linux/drivers/tty
Sahara d06bff3512 pty: cancel pty slave port buf's work in tty_release
[ Upstream commit 2b022ab754 ]

If CONFIG_SLUB_DEBUG is on and a pty is used, races between the
release_one_tty and flush_to_ldisc work threads may happen and lead
to a use-after-free condition on tty->link->port. Because SLUB_DEBUG
is turned on, the freed tty->link->port is filled with the POISON_FREE value.
So far, without SLUB_DEBUG, the port was filled with zero and flush_to_ldisc
could return without a problem by checking if tty is NULL.

CPU 0                                 CPU 1
-----                                 -----
release_tty                           pty_write
   cancel_work_sync(tty)                 to = tty->link
   tty_kref_put(tty->link)               tty_schedule_flip(to->port)
      << workqueue >>                 ...
      release_one_tty                 ...
         pty_cleanup                  ...
            kfree(tty->link->port)       << workqueue >>
                                         flush_to_ldisc
                                            tty = READ_ONCE(port->itty)
                                            tty is 0x6b6b6b6b6b6b6b6b
                                            !!PANIC!! access tty->ldisc

 Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b93
 pgd = ffffffc0eb1c3000
 [6b6b6b6b6b6b6b93] *pgd=0000000000000000, *pud=0000000000000000
 ------------[ cut here ]------------
 Kernel BUG at ffffff800851154c [verbose debug info unavailable]
 Internal error: Oops - BUG: 96000004 [#1] PREEMPT SMP
 CPU: 3 PID: 265 Comm: kworker/u8:9 Tainted: G        W 3.18.31-g0a58eeb #1
 Hardware name: Qualcomm Technologies, Inc. MSM 8996pro v1.1 + PMI8996 Carbide (DT)
 Workqueue: events_unbound flush_to_ldisc
 task: ffffffc0ed610ec0 ti: ffffffc0ed624000 task.ti: ffffffc0ed624000
 PC is at ldsem_down_read_trylock+0x0/0x4c
 LR is at tty_ldisc_ref+0x24/0x4c
 pc : [<ffffff800851154c>] lr : [<ffffff800850f6c0>] pstate: 80400145
 sp : ffffffc0ed627cd0
 x29: ffffffc0ed627cd0 x28: 0000000000000000
 x27: ffffff8009e05000 x26: ffffffc0d382cfa0
 x25: 0000000000000000 x24: ffffff800a012f08
 x23: 0000000000000000 x22: ffffffc0703fbc88
 x21: 6b6b6b6b6b6b6b6b x20: 6b6b6b6b6b6b6b93
 x19: 0000000000000000 x18: 0000000000000001
 x17: 00e80000f80d6f53 x16: 0000000000000001
 x15: 0000007f7d826fff x14: 00000000000000a0
 x13: 0000000000000000 x12: 0000000000000109
 x11: 0000000000000000 x10: 0000000000000000
 x9 : ffffffc0ed624000 x8 : ffffffc0ed611580
 x7 : 0000000000000000 x6 : ffffff800a42e000
 x5 : 00000000000003fc x4 : 0000000003bd1201
 x3 : 0000000000000001 x2 : 0000000000000001
 x1 : ffffff800851004c x0 : 6b6b6b6b6b6b6b93

Signed-off-by: Sahara <keun-o.park@darkmatter.ae>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-03-24 10:58:48 +01:00
hvc tty: hvc_xen: hide xen_console_remove when unused 2018-02-25 11:03:46 +01:00
ipwireless Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2015-04-14 09:50:27 -07:00
serial serial: 8250_pci: Add Brainboxes UC-260 4 port serial device 2018-03-18 11:17:53 +01:00
vt vt: fix unchecked __put_user() in tioclinux ioctls 2017-07-21 07:44:57 +02:00
amiserial.c tty: amiserial.c: move assignment out of if () block 2015-05-10 19:04:16 +02:00
bfin_jtag_comm.c TTY: bfin_jtag_comm: remove incorrect wait_until_sent operation 2015-03-07 03:44:14 +01:00
cyclades.c tty: Remove ASYNC_CLOSING checks in open()/hangup() methods 2015-10-17 21:11:29 -07:00
ehv_bytechan.c
goldfish.c Revert "tty: goldfish: Fix a parameter of a call to free_irq" 2017-10-21 17:09:06 +02:00
isicom.c
Kconfig tty: cyclades: cyz_interrupt is only used for PCI 2018-02-25 11:03:48 +01:00
Makefile TTY: Add MIPS EJTAG Fast Debug Channel TTY driver 2015-03-31 12:04:12 +02:00
metag_da.c tty/metag_da: Avoid module_init/module_exit in non-modular code 2015-06-16 14:12:31 -04:00
mips_ejtag_fdc.c ttyFDC: Fix build problems due to use of module_{init,exit} 2015-10-17 21:29:21 -07:00
moxa.c
moxa.h
mxser.c
mxser.h
n_gsm.c TTY: n_gsm, fix false positive WARN_ON 2016-06-01 12:15:52 -07:00
n_hdlc.c tty: n_hdlc: get rid of racy n_hdlc.tbuf 2017-03-15 09:57:10 +08:00
n_r3964.c tty: r3964: Replace/remove bogus tty lock use 2015-10-17 21:11:29 -07:00
n_tracerouter.c n_tracerouter: stop including <asm-generic/bug> 2015-10-15 00:21:10 +02:00
n_tracesink.c n_tracesink: stop including <asm-generic/bug> 2015-10-15 00:21:11 +02:00
n_tracesink.h
n_tty.c n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD) 2018-01-02 20:33:28 +01:00
nozomi.c tty: nozomi: avoid a harmless gcc warning 2017-04-30 05:49:27 +02:00
pty.c tty: pty: Fix ldisc flush after userspace become aware of the data already 2017-05-20 14:27:02 +02:00
rocket_int.h
rocket.c tty: Remove tty_port::close_wait 2015-10-17 21:11:29 -07:00
rocket.h tty: rocket: fix comment of ROCKET_SPD_HI 2015-05-24 12:49:16 -07:00
synclink_gt.c tty: Remove ASYNC_CLOSING checks in open()/hangup() methods 2015-10-17 21:11:29 -07:00
synclink.c tty: synclink, fix indentation 2015-10-17 21:14:06 -07:00
synclinkmp.c tty: Remove ASYNC_CLOSING checks in open()/hangup() methods 2015-10-17 21:11:29 -07:00
sysrq.c sysrq: Fix warning in sysrq generated crash. 2018-01-17 09:35:28 +01:00
tty_audit.c tty: audit: Fix audit source 2015-11-20 16:19:54 -08:00
tty_buffer.c tty: fix __tty_insert_flip_char regression 2017-09-27 11:00:13 +02:00
tty_io.c pty: cancel pty slave port buf's work in tty_release 2018-03-24 10:58:48 +01:00
tty_ioctl.c tty: Fix tty_send_xchar() lock order inversion 2015-11-20 16:19:54 -08:00
tty_ldisc.c tty: Prevent ldisc drivers from re-using stale tty fields 2016-11-21 10:06:40 +01:00
tty_ldsem.c tty: tty_ldsem.c: move assignment out of if () block 2015-05-10 19:04:18 +02:00
tty_mutex.c tty: Drop krefs for interrupted tty lock 2017-06-14 13:16:26 +02:00
tty_port.c tty: Abstract tty buffer work 2015-10-17 21:32:21 -07:00