linux/drivers
Duoming Zhou efb020924a drivers: net: slip: fix NPD bug in sl_tx_timeout()
[ Upstream commit ec4eb8a86a ]

When a slip driver is detaching, the slip_close() will act to
cleanup necessary resources and sl->tty is set to NULL in
slip_close(). Meanwhile, the packet we transmit is blocked,
sl_tx_timeout() will be called. Although slip_close() and
sl_tx_timeout() use sl->lock to synchronize, we don't judge
whether sl->tty equals NULL in sl_tx_timeout() and the
null pointer dereference bug will happen.

   (Thread 1)                 |      (Thread 2)
                              | slip_close()
                              |   spin_lock_bh(&sl->lock)
                              |   ...
...                           |   sl->tty = NULL //(1)
sl_tx_timeout()               |   spin_unlock_bh(&sl->lock)
  spin_lock(&sl->lock);       |
  ...                         |   ...
  tty_chars_in_buffer(sl->tty)|
    if (tty->ops->..) //(2)   |
    ...                       |   synchronize_rcu()

We set NULL to sl->tty in position (1) and dereference sl->tty
in position (2).

This patch adds a check in sl_tx_timeout(). If sl->tty equals
NULL, sl_tx_timeout() will goto out.

Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Link: https://lore.kernel.org/r/20220405132206.55291-1-duoming@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-04-20 09:34:17 +02:00
..
accessibility speakup-dectlk: Restore pitch setting 2022-02-16 12:56:37 +01:00
acpi ACPI: processor: idle: fix lockup regression on 32-bit ThinkPad T40 2022-04-20 09:34:04 +02:00
amba
android
ata ata: libata-core: Disable READ LOG DMA EXT for Samsung 840 EVOs 2022-04-20 09:34:16 +02:00
atm atm: eni: Add check for dma_map_single 2022-03-23 09:16:41 +01:00
auxdisplay auxdisplay: lcd2s: Use proper API to free the instance of charlcd object 2022-03-08 19:12:47 +01:00
base net: mdio: don't defer probe forever if PHY IRQ provider is missing 2022-04-20 09:34:10 +02:00
bcma
block drbd: set QUEUE_FLAG_STABLE_WRITES 2022-04-20 09:34:17 +02:00
bluetooth Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt 2022-04-08 14:23:41 +02:00
bus mips: cdmm: Fix refcount leak in mips_cdmm_phys_base 2022-04-08 14:23:39 +02:00
cdrom
char virtio_console: eliminate anonymous module_init & module_exit 2022-04-13 20:59:13 +02:00
clk clk: Enforce that disjoints limits are invalid 2022-04-13 20:59:12 +02:00
clocksource clocksource: acpi_pm: fix return value of __setup handler 2022-04-08 14:23:09 +02:00
comedi
connector
counter
cpufreq cpufreq: CPPC: Fix performance/frequency conversion 2022-04-13 20:59:11 +02:00
cpuidle
crypto crypto: hisilicon/sec - not need to enable sm4 extra mode at HW V3 2022-04-08 14:23:55 +02:00
cxl cxl/regs: Fix size of CXL Capability Header Register 2022-04-08 14:23:30 +02:00
dax dax: make sure inodes are flushed before destroy cache 2022-04-08 14:23:31 +02:00
dca
devfreq
dio
dma dmaengine: Revert "dmaengine: shdma: Fix runtime PM imbalance on error" 2022-04-13 20:59:26 +02:00
dma-buf udmabuf: validate ubuf->pagecount 2022-04-08 14:23:24 +02:00
edac EDAC: Fix calculation of returned address and next offset in edac_align_ptr() 2022-02-23 12:03:20 +01:00
eisa
