tty_free;
- }
+ if (IS_ERR(connection))
+ return PTR_ERR(connection);
max_payload = gb_operation_get_payload_size_max(connection);
if (max_payload < sizeof(struct gb_uart_send_data_request)) {
@@ -833,13 +839,23 @@ static int gb_uart_probe(struct gbphy_de
goto exit_connection_destroy;
}
+ gb_tty = kzalloc(sizeof(*gb_tty), GFP_KERNEL);
+ if (!gb_tty) {
+ retval = -ENOMEM;
+ goto exit_connection_destroy;
+ }
+
+ tty_port_init(&gb_tty->port);
+ gb_tty->port.ops = &gb_port_ops;
+ gb_tty->minor = GB_NUM_MINORS;
+
gb_tty->buffer_payload_max = max_payload -
sizeof(struct gb_uart_send_data_request);
gb_tty->buffer = kzalloc(gb_tty->buffer_payload_max, GFP_KERNEL);
if (!gb_tty->buffer) {
retval = -ENOMEM;
- goto exit_connection_destroy;
+ goto exit_put_port;
}
INIT_WORK(&gb_tty->tx_work, gb_uart_tx_write_work);
@@ -847,7 +863,7 @@ static int gb_uart_probe(struct gbphy_de
retval = kfifo_alloc(&gb_tty->write_fifo, GB_UART_WRITE_FIFO_SIZE,
GFP_KERNEL);
if (retval)
- goto exit_buf_free;
+ goto exit_put_port;
gb_tty->credits = GB_UART_FIRMWARE_CREDITS;
init_completion(&gb_tty->credits_complete);
@@ -861,7 +877,7 @@ static int gb_uart_probe(struct gbphy_de
} else {
retval = minor;
}
- goto exit_kfifo_free;
+ goto exit_put_port;
}
gb_tty->minor = minor;
@@ -870,9 +886,6 @@ static int gb_uart_probe(struct gbphy_de
init_waitqueue_head(&gb_tty->wioctl);
mutex_init(&gb_tty->mutex);
- tty_port_init(&gb_tty->port);
- gb_tty->port.ops = &gb_port_ops;
-
gb_tty->connection = connection;
gb_tty->gbphy_dev = gbphy_dev;
gb_connection_set_data(connection, gb_tty);
@@ -880,7 +893,7 @@ static int gb_uart_probe(struct gbphy_de
retval = gb_connection_enable_tx(connection);
if (retval)
- goto exit_release_minor;
+ goto exit_put_port;
send_control(gb_tty, gb_tty->ctrlout);
@@ -907,16 +920,10 @@ static int gb_uart_probe(struct gbphy_de
exit_connection_disable:
gb_connection_disable(connection);
-exit_release_minor:
- release_minor(gb_tty);
-exit_kfifo_free:
- kfifo_free(&gb_tty->write_fifo);
-exit_buf_free:
- kfree(gb_tty->buffer);
+exit_put_port:
+ tty_port_put(&gb_tty->port);
exit_connection_destroy:
gb_connection_destroy(connection);
-exit_tty_free:
- kfree(gb_tty);
return retval;
}
@@ -947,15 +954,10 @@ static void gb_uart_remove(struct gbphy_
gb_connection_disable_rx(connection);
tty_unregister_device(gb_tty_driver, gb_tty->minor);
- /* FIXME - free transmit / receive buffers */
-
gb_connection_disable(connection);
- tty_port_destroy(&gb_tty->port);
gb_connection_destroy(connection);
- release_minor(gb_tty);
- kfifo_free(&gb_tty->write_fifo);
- kfree(gb_tty->buffer);
- kfree(gb_tty);
+
+ tty_port_put(&gb_tty->port);
}
static int gb_tty_init(void)
next prev parent reply other threads:[~2021-09-27 17:08 UTC|newest]
Thread overview: 115+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-27 17:01 [PATCH 5.10 000/103] 5.10.70-rc1 review Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 001/103] PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 002/103] ocfs2: drop acl cache for directories too Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 003/103] mm: fix uninitialized use in overcommit_policy_handler Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 004/103] usb: gadget: r8a66597: fix a loop in set_feature() Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 005/103] usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 006/103] usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 007/103] usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 008/103] cifs: fix incorrect check for null pointer in header_assemble Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 009/103] xen/x86: fix PV trap handling on secondary processors Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 010/103] usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 011/103] USB: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 012/103] USB: cdc-acm: fix minor-number release Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 013/103] Revert "USB: bcma: Add a check for devm_gpiod_get" Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 014/103] binder: make sure fd closes complete Greg Kroah-Hartman
2021-09-27 17:01 ` Greg Kroah-Hartman [this message]
