authorLinus Torvalds <torvalds@linux-foundation.org>2018-07-01 15:05:53 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2018-07-01 15:05:53 -0400
commit652788a90d8e4603104582fd1e2fcb95afad13d9 (patch)
treea7df3cf1c3846fd5d1baa269d0599aff26fbc1c0
parentc2aee376cf35d609feb8926afeb1d11e069a378c (diff)
parent21eff69aaaa0e766ca0ce445b477698dc6a9f55a (diff)
Merge tag 'tty-4.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
Pull tty/serial fixes from Greg KH: "Here are five fixes for the tty core and some serial drivers. The tty core ones fix some security and other issues reported by the syzbot that I have taken too long in responding to (sorry Tetsuo!). The 8350 serial driver fix resolves an issue of devices that used to work properly stopping working as they shouldn't have been added to a blacklist. All of these have been in linux-next for a few days with no reported issues" * tag 'tty-4.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: vt: prevent leaking uninitialized data to userspace via /dev/vcs* serdev: fix memleak on module unload serial: 8250_pci: Remove stalled entries in blacklist n_tty: Access echo_* variables carefully. n_tty: Fix stall at n_tty_receive_char_special().
-rw-r--r--drivers/tty/n_tty.c55
-rw-r--r--drivers/tty/serdev/core.c1
-rw-r--r--drivers/tty/serial/8250/8250_pci.c2
-rw-r--r--drivers/tty/vt/vt.c4
4 files changed, 35 insertions, 27 deletions
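--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -124,6 +124,8 @@ struct n_tty_data {
  struct mutex output_lock;
 };
 
+#define MASK(x) ((x) & (N_TTY_BUF_SIZE - 1))
+
 static inline size_t read_cnt(struct n_tty_data *ldata)
 {
  return ldata->read_head - ldata->read_tail;
@@ -141,6 +143,7 @@ static inline unsigned char *read_buf_addr(struct n_tty_data *ldata, size_t i)
 
 static inline unsigned char echo_buf(struct n_tty_data *ldata, size_t i)
 {
+ smp_rmb(); /* Matches smp_wmb() in add_echo_byte(). */
  return ldata->echo_buf[i & (N_TTY_BUF_SIZE - 1)];
 }
 
@@ -316,9 +319,7 @@ static inline void put_tty_queue(unsigned char c, struct n_tty_data *ldata)
 static void reset_buffer_flags(struct n_tty_data *ldata)
 {
  ldata->read_head = ldata->canon_head = ldata->read_tail = 0;
- ldata->echo_head = ldata->echo_tail = ldata->echo_commit = 0;
  ldata->commit_head = 0;
- ldata->echo_mark = 0;
  ldata->line_start = 0;
 
  ldata->erasing = 0;
@@ -617,13 +618,20 @@ static size_t __process_echoes(struct tty_struct *tty)
  old_space = space = tty_write_room(tty);
 
  tail = ldata->echo_tail;
- while (ldata->echo_commit != tail) {
+ while (MASK(ldata->echo_commit) != MASK(tail)) {
  c = echo_buf(ldata, tail);
  if (c == ECHO_OP_START) {
  unsigned char op;
  int no_space_left = 0;
 
  /*
+ * Since add_echo_byte() is called without holding
+ * output_lock, we might see only portion of multi-byte
+ * operation.
+ */
+ if (MASK(ldata->echo_commit) == MASK(tail + 1))
+ goto not_yet_stored;
+ /*
  * If the buffer byte is the start of a multi-byte
  * operation, get the next byte, which is either the
  * op code or a control character value.
@@ -634,6 +642,8 @@ static size_t __process_echoes(struct tty_struct *tty)
  unsigned int num_chars, num_bs;
 
  case ECHO_OP_ERASE_TAB:
+ if (MASK(ldata->echo_commit) == MASK(tail + 2))
+ goto not_yet_stored;
  num_chars = echo_buf(ldata, tail + 2);
 
  /*
@@ -728,7 +738,8 @@ static size_t __process_echoes(struct tty_struct *tty)
  /* If the echo buffer is nearly full (so that the possibility exists
  * of echo overrun before the next commit), then discard enough
  * data at the tail to prevent a subsequent overrun */
- while (ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) {
+ while (ldata->echo_commit > tail &&
+ ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) {
  if (echo_buf(ldata, tail) == ECHO_OP_START) {
  if (echo_buf(ldata, tail + 1) == ECHO_OP_ERASE_TAB)
  tail += 3;
@@ -738,6 +749,7 @@ static size_t __process_echoes(struct tty_struct *tty)
  tail++;
  }
 
+ not_yet_stored:
  ldata->echo_tail = tail;
  return old_space - space;
 }
@@ -748,6 +760,7 @@ static void commit_echoes(struct tty_struct *tty)
  size_t nr, old, echoed;
  size_t head;
 
+ mutex_lock(&ldata->output_lock);
  head = ldata->echo_head;
  ldata->echo_mark = head;
  old = ldata->echo_commit - ldata->echo_tail;
@@ -756,10 +769,12 @@ static void commit_echoes(struct tty_struct *tty)
  * is over the threshold (and try again each time another
  * block is accumulated) */
  nr = head - ldata->echo_tail;
- if (nr < ECHO_COMMIT_WATERMARK || (nr % ECHO_BLOCK > old % ECHO_BLOCK))
+ if (nr < ECHO_COMMIT_WATERMARK ||
+ (nr % ECHO_BLOCK > old % ECHO_BLOCK)) {
+ mutex_unlock(&ldata->output_lock);
  return;
+ }
 
- mutex_lock(&ldata->output_lock);
  ldata->echo_commit = head;
  echoed = __process_echoes(tty);
  mutex_unlock(&ldata->output_lock);
@@ -810,7 +825,9 @@ static void flush_echoes(struct tty_struct *tty)
 
 static inline void add_echo_byte(unsigned char c, struct n_tty_data *ldata)
 {
- *echo_buf_addr(ldata, ldata->echo_head++) = c;
+ *echo_buf_addr(ldata, ldata->echo_head) = c;
+ smp_wmb(); /* Matches smp_rmb() in echo_buf(). */
+ ldata->echo_head++;
 }
 
 /**
@@ -978,14 +995,15 @@ static void eraser(unsigned char c, struct tty_struct *tty)
  }
 
  seen_alnums = 0;
- while (ldata->read_head != ldata->canon_head) {
+ while (MASK(ldata->read_head) != MASK(ldata->canon_head)) {
  head = ldata->read_head;
 
  /* erase a single possibly multibyte character */
  do {
  head--;
  c = read_buf(ldata, head);
- } while (is_continuation(c, tty) && head != ldata->canon_head);
+ } while (is_continuation(c, tty) &&
+ MASK(head) != MASK(ldata->canon_head));
 
  /* do not partially erase */
  if (is_continuation(c, tty))
@@ -1027,7 +1045,7 @@ static void eraser(unsigned char c, struct tty_struct *tty)
  * This info is used to go back the correct
  * number of columns.
  */
- while (tail != ldata->canon_head) {
+ while (MASK(tail) != MASK(ldata->canon_head)) {
  tail--;
  c = read_buf(ldata, tail);
  if (c == '\t') {
@@ -1302,7 +1320,7 @@ n_tty_receive_char_special(struct tty_struct *tty, unsigned char c)
  finish_erasing(ldata);
  echo_char(c, tty);
  echo_char_raw('\n', ldata);
- while (tail != ldata->read_head) {
+ while (MASK(tail) != MASK(ldata->read_head)) {
  echo_char(read_buf(ldata, tail), tty);
  tail++;
  }
@@ -1878,30 +1896,21 @@ static int n_tty_open(struct tty_struct *tty)
  struct n_tty_data *ldata;
 
  /* Currently a malloc failure here can panic */
- ldata = vmalloc(sizeof(*ldata));
+ ldata = vzalloc(sizeof(*ldata));
  if (!ldata)
- goto err;
+ return -ENOMEM;
 
  ldata->overrun_time = jiffies;
  mutex_init(&ldata->atomic_read_lock);
  mutex_init(&ldata->output_lock);
 
  tty->disc_data = ldata;
- reset_buffer_flags(tty->disc_data);
- ldata->column = 0;
- ldata->canon_column = 0;
- ldata->num_overrun = 0;
- ldata->no_room = 0;
- ldata->lnext = 0;
  tty->closing = 0;
  /* indicate buffer work may resume */
  clear_bit(TTY_LDISC_HALTED, &tty->flags);
  n_tty_set_termios(tty, NULL);
  tty_unthrottle(tty);
-
  return 0;
-err:
- return -ENOMEM;
 }
 
 static inline int input_available_p(struct tty_struct *tty, int poll)
@@ -2411,7 +2420,7 @@ static unsigned long inq_canon(struct n_tty_data *ldata)
  tail = ldata->read_tail;
  nr = head - tail;
  /* Skip EOF-chars.. */
- while (head != tail) {
+ while (MASK(head) != MASK(tail)) {
  if (test_bit(tail & (N_TTY_BUF_SIZE - 1), ldata->read_flags) &&
  read_buf(ldata, tail) == __DISABLED_CHAR)
  nr--;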
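Review bot: The new guard `ldata->echo_commit > tail` in the discard loop of __process_echoes() compares the two counters by absolute value, which is not wrap-safe if they are free-running size_t counters, as the masked indexing elsewhere in this file suggests. Once echo_commit wraps past zero while tail has not, the guard is false and the discard is skipped until tail wraps too, so the overrun protection lapses for that window; reads stay in bounds because every index is masked, so the effect should be limited to lost or stale echo data. A signed difference keeps the intent (do not discard when tail has stepped past the commit point) without depending on absolute values, for example `while ((ssize_t)(ldata->echo_commit - tail) >= ECHO_DISCARD_WATERMARK) {`, provided the watermark is a signed constant. The body of __process_echoes() starts outside this hunk.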
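--- a/drivers/tty/serdev/core.c
+++ b/drivers/tty/serdev/core.c
@@ -617,6 +617,7 @@ EXPORT_SYMBOL_GPL(__serdev_device_driver_register);
 static void __exit serdev_exit(void)
 {
  bus_unregister(&serdev_bus_type);
+ ida_destroy(&ctrl_ida);
 }
 module_exit(serdev_exit);
 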
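--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -3339,9 +3339,7 @@ static const struct pci_device_id blacklist[] = {
  /* multi-io cards handled by parport_serial */
  { PCI_DEVICE(0x4348, 0x7053), }, /* WCH CH353 2S1P */
  { PCI_DEVICE(0x4348, 0x5053), }, /* WCH CH353 1S1P */
- { PCI_DEVICE(0x4348, 0x7173), }, /* WCH CH355 4S */
  { PCI_DEVICE(0x1c00, 0x3250), }, /* WCH CH382 2S1P */
- { PCI_DEVICE(0x1c00, 0x3470), }, /* WCH CH384 4S */
 
  /* Moxa Smartio MUE boards handled by 8250_moxa */
  { PCI_VDEVICE(MOXA, 0x1024), },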
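--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -784,7 +784,7 @@ int vc_allocate(unsigned int currcons) /* return 0 on success */
  if (!*vc->vc_uni_pagedir_loc)
  con_set_default_unimap(vc);
 
- vc->vc_screenbuf = kmalloc(vc->vc_screenbuf_size, GFP_KERNEL);
+ vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL);
  if (!vc->vc_screenbuf)
  goto err_free;
 
@@ -871,7 +871,7 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc,
 
  if (new_screen_size > (4 << 20))
  return -EINVAL;
- newscreen = kmalloc(new_screen_size, GFP_USER);
+ newscreen = kzalloc(new_screen_size, GFP_USER);
  if (!newscreen)
  return -ENOMEM;
 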
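Review bot: Neither kzalloc() call carries a comment saying why the screen buffer has to be zeroed, so a later cleanup could turn it back into kmalloc() as an apparent optimisation. Going by the commit title, the buffer can be read from userspace through /dev/vcs* before the console code has written every cell, which makes the zeroing a confidentiality requirement rather than a convenience. I would add `/* zeroed: contents are readable via /dev/vcs* before being fully written */` above the allocation in vc_allocate() and the same comment above `newscreen = kzalloc(new_screen_size, GFP_USER);` in vc_do_resize(). Both functions continue outside their hunks.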