shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-04-08 14:13:05 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
f52aa97a9bd3ba520bf0e044f3f2fa2f7017ad65
linux/drivers
History
Peter Hurley f52aa97a9b UPSTREAM: tty: Prevent ldisc drivers from re-using stale tty fields 
(cherry picked from commit dd42bf1197)

Line discipline drivers may mistakenly misuse ldisc-related fields
when initializing. For example, a failure to initialize tty->receive_room
in the N_GIGASET_M101 line discipline was recently found and fixed [1].
Now, the N_X25 line discipline has been discovered accessing the previous
line discipline's already-freed private data [2].

Harden the ldisc interface against misuse by initializing revelant
tty fields before instancing the new line discipline.

[1]
    commit fd98e9419d
    Author: Tilman Schmidt <tilman@imap.cc>
    Date:   Tue Jul 14 00:37:13 2015 +0200

    isdn/gigaset: reset tty->receive_room when attaching ser_gigaset

[2] Report from Sasha Levin <sasha.levin@oracle.com>
    [  634.336761] ==================================================================
    [  634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
    [  634.339558] Read of size 4 by task syzkaller_execu/8981
    [  634.340359] =============================================================================
    [  634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
    ...
    [  634.405018] Call Trace:
    [  634.405277] dump_stack (lib/dump_stack.c:52)
    [  634.405775] print_trailer (mm/slub.c:655)
    [  634.406361] object_err (mm/slub.c:662)
    [  634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
    [  634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
    [  634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
    [  634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
    [  634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
    [  634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
    [  634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
    [  634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
    [  634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)