extcon
firewire
firmware firmware: arm_scmi: Fix sorting of retrieved clock rates 2022-04-20 09:34:09 +02:00
fpga
fsi fsi: Aspeed: Fix a potential double free 2022-04-08 14:23:44 +02:00
gnss
gpio gpiolib: acpi: use correct format characters 2022-04-20 09:34:10 +02:00
gpu drm/amd/display: Fix allocate_mst_payload assert on resume 2022-04-20 09:34:17 +02:00
greybus greybus: svc: fix an error handling bug in gb_svc_hello() 2022-04-08 14:22:50 +02:00
hid HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports 2022-04-08 14:23:31 +02:00
hsi
hv Drivers: hv: balloon: Disable balloon and hot-add accordingly 2022-04-20 09:34:16 +02:00
hwmon hwmon: (pmbus) Add Vin unit off handling 2022-04-08 14:23:09 +02:00
hwspinlock
hwtracing coresight: syscfg: Fix memleak on registration failure in cscfg_create_device 2022-04-08 14:22:50 +02:00
i2c i2c: mux: demux-pinctrl: do not deactivate a master that is not active 2022-04-08 14:23:42 +02:00
i3c i3c: master: dw: check return of dw_i3c_master_get_free_pos() 2022-03-08 19:12:37 +01:00
idle
iio iio: adc: Add check for devm_request_threaded_irq 2022-04-08 14:23:46 +02:00
infiniband RDMA/hfi1: Fix use-after-free bug for mm struct 2022-04-13 20:59:23 +02:00
input Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads" 2022-04-08 14:22:55 +02:00
interconnect interconnect: qcom: rpm: Prevent integer overflow in rate 2022-01-27 11:05:00 +01:00
iommu iommu/omap: Fix regression in probe for NULL pointer dereference 2022-04-13 20:59:20 +02:00
ipack
irqchip irqchip/gic, gic-v3: Prevent GSI to SGI translations 2022-04-13 20:59:28 +02:00
isdn isdn: hfcpci: check the return value of dma_set_mask() in setup_hw() 2022-03-16 14:23:36 +01:00
leds
macintosh
mailbox mailbox: imx: fix wakeup failure from freeze mode 2022-04-08 14:24:10 +02:00
mcb
md dm mpath: only use ktime_get_ns() in historical selector 2022-04-20 09:34:13 +02:00
media media: rockchip/rga: do proper error checking in probe 2022-04-20 09:34:09 +02:00
memory memory: atmel-ebi: Fix missing of_node_put in atmel_ebi_probe 2022-04-20 09:34:09 +02:00
memstick
message
mfd mfd: asic3: Add missing iounmap() on error asic3_mfd_probe 2022-04-08 14:23:43 +02:00
misc habanalabs: fix possible memory leak in MMU DR fini 2022-04-13 20:59:12 +02:00
mmc mmc: core: Fixup support for writeback-cache for eMMC and SD 2022-04-13 20:59:21 +02:00
most
mtd ubi: fastmap: Return error code if memory allocation fails in add_aeb() 2022-04-08 14:24:15 +02:00
mux
net drivers: net: slip: fix NPD bug in sl_tx_timeout() 2022-04-20 09:34:17 +02:00
nfc nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION 2022-03-28 09:58:42 +02:00
ntb ntb: intel: fix port config status offset for SPR 2022-03-08 19:12:44 +01:00
nubus
nvdimm nvdimm/region: Fix default alignment for small regions 2022-04-08 14:23:48 +02:00
nvme nvme: fix the read-only state for zoned namespaces with unsupposed features 2022-04-08 14:24:09 +02:00
nvmem nvmem: core: Fix a conflict between MTD and NVMEM on wp-gpios property 2022-03-02 11:48:06 +01:00
of of: net: move of_net under net/ 2022-03-08 19:12:41 +01:00
opp opp: Expose of-node's name in debugfs 2022-04-13 20:59:11 +02:00
