From: Johannes Weiner <hannes@cmpxchg.org> To: Andrew Morton <akpm@linux-foundation.org> Cc: Alan Cox <alan@llwyncelyn.cymru>, Christoph Hellwig <hch@lst.de>, Michal Hocko <mhocko@suse.com>, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-team@fb.com Subject: [PATCH 2/2] tty: fall back to N_NULL if switching to N_TTY fails during hangup Date: Wed, 4 Oct 2017 14:59:59 -0400 [thread overview] Message-ID: <20171004185959.GC2136@cmpxchg.org> (raw) In-Reply-To: <20171004185813.GA2136@cmpxchg.org> We have seen NULL-pointer dereference crashes in tty->disc_data when the N_TTY fallback driver failed to open during hangup. The immediate cause of this open to fail has been addressed in the preceding patch to vmalloc(), but this code could be more robust. As Alan pointed out in 8a8dabf2dd68 ("tty: handle the case where we cannot restore a line discipline"), the N_TTY driver, historically the safe fallback that could never fail, can indeed fail, but the surrounding code is not prepared to handle this. To avoid crashes he added a new N_NULL driver to take N_TTY's place as the last resort. Hook that fallback up to the hangup path. Update tty_ldisc_reinit() to reflect the reality that n_tty_open can indeed fail. Signed-off-by: Johannes Weiner <hannes@cmpxchg.org> --- drivers/tty/tty_ldisc.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c index 2fe216b276e2..84a8ac2a779f 100644 --- a/drivers/tty/tty_ldisc.c +++ b/drivers/tty/tty_ldisc.c @@ -694,10 +694,8 @@ int tty_ldisc_reinit(struct tty_struct *tty, int disc) tty_set_termios_ldisc(tty, disc); retval = tty_ldisc_open(tty, tty->ldisc); if (retval) { - if (!WARN_ON(disc == N_TTY)) { - tty_ldisc_put(tty->ldisc); - tty->ldisc = NULL; - } + tty_ldisc_put(tty->ldisc); + tty->ldisc = NULL; } return retval; } @@ -752,8 +750,9 @@ void tty_ldisc_hangup(struct tty_struct *tty, bool reinit) if (tty->ldisc) { if (reinit) { - if (tty_ldisc_reinit(tty, tty->termios.c_line) < 0) - tty_ldisc_reinit(tty, N_TTY); + if (tty_ldisc_reinit(tty, tty->termios.c_line) < 0 && + tty_ldisc_reinit(tty, N_TTY) < 0) + WARN_ON(tty_ldisc_reinit(tty, N_NULL) < 0); } else tty_ldisc_kill(tty); } -- 2.14.1
WARNING: multiple messages have this Message-ID (diff)
From: Johannes Weiner <hannes@cmpxchg.org> To: Andrew Morton <akpm@linux-foundation.org> Cc: Alan Cox <alan@llwyncelyn.cymru>, Christoph Hellwig <hch@lst.de>, Michal Hocko <mhocko@suse.com>, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-team@fb.com Subject: [PATCH 2/2] tty: fall back to N_NULL if switching to N_TTY fails during hangup Date: Wed, 4 Oct 2017 14:59:59 -0400 [thread overview] Message-ID: <20171004185959.GC2136@cmpxchg.org> (raw) In-Reply-To: <20171004185813.GA2136@cmpxchg.org> We have seen NULL-pointer dereference crashes in tty->disc_data when the N_TTY fallback driver failed to open during hangup. The immediate cause of this open to fail has been addressed in the preceding patch to vmalloc(), but this code could be more robust. As Alan pointed out in 8a8dabf2dd68 ("tty: handle the case where we cannot restore a line discipline"), the N_TTY driver, historically the safe fallback that could never fail, can indeed fail, but the surrounding code is not prepared to handle this. To avoid crashes he added a new N_NULL driver to take N_TTY's place as the last resort. Hook that fallback up to the hangup path. Update tty_ldisc_reinit() to reflect the reality that n_tty_open can indeed fail. Signed-off-by: Johannes Weiner <hannes@cmpxchg.org> --- drivers/tty/tty_ldisc.