releases/3.16.60/tty-avoid-possible-error-pointer-dereference-at-tty_ldisc_restore.patch - pub/scm/linux/kernel/git/bwh/linux-stable-queue - Git at Google

 From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
 Date: Mon, 16 Apr 2018 20:06:34 +0900
 Subject: tty: Avoid possible error pointer dereference at tty_ldisc_restore().

 commit 598c2d41ff44889dd8eced4f117403e472158d85 upstream.

 syzbot is reporting crashes [1] triggered by memory allocation failure at
 tty_ldisc_get() from tty_ldisc_restore(). While syzbot stops at WARN_ON()
 due to panic_on_warn == true, panic_on_warn == false will after all trigger
 an OOPS by dereferencing old->ops->num if IS_ERR(old) == true.

 We can simplify tty_ldisc_restore() as three calls (old->ops->num, N_TTY,
 N_NULL) to tty_ldisc_failto() in addition to avoiding possible error
 pointer dereference.

 If someone reports kernel panic triggered by forcing all memory allocations
 for tty_ldisc_restore() to fail, we can consider adding __GFP_NOFAIL for
 tty_ldisc_restore() case.

 [1] https://syzkaller.appspot.com/bug?id=6ac359c61e71d22e06db7f8f88243feb11d927e7

 Reported-by: syzbot+40b7287c2dc987c48c81@syzkaller.appspotmail.com
 Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 Cc: Jiri Slaby <jslaby@suse.com>
 Cc: Dmitry Vyukov <dvyukov@google.com>
 Cc: Johannes Weiner <hannes@cmpxchg.org>
 Cc: Alan Cox <alan@llwyncelyn.cymru>
 Cc: Christoph Hellwig <hch@lst.de>
 Cc: Michal Hocko <mhocko@suse.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 [bwh: Backported to 3.16: tty_name() requires a buffer]
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
  drivers/tty/tty_ldisc.c | 13 +++++--------
  1 file changed, 5 insertions(+), 8 deletions(-)

 --- a/drivers/tty/tty_ldisc.c
 +++ b/drivers/tty/tty_ldisc.c
 @@ -510,19 +510,16 @@ static void tty_ldisc_restore(struct tty
  	char buf[64];

  	/* There is an outstanding reference here so this is safe */
 -	old = tty_ldisc_get(tty, old->ops->num);
 -	WARN_ON(IS_ERR(old));
 -	tty->ldisc = old;
 -	tty_set_termios_ldisc(tty, old->ops->num);
 -	if (tty_ldisc_open(tty, old) < 0) {
 -		tty_ldisc_put(old);
 +	if (tty_ldisc_failto(tty, old->ops->num) < 0) {
 +		const char *name = tty_name(tty, buf);
 +
 +		pr_warn("Falling back ldisc for %s.\n", name);
  		/* The traditional behaviour is to fall back to N_TTY, we
  		   want to avoid falling back to N_NULL unless we have no
  		   choice to avoid the risk of breaking anything */
  		if (tty_ldisc_failto(tty, N_TTY) < 0 &&
  		    tty_ldisc_failto(tty, N_NULL) < 0)
 -			panic("Couldn't open N_NULL ldisc for %s.",
 -			      tty_name(tty, buf));
 +			panic("Couldn't open N_NULL ldisc for %s.", name);
  	}
  }
	From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
	Date: Mon, 16 Apr 2018 20:06:34 +0900
	Subject: tty: Avoid possible error pointer dereference at tty_ldisc_restore().

	commit 598c2d41ff44889dd8eced4f117403e472158d85 upstream.

	syzbot is reporting crashes [1] triggered by memory allocation failure at
	tty_ldisc_get() from tty_ldisc_restore(). While syzbot stops at WARN_ON()
	due to panic_on_warn == true, panic_on_warn == false will after all trigger
	an OOPS by dereferencing old->ops->num if IS_ERR(old) == true.

	We can simplify tty_ldisc_restore() as three calls (old->ops->num, N_TTY,
	N_NULL) to tty_ldisc_failto() in addition to avoiding possible error
	pointer dereference.

	If someone reports kernel panic triggered by forcing all memory allocations
	for tty_ldisc_restore() to fail, we can consider adding __GFP_NOFAIL for
	tty_ldisc_restore() case.

	[1] https://syzkaller.appspot.com/bug?id=6ac359c61e71d22e06db7f8f88243feb11d927e7

	Reported-by: syzbot+40b7287c2dc987c48c81@syzkaller.appspotmail.com
	Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
	Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Cc: Jiri Slaby <jslaby@suse.com>
	Cc: Dmitry Vyukov <dvyukov@google.com>
	Cc: Johannes Weiner <hannes@cmpxchg.org>
	Cc: Alan Cox <alan@llwyncelyn.cymru>
	Cc: Christoph Hellwig <hch@lst.de>
	Cc: Michal Hocko <mhocko@suse.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	[bwh: Backported to 3.16: tty_name() requires a buffer]
	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	---
	drivers/tty/tty_ldisc.c \| 13 +++++--------
	1 file changed, 5 insertions(+), 8 deletions(-)

	--- a/drivers/tty/tty_ldisc.c
	+++ b/drivers/tty/tty_ldisc.c
	@@ -510,19 +510,16 @@ static void tty_ldisc_restore(struct tty
	char buf[64];

	/* There is an outstanding reference here so this is safe */
	- old = tty_ldisc_get(tty, old->ops->num);
	- WARN_ON(IS_ERR(old));
	- tty->ldisc = old;
	- tty_set_termios_ldisc(tty, old->ops->num);
	- if (tty_ldisc_open(tty, old) < 0) {
	- tty_ldisc_put(old);
	+ if (tty_ldisc_failto(tty, old->ops->num) < 0) {
	+ const char *name = tty_name(tty, buf);
	+
	+ pr_warn("Falling back ldisc for %s.\n", name);
	/* The traditional behaviour is to fall back to N_TTY, we
	want to avoid falling back to N_NULL unless we have no
	choice to avoid the risk of breaking anything */
	if (tty_ldisc_failto(tty, N_TTY) < 0 &&
	tty_ldisc_failto(tty, N_NULL) < 0)
	- panic("Couldn't open N_NULL ldisc for %s.",
	- tty_name(tty, buf));
	+ panic("Couldn't open N_NULL ldisc for %s.", name);
	}
	}