2021-09-27 17:01 ` [PATCH 5.10 016/103] Re-enable UAS for LaCie Rugged USB3-FW with fk quirk Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 017/103] usb: dwc3: core: balance phy init and exit Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 018/103] usb: core: hcd: Add support for deferring roothub registration Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 019/103] USB: serial: mos7840: remove duplicated 0xac24 device ID Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 020/103] USB: serial: option: add Telit LN920 compositions Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 021/103] USB: serial: option: remove duplicate USB device ID Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 022/103] USB: serial: option: add device id for Foxconn T99W265 Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 023/103] mcb: fix error handling in mcb_alloc_bus() Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 024/103] erofs: fix up erofs_lookup tracepoint Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 025/103] btrfs: prevent __btrfs_dump_space_info() to underflow its free space Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 026/103] xhci: Set HCD flag to defer primary roothub registration Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 027/103] serial: 8250: 8250_omap: Fix RX_LVL register offset Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 028/103] serial: mvebu-uart: fix drivers tx_empty callback Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 029/103] scsi: sd_zbc: Ensure buffer size is aligned to SECTOR_SIZE Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 030/103] drm/amd/pm: Update intermediate power state for SI Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 031/103] net: hso: fix muxed tty registration Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 032/103] comedi: Fix memory leak in compat_insnlist() Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 033/103] afs: Fix incorrect triggering of sillyrename on 3rd-party invalidation Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 034/103] afs: Fix updating of i_blocks on file/dir extension Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 035/103] platform/x86/intel: punit_ipc: Drop wrong use of ACPI_PTR() Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 036/103] enetc: Fix illegal access when reading affinity_hint Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 037/103] enetc: Fix uninitialized struct dim_sample field usage Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 038/103] bnxt_en: Fix TX timeout when TX ring size is set to the smallest Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 039/103] net: hns3: fix change RSS hfunc ineffective issue Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 040/103] net: hns3: check queue id range before using Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 041/103] net/smc: add missing error check in smc_clc_prfx_set() Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 042/103] net/smc: fix workqueue leaked lock in smc_conn_abort_work Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 043/103] net: dsa: dont allocate the slave_mii_bus using devres Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 044/103] net: dsa: realtek: register the MDIO bus under devres Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 045/103] kselftest/arm64: signal: Add SVE to the set of features we can check for Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 046/103] kselftest/arm64: signal: Skip tests if required features are missing Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 047/103] s390/qeth: fix NULL deref in qeth_clear_working_pool_list() Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 048/103] s390/qeth: fix deadlock during failing recovery Greg Kroah-Hartman
2021-09-27 17:45 ` Naresh Kamboju
2021-09-27 18:25 ` Naresh Kamboju
2021-09-28 7:16 ` Greg Kroah-Hartman
2021-09-28 10:29 ` Julian Wiedmann
2021-09-27 17:02 ` [PATCH 5.10 049/103] gpio: uniphier: Fix void functions to remove return value Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 050/103] qed: rdma - dont wait for resources under hw error recovery flow Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 051/103] net/mlx4_en: Dont allow aRFS for encapsulated packets Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 052/103] atlantic: Fix issue in the pm resume flow Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 053/103] scsi: iscsi: Adjust iface sysfs attr detection Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 054/103] scsi: target: Fix the pgr/alua_support_store functions Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 055/103] tty: synclink_gt, drop unneeded forward declarations Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 056/103] tty: synclink_gt: rename a conflicting function name Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 057/103] fpga: machxo2-spi: Return an error on failure Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 058/103] fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 059/103] nvme-tcp: fix incorrect h2cdata pdu offset accounting Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 060/103] treewide: Change list_sort to use const pointers Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 061/103] nvme: keep ctrl->namespaces ordered Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 062/103] thermal/core: Potential buffer overflow in thermal_build_list_of_policies() Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 063/103] cifs: fix a sign extension bug Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 