| From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
| Date: Mon, 16 Apr 2018 20:06:34 +0900 |
| Subject: tty: Avoid possible error pointer dereference at tty_ldisc_restore(). |
| |
| commit 598c2d41ff44889dd8eced4f117403e472158d85 upstream. |
| |
| syzbot is reporting crashes [1] triggered by memory allocation failure at |
| tty_ldisc_get() from tty_ldisc_restore(). While syzbot stops at WARN_ON() |
| due to panic_on_warn == true, panic_on_warn == false will after all trigger |
| an OOPS by dereferencing old->ops->num if IS_ERR(old) == true. |
| |
| We can simplify tty_ldisc_restore() as three calls (old->ops->num, N_TTY, |
| N_NULL) to tty_ldisc_failto() in addition to avoiding possible error |
| pointer dereference. |
| |
| If someone reports kernel panic triggered by forcing all memory allocations |
| for tty_ldisc_restore() to fail, we can consider adding __GFP_NOFAIL for |
| tty_ldisc_restore() case. |
| |
| [1] https://syzkaller.appspot.com/bug?id=6ac359c61e71d22e06db7f8f88243feb11d927e7 |
| |
| Reported-by: syzbot+40b7287c2dc987c48c81@syzkaller.appspotmail.com |
| Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
| Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Cc: Jiri Slaby <jslaby@suse.com> |
| Cc: Dmitry Vyukov <dvyukov@google.com> |
| Cc: Johannes Weiner <hannes@cmpxchg.org> |
| Cc: Alan Cox <alan@llwyncelyn.cymru> |
| Cc: Christoph Hellwig <hch@lst.de> |
| Cc: Michal Hocko <mhocko@suse.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| [bwh: Backported to 3.16: tty_name() requires a buffer] |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| drivers/tty/tty_ldisc.c | 13 +++++-------- |
| 1 file changed, 5 insertions(+), 8 deletions(-) |
| |
| --- a/drivers/tty/tty_ldisc.c |
| +++ b/drivers/tty/tty_ldisc.c |
| @@ -510,19 +510,16 @@ static void tty_ldisc_restore(struct tty |
| char buf[64]; |
| |
| /* There is an outstanding reference here so this is safe */ |
| - old = tty_ldisc_get(tty, old->ops->num); |
| - WARN_ON(IS_ERR(old)); |
| - tty->ldisc = old; |
| - tty_set_termios_ldisc(tty, old->ops->num); |
| - if (tty_ldisc_open(tty, old) < 0) { |
| - tty_ldisc_put(old); |
| + if (tty_ldisc_failto(tty, old->ops->num) < 0) { |
| + const char *name = tty_name(tty, buf); |
| + |
| + pr_warn("Falling back ldisc for %s.\n", name); |
| /* The traditional behaviour is to fall back to N_TTY, we |
| want to avoid falling back to N_NULL unless we have no |
| choice to avoid the risk of breaking anything */ |
| if (tty_ldisc_failto(tty, N_TTY) < 0 && |
| tty_ldisc_failto(tty, N_NULL) < 0) |
| - panic("Couldn't open N_NULL ldisc for %s.", |
| - tty_name(tty, buf)); |
| + panic("Couldn't open N_NULL ldisc for %s.", name); |
| } |
| } |
| |