Cc: Tilman Schmidt <tilman@imap.cc>
Cc: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ibed6feadfb9706d478f93feec3b240aecfc64af3
Bug: 30951112
2016-09-14 14:44:29 +05:30
..
accessibility
acpi
ACPI / osi: Fix an issue that acpi_osi=!* cannot disable ACPICA internal strings
2016-06-01 12:15:50 -07:00
amba
android
Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android
2016-03-14 15:32:21 +08:00
ata
libata: LITE-ON CX1-JB256-HP needs lower max_sectors
2016-08-10 11:49:29 +02:00
atm
auxdisplay
base
Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android
2016-07-29 21:38:37 +01:00
bcma
x86/quirks: Add early quirk to reset Apple AirPort card
2016-08-10 11:49:24 +02:00
block
nbd: ratelimit error msgs after socket close
2016-05-11 11:21:10 +02:00
bluetooth
Bluetooth: vhci: Fix race at creating hci device
2016-06-01 12:15:50 -07:00
bus
bus: imx-weim: Take the 'status' property value into account
2016-05-04 14:48:54 -07:00
cdrom
char
Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android
2016-08-18 12:33:31 +08:00
clk
clk: rockchip: initialize flags of clk_init_data in mmc-phase clock
2016-08-10 11:49:28 +02:00
clocksource
clockevents/tcb_clksrc: Prevent disabling an already disabled clock
2016-03-03 15:07:15 -08:00
connector
connector: bump skb->users before callback invocation
2016-01-04 21:46:45 -05:00
cpufreq
cpufreq: interactive: drop cpufreq_{get,put}_global_kobject func calls
2016-05-19 12:35:13 +05:30
cpuidle
Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android
2016-06-14 17:08:03 +08:00
crypto
crypto: qat - make qat_asym_algs.o depend on asn1 headers
2016-07-27 09:47:40 -07:00
dca
devfreq
dio
dma
dmaengine: at_xdmac: double FIFO flush needed to compute residue
2016-08-10 11:49:25 +02:00
dma-buf
CHROMIUM: android: fix warning when releasing active sync point
2016-02-16 13:53:25 -08:00
edac
EDAC, sb_edac: Fix rank lookup on Broadwell
2016-07-27 09:47:27 -07:00
eisa
extcon
extcon: max77843: Use correct size for reading the interrupt register
2016-05-04 14:48:54 -07:00
firewire
Merge tag 'firewire-update' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394
2015-11-11 10:21:34 -08:00
firmware
arm64: kaslr: increase randomization granularity
2016-07-29 18:59:49 +02:00
fmc
fpga
fpga manager: Fix firmware resource leak on error
2015-11-24 15:25:46 -08:00
gpio
Revert "gpiolib: Split GPIO flags parsing and GPIO configuration"
2016-07-27 09:47:29 -07:00
gpu
Merge remote-tracking branch 'v4.4/topic/mm-kaslr-pax_usercopy' into linux-linaro-lsk-v4.4
2016-08-27 11:27:14 +08:00
hid
Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android
2016-08-18 12:33:31 +08:00
hsi
hsi: controllers:remove redundant code
2015-10-30 16:10:40 +01:00
hv
Drivers: hv: vmbus: Fix a Host signaling bug
2016-03-03 15:07:16 -08:00
hwmon
hwmon: (dell-smm) Cache fan_type() calls and change fan detection
2016-07-27 09:47:37 -07:00
hwspinlock
drivers/hwspinlock: fix race between radix tree insertion and lookup
2016-02-25 12:01:23 -08:00
hwtracing
Merge tag 'v4.4.17' into linux-linaro-lsk-v4.4
2016-08-11 12:15:51 +08:00
i2c
i2c: i801: Allow ACPI SystemIO OpRegion to conflict with PCI BAR
2016-08-16 09:30:48 +02:00
ide
mm, page_alloc: rename __GFP_WAIT to __GFP_RECLAIM
2015-11-06 17:50:42 -08:00
idle
intel_idle: prevent SKL-H boot failure when C8+C9+C10 enabled
2016-04-12 09:09:05 -07:00
iio
iio:ad7266: Fix probe deferral for vref
2016-07-27 09:47:37 -07:00
infiniband
IB/mlx4: Properly initialize GRH TClass and FlowLabel in AHs
2016-07-27 09:47:27 -07:00
input
Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android
2016-08-11 12:15:55 +08:00
iommu
iommu/amd: Fix unity mapping initialization race
2016-07-27 09:47:32 -07:00
ipack
irqchip
irqchip/gic-v3: Configure all interrupts as non-secure Group-1
2016-06-01 12:15:49 -07:00
isdn
ser_gigaset: remove unnecessary kfree() calls from release method
2015-12-15 13:24:21 -05:00
leds
Merge tag 'spi-v4.4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
2015-11-05 13:15:12 -08:00
lguest
lightnvm
lightnvm: wrong offset in bad blk lun calculation
2015-12-29 08:28:32 -07:00
macintosh
drivers/macintosh: adb: fix misleading Kconfig help text
2015-10-15 20:31:59 +11:00
mailbox
mailbox: mailbox-test: avoid reading iomem twice
2015-11-04 14:03:04 +05:30
mcb
mcb: Fixed bar number assignment for the gdd
2016-06-01 12:15:53 -07:00
md
ANDROID: dm: android-verity: Allow android-verity to be compiled as an independent module
2016-09-14 14:26:20 +05:30
media
UPSTREAM: [media] xc2028: unlock on error in xc2028_set_config()
2016-09-14 14:26:32 +05:30
memory
memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing
2016-07-27 09:47:35 -07:00
memstick
message
Merge tag '4.4-scsi-mkp' into misc
2015-11-12 07:06:18 -05:00
mfd
mfd: intel_soc_pmic_core: Terminate panel control GPIO lookup table correctly
2016-06-07 18:14:34 -07:00
misc
Implement memory_state_time, used by qcom,cpubw
2016-08-18 18:56:03 +05:30
mmc
Android: MMC/UFS IO Latency Histograms.
2016-09-14 14:43:34 +05:30
mtd
Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android
2016-07-29 21:38:37 +01:00
net
BACKPORT: brcmfmac: defer DPC processing during probe
2016-08-18 18:56:03 +05:30
nfc
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2015-11-10 18:11:41 -08:00
ntb
NTB: fix 32-bit compiler warning
2015-11-08 16:24:43 -05:00
nubus
nvdimm
libnvdimm, pfn: fix uuid validation
2016-04-20 15:41:54 +09:00
nvme
NVMe: IO ending fixes on surprise removal
2015-12-22 10:12:04 -07:00
nvmem
nvmem: mxs-ocotp: fix buffer overflow in read
2016-05-11 11:21:21 +02:00
of
Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android
2016-07-29 21:38:37 +01:00
oprofile
parisc
parisc iommu: fix panic due to trying to allocate too large region
2015-12-12 16:07:25 +01:00
parport
pci
PCI: Disable all BAR sizing for devices with non-compliant BARs
2016-06-07 18:14:35 -07:00
pcmcia
pcmcia: db1xxx_ss: fix last irq_to_gpio user
2016-04-20 15:42:09 +09:00
perf
Merge tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
2015-11-04 14:47:13 -08:00
phy
phy: core: fix wrong err handle for phy_power_on
2016-03-03 15:07:28 -08:00
pinctrl
pinctrl: imx: Do not treat a PIN without MUX register as an error
2016-08-10 11:49:27 +02:00
platform
Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android
2016-08-11 12:15:55 +08:00
pnp
PNP: Add Broadwell to Intel MCH size workaround
2016-08-16 09:30:48 +02:00
power
Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android
2016-08-11 12:15:55 +08:00
powercap
powercap / RAPL: fix BIOS lock check
2015-12-12 02:31:11 +01:00
pps
pps: do not crash when failed to register
2016-08-10 11:49:25 +02:00
ps3
ptp
pwm
pwm: brcmstb: Fix check of devm_ioremap_resource() return code
2016-05-04 14:48:47 -07:00
rapidio
ras
regulator
regulator: axp20x: Fix axp22x ldo_io voltage ranges
2016-05-18 17:06:51 -07:00
remoteproc
remoteproc: fix memory leak of remoteproc ida cache layers
2015-11-26 17:44:28 +02:00
reset
rpmsg
rtc
Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android
2016-05-12 09:27:18 +08:00
s390
qeth: delete napi struct when removing a qeth device
2016-08-10 11:49:28 +02:00
sbus
scsi
Android: MMC/UFS IO Latency Histograms.
2016-09-14 14:43:34 +05:30
sfi
sh
drivers: sh: Restore legacy clock domain on SuperH platforms
2016-03-09 15:34:49 -08:00
sn
soc
soc: rockchip: power-domain: fix err handle while probing
2016-05-11 11:21:11 +02:00
spi
spi: sun4i: fix FIFO limit
2016-08-10 11:49:28 +02:00
spmi
Merge tag 'char-misc-4.4-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
2015-11-04 22:15:15 -08:00
ssb
ssb: add Kconfig entry for compiling SoC related code
2015-10-28 21:05:21 +02:00
staging
Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android
2016-08-18 12:33:31 +08:00
target
target: Fix target_release_cmd_kref shutdown comp leak
2016-04-12 09:09:02 -07:00
tc
thermal
thermal: cpu_cooling: fix improper order during initialization
2016-07-27 09:47:29 -07:00
thunderbolt
thunderbolt: Fix double free of drom buffer
2016-06-01 12:15:53 -07:00
tty
UPSTREAM: tty: Prevent ldisc drivers from re-using stale tty fields
2016-09-14 14:44:29 +05:30
uio
usb
UPSTREAM: usb: gadget: configfs: add mutex lock before unregister gadget
2016-08-18 18:56:03 +05:30
uwb
Merge tag 'driver-core-4.4-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
2015-11-04 21:50:37 -08:00
vfio
vfio: fix ioctl error handling
2016-03-09 15:34:50 -08:00
vhost
vhost: replace % with & on data path
2015-12-07 17:28:10 +02:00
video
Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android
2016-05-12 09:27:18 +08:00
virt
virtio
virtio_balloon: fix PFN format for virtio-1
2016-07-27 09:47:34 -07:00
vlynq
vme
Merge tag 'char-misc-4.4-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
2015-11-04 22:15:15 -08:00
w1
w1: ds2482: Manage SLPZ pin sleep state
2016-02-16 13:54:18 -08:00
watchdog
watchdog: rc32434_wdt: fix ioctl error handling
2016-04-12 09:08:54 -07:00
xen
xenbus: don't bail early from xenbus_dev_request_and_reply()
2016-08-10 11:49:26 +02:00
zorro
Kconfig
Revert "switch: switch class and GPIO drivers."
2016-05-19 12:32:41 +05:30
Makefile
Revert "switch: switch class and GPIO drivers."
2016-05-19 12:32:41 +05:30