064/103] scsi: qla2xxx: Restore initiator in dual mode Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 065/103] scsi: lpfc: Use correct scnprintf() limit Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 066/103] irqchip/goldfish-pic: Select GENERIC_IRQ_CHIP to fix build Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 067/103] irqchip/gic-v3-its: Fix potential VPE leak on error Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 068/103] md: fix a lock order reversal in md_alloc Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 069/103] x86/asm: Add a missing __iomem annotation in enqcmds() Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 070/103] x86/asm: Fix SETZ size enqcmds() build failure Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 071/103] io_uring: put provided buffer meta data under memcg accounting Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 072/103] blktrace: Fix uaf in blk_trace access after removing by sysfs Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 073/103] net: phylink: Update SFP selected interface on advertising changes Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 074/103] net: macb: fix use after free on rmmod Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 075/103] net: stmmac: allow CSR clock of 300MHz Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 076/103] blk-mq: avoid to iterate over stale request Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 077/103] m68k: Double cast io functions to unsigned long Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 078/103] ipv6: delay fib6_sernum increase in fib6_add Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 079/103] cpufreq: intel_pstate: Override parameters if HWP forced by BIOS Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 080/103] bpf: Add oversize check before call kvcalloc() Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 081/103] xen/balloon: use a kernel thread instead a workqueue Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 082/103] nvme-multipath: fix ANA state updates when a namespace is not present Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 083/103] nvme-rdma: destroy cm id before destroy qp to avoid use after free Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 084/103] sparc32: page align size in arch_dma_alloc Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 085/103] amd/display: downgrade validation failure log level Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 086/103] block: check if a profile is actually registered in blk_integrity_unregister Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 087/103] block: flush the integrity workqueue " Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 088/103] blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 089/103] compiler.h: Introduce absolute_pointer macro Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 090/103] net: i825xx: Use absolute_pointer for memcpy from fixed memory location Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 091/103] sparc: avoid stringop-overread errors Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 092/103] qnx4: " Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 093/103] parisc: Use absolute_pointer() to define PAGE0 Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 094/103] arm64: Mark __stack_chk_guard as __ro_after_init Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 095/103] alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to volatile Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 096/103] net: 6pack: Fix tx timeout and slot time Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 097/103] spi: Fix tegra20 build with CONFIG_PM=n Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 098/103] EDAC/synopsys: Fix wrong value type assignment for edac_mode Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 099/103] EDAC/dmc520: Assign the proper type to dimm->edac_mode Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 100/103] thermal/drivers/int340x: Do not set a wrong tcc offset on resume Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 101/103] USB: serial: cp210x: fix dropped characters with CP2102 Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 102/103] xen/balloon: fix balloon kthread freezing Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 103/103] qnx4: work around gcc false positive warning bug Greg Kroah-Hartman
2021-09-27 17:43 ` [PATCH 5.10 000/103] 5.10.70-rc1 review Naresh Kamboju
2021-09-27 18:05 ` Florian Fainelli
2021-09-27 20:59 ` Pavel Machek
2021-09-27 22:36 ` Fox Chen
2021-09-27 22:58 ` Shuah Khan
2021-09-28 7:00 ` Jon Hunter
2021-09-28 7:58 ` Samuel Zou
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210927170226.239304897@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=elder@linaro.org \
--cc=johan@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox