linux/drivers/tty
Sahara 2b022ab754 pty: cancel pty slave port buf's work in tty_release
In case that CONFIG_SLUB_DEBUG is on and pty is used, races between
release_one_tty and flush_to_ldisc work threads may happen and lead
to use-after-free condition on tty->link->port. Because SLUB_DEBUG
is turned on, freed tty->link->port is filled with POISON_FREE value.
So far without SLUB_DEBUG, port was filled with zero and flush_to_ldisc
could return without a problem by checking if tty is NULL.

CPU 0                                 CPU 1
-----                                 -----
release_tty                           pty_write
   cancel_work_sync(tty)                 to = tty->link
   tty_kref_put(tty->link)               tty_schedule_flip(to->port)
      << workqueue >>                 ...
      release_one_tty                 ...
         pty_cleanup                  ...
            kfree(tty->link->port)       << workqueue >>
                                         flush_to_ldisc
                                            tty = READ_ONCE(port->itty)
                                            tty is 0x6b6b6b6b6b6b6b6b
                                            !!PANIC!! access tty->ldisc

 Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b93
 pgd = ffffffc0eb1c3000
 [6b6b6b6b6b6b6b93] *pgd=0000000000000000, *pud=0000000000000000
 ------------[ cut here ]------------
 Kernel BUG at ffffff800851154c [verbose debug info unavailable]
 Internal error: Oops - BUG: 96000004 [#1] PREEMPT SMP
 CPU: 3 PID: 265 Comm: kworker/u8:9 Tainted: G        W 3.18.31-g0a58eeb #1
 Hardware name: Qualcomm Technologies, Inc. MSM 8996pro v1.1 + PMI8996 Carbide (DT)
 Workqueue: events_unbound flush_to_ldisc
 task: ffffffc0ed610ec0 ti: ffffffc0ed624000 task.ti: ffffffc0ed624000
 PC is at ldsem_down_read_trylock+0x0/0x4c
 LR is at tty_ldisc_ref+0x24/0x4c
 pc : [<ffffff800851154c>] lr : [<ffffff800850f6c0>] pstate: 80400145
 sp : ffffffc0ed627cd0
 x29: ffffffc0ed627cd0 x28: 0000000000000000
 x27: ffffff8009e05000 x26: ffffffc0d382cfa0
 x25: 0000000000000000 x24: ffffff800a012f08
 x23: 0000000000000000 x22: ffffffc0703fbc88
 x21: 6b6b6b6b6b6b6b6b x20: 6b6b6b6b6b6b6b93
 x19: 0000000000000000 x18: 0000000000000001
 x17: 00e80000f80d6f53 x16: 0000000000000001
 x15: 0000007f7d826fff x14: 00000000000000a0
 x13: 0000000000000000 x12: 0000000000000109
 x11: 0000000000000000 x10: 0000000000000000
 x9 : ffffffc0ed624000 x8 : ffffffc0ed611580
 x7 : 0000000000000000 x6 : ffffff800a42e000
 x5 : 00000000000003fc x4 : 0000000003bd1201
 x3 : 0000000000000001 x2 : 0000000000000001
 x1 : ffffff800851004c x0 : 6b6b6b6b6b6b6b93

Signed-off-by: Sahara <keun-o.park@darkmatter.ae>

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-19 09:59:51 +01:00
..
hvc TTY/Serial patches for 4.15-rc1 2017-11-13 21:05:31 -08:00
ipwireless treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
serdev serdev: ttyport: do not used keyed wakeup in write_wakeup 2017-12-18 12:25:14 +01:00
serial serial: max310x: Reduce RX work starvation 2017-12-19 09:59:02 +01:00
vt tty: vt: replace _manual_ swap with swap macro in set_selection 2017-11-28 15:32:32 +01:00
amiserial.c tty: add SPDX identifiers to all remaining files in drivers/tty/ 2017-11-08 13:08:12 +01:00
bfin_jtag_comm.c tty: Remove redundant license text 2017-11-08 13:08:12 +01:00
cyclades.c treewide: Switch DEFINE_TIMER callbacks to struct timer_list * 2017-11-21 15:57:05 -08:00
ehv_bytechan.c tty: ehv_bytechan: fix spelling mistake 2017-11-08 14:27:10 +01:00
goldfish.c tty: goldfish: Enable 'earlycon' only if built-in 2017-12-15 20:27:44 +01:00
isicom.c tty/isicom: Fix a possible sleep-in-atomic bug in WaitTillCardIsFree 2017-12-15 20:24:14 +01:00
Kconfig tty: goldfish: Enable 'earlycon' only if built-in 2017-12-15 20:27:44 +01:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
metag_da.c tty: Remove redundant license text 2017-11-08 13:08:12 +01:00
mips_ejtag_fdc.c tty: Remove redundant license text 2017-11-08 13:08:12 +01:00
moxa.c tty: moxa: Add support for CMSPAR 2017-11-28 15:32:33 +01:00
moxa.h tty: moxa: Add support for CMSPAR 2017-11-28 15:32:33 +01:00
mxser.c tty: Remove redundant license text 2017-11-08 13:08:12 +01:00
mxser.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
n_gsm.c tty: n_gsm: remove redundant pointer gsm 2017-11-28 15:32:32 +01:00
n_hdlc.c tty: Remove redundant license text 2017-11-08 13:08:12 +01:00
n_null.c tty: Remove redundant license text 2017-11-08 13:08:12 +01:00
n_r3964.c treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
n_tracerouter.c tty: Remove redundant license text 2017-11-08 13:08:12 +01:00
n_tracesink.c tty: Remove redundant license text 2017-11-08 13:08:12 +01:00
n_tracesink.h tty: Remove redundant license text 2017-11-08 13:08:12 +01:00
n_tty.c tty: Remove redundant license text 2017-11-08 13:08:12 +01:00
nozomi.c tty: Remove redundant license text 2017-11-08 13:08:12 +01:00
pty.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
rocket_int.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
rocket.c treewide: Switch DEFINE_TIMER callbacks to struct timer_list * 2017-11-21 15:57:05 -08:00
rocket.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
synclink_gt.c treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
synclink.c treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
synclinkmp.c treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
sysrq.c TTY/Serial patches for 4.15-rc1 2017-11-13 21:05:31 -08:00
tty_audit.c tty: Remove redundant license text 2017-11-08 13:08:12 +01:00
tty_baudrate.c tty: add SPDX identifiers to all remaining files in drivers/tty/ 2017-11-08 13:08:12 +01:00
tty_buffer.c tty: add SPDX identifiers to all remaining files in drivers/tty/ 2017-11-08 13:08:12 +01:00
tty_io.c pty: cancel pty slave port buf's work in tty_release 2017-12-19 09:59:51 +01:00
tty_ioctl.c tty: add SPDX identifiers to all remaining files in drivers/tty/ 2017-11-08 13:08:12 +01:00
tty_jobctrl.c tty: add SPDX identifiers to all remaining files in drivers/tty/ 2017-11-08 13:08:12 +01:00
tty_ldisc.c TTY/Serial patches for 4.15-rc1 2017-11-13 21:05:31 -08:00
tty_ldsem.c tty: Remove redundant license text 2017-11-08 13:08:12 +01:00
tty_mutex.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
tty_port.c tty: add SPDX identifiers to all remaining files in drivers/tty/ 2017-11-08 13:08:12 +01:00
vcc.c tty: vcc: Convert timers to use timer_setup() 2017-11-04 12:01:54 +01:00