parisc parisc: Fix CPU affinity for Lasi, WAX and Dino chips 2022-04-13 20:59:14 +02:00
parport
pci PCI: hv: Propagate coherence from VMbus device to PCI device 2022-04-20 09:34:15 +02:00
pcmcia
perf perf: qcom_l2_pmu: fix an incorrect NULL check on list iterator 2022-04-13 20:59:24 +02:00
phy phy: amlogic: meson8b-usb2: fix shared reset control use 2022-04-13 20:59:11 +02:00
pinctrl pinctrl: nuvoton: npcm7xx: Use %zu printk format for ARRAY_SIZE() 2022-04-08 14:24:11 +02:00
platform platform/chrome: cros_ec_typec: Check for EC device 2022-04-08 14:24:12 +02:00
pnp
power power: supply: axp288-charger: Set Vhold to 4.4V 2022-04-13 20:59:05 +02:00
powercap
pps pps: clients: gpio: Propagate return value from pps_gpio_probe 2022-04-08 14:23:44 +02:00
ps3
ptp ptp: replace snprintf with sysfs_emit 2022-04-13 20:59:01 +02:00
pwm pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add() 2022-04-08 14:23:44 +02:00
rapidio
ras
regulator regulator: wm8994: Add an off-on delay for WM8994 variant 2022-04-20 09:34:16 +02:00
remoteproc remoteproc: qcom_q6v5_mss: Fix some leaks in q6v5_alloc_memory_region 2022-04-08 14:23:47 +02:00
reset
rpmsg rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev 2022-02-01 17:27:07 +01:00
rtc rtc: mc146818-lib: fix signedness bug in mc146818_get_time() 2022-04-13 20:59:26 +02:00
s390 block: drop unused includes in <linux/genhd.h> 2022-03-16 14:23:46 +01:00
sbus
scsi scsi: megaraid_sas: Target with invalid LUN ID is deleted during scan 2022-04-20 09:34:17 +02:00
sh
siox
slimbus
soc soc: qcom: aoss: Expose send for generic usecase 2022-04-20 09:34:04 +02:00
soundwire ASoC: Intel: sof_sdw: fix quirks for 2022 HP Spectre x360 13" 2022-04-08 14:24:02 +02:00
spi spi: cadence-quadspi: fix protocol setup for non-1-1-X operations 2022-04-20 09:34:16 +02:00
spmi
ssb
staging staging: wfx: fix an error handling in wfx_init_common() 2022-04-13 20:59:11 +02:00
target scsi: target: tcmu: Fix possible page UAF 2022-04-20 09:34:15 +02:00
tc
tee optee: use driver internal tee_context for some rpc 2022-03-02 11:47:51 +01:00
thermal thermal: int340x: Check for NULL after calling kmemdup() 2022-04-08 14:23:05 +02:00
thunderbolt
tty serial: samsung_tty: do not unlock port->lock for uart_write_wakeup() 2022-04-13 20:59:13 +02:00
uio
usb usb: dwc3: omap: fix "unbalanced disables for smps10_out1" on omap5evm 2022-04-13 20:59:09 +02:00
vdpa vdpa: mlx5: prevent cvq work from hogging CPU 2022-04-13 20:59:15 +02:00
vfio vfio/pci: Fix vf_token mechanism when device-specific VF drivers are used 2022-04-20 09:34:13 +02:00
vhost tuntap: add sanity checks about msg_controllen in sendmsg 2022-04-13 20:59:07 +02:00
video fbdev: Fix unregistering of framebuffers without device 2022-04-13 20:59:24 +02:00
virt virt: acrn: fix a memory leak in acrn_dev_ioctl() 2022-04-08 14:23:50 +02:00
virtio virtio: acknowledge all features before access 2022-03-16 14:23:43 +01:00
visorbus
vlynq
vme
w1 w1: w1_therm: fixes w1_seq for ds28ea00 sensors 2022-04-13 20:59:11 +02:00
watchdog watchdog: rti-wdt: Add missing pm_runtime_disable() in probe function 2022-04-08 14:24:11 +02:00
xen swiotlb: Support aligned swiotlb buffers 2022-04-08 14:24:17 +02:00
zorro
Kconfig
Makefile