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c index 2fe216b276e2..84a8ac2a779f 100644 --- a/drivers/tty/tty_ldisc.c +++ b/drivers/tty/tty_ldisc.c @@ -694,10 +694,8 @@ int tty_ldisc_reinit(struct tty_struct *tty, int disc) tty_set_termios_ldisc(tty, disc); retval = tty_ldisc_open(tty, tty->ldisc); if (retval) { - if (!WARN_ON(disc == N_TTY)) { - tty_ldisc_put(tty->ldisc); - tty->ldisc = NULL; - } + tty_ldisc_put(tty->ldisc); + tty->ldisc = NULL; } return retval; } @@ -752,8 +750,9 @@ void tty_ldisc_hangup(struct tty_struct *tty, bool reinit) if (tty->ldisc) { if (reinit) { - if (tty_ldisc_reinit(tty, tty->termios.c_line) < 0) - tty_ldisc_reinit(tty, N_TTY); + if (tty_ldisc_reinit(tty, tty->termios.c_line) < 0 && + tty_ldisc_reinit(tty, N_TTY) < 0) + WARN_ON(tty_ldisc_reinit(tty, N_NULL) < 0); } else tty_ldisc_kill(tty); } -- 2.14.1 -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2017-10-04 19:00 UTC|newest] Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-10-03 22:55 tty crash due to auto-failing vmalloc Johannes Weiner 2017-10-03 22:55 ` Johannes Weiner 2017-10-03 23:51 ` Alan Cox 2017-10-03 23:51 ` Alan Cox 2017-10-04 8:33 ` Michal Hocko 2017-10-04 8:33 ` Michal Hocko 2017-10-04 18:58 ` Johannes Weiner 2017-10-04 18:58 ` Johannes Weiner 2017-10-04 18:59 ` [PATCH 1/2] Revert "vmalloc: back off when the current task is killed" Johannes Weiner 2017-10-04 18:59 ` Johannes Weiner 2017-10-04 20:49 ` Tetsuo Handa 2017-10-04 20:49 ` Tetsuo Handa 2017-10-04 21:00 ` Johannes Weiner 2017-10-04 21:00 ` Johannes Weiner 2017-10-04 21:42 ` Tetsuo Handa 2017-10-04 21:42 ` Tetsuo Handa 2017-10-04 23:21 ` Johannes Weiner 2017-10-04 23:21 ` Johannes Weiner 2017-10-04 22:32 ` Andrew Morton 2017-10-04 22:32 ` Andrew Morton 2017-10-04 23:18 ` Johannes Weiner 2017-10-04 23:18 ` Johannes Weiner 2017-10-05 7:57 ` Michal Hocko 2017-10-05 7:57 ` Michal Hocko 2017-10-05 10:36 ` Tetsuo Handa 2017-10-05 10:36 ` Tetsuo Handa 2017-10-05 10:49 ` Michal Hocko 2017-10-05 10:49 ` Michal Hocko 2017-10-07 2:21 ` Tetsuo Handa 2017-10-07 2:21 ` Tetsuo Handa 2017-10-07 2:51 ` Johannes Weiner 2017-10-07 2:51 ` Johannes Weiner 2017-10-07 4:05 ` Tetsuo Handa 2017-10-07 4:05 ` Tetsuo Handa 2017-10-07 7:59 ` Michal Hocko 2017-10-07 7:59 ` Michal Hocko 2017-10-07 9:57 ` Tetsuo Handa 2017-10-07 9:57 ` Tetsuo Handa 2017-10-05 6:49 ` Vlastimil Babka 2017-10-05 6:49 ` Vlastimil Babka 2017-10-05 7:54 ` Michal Hocko 2017-10-05 7:54 ` Michal Hocko 2017-10-04 18:59 ` Johannes Weiner [this message] 2017-10-04 18:59 ` [PATCH 2/2] tty: fall back to N_NULL if switching to N_TTY fails during hangup Johannes Weiner
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20171004185959.GC2136@cmpxchg.org \ --to=hannes@cmpxchg.org \ --cc=akpm@linux-foundation.org \ --cc=alan@llwyncelyn.cymru \ --cc=hch@lst.de \ --cc=kernel-team@fb.com \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-mm@kvack.org \ --cc=mhocko@suse.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.