| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 7 Apr 2017 05:12:05 +0100
From: Al Viro <viro@...IV.linux.org.uk>
To: Michael Neuling <mikey@...ling.org>
Cc: greg@...ah.com, johan Hovold <johan@...nel.org>,
Peter Hurley <peter@...leysoftware.com>,
Alexander Popov <alex.popov@...ux.com>,
Rob Herring <robh@...nel.org>,
Mikulas Patocka <mpatocka@...hat.com>,
Dmitry Vyukov <dvyukov@...gle.com>,
benh <benh@...nel.crashing.org>,
LKML <linux-kernel@...r.kernel.org>,
Wang YanQing <udknight@...il.com>, Jiri Slaby <jslaby@...e.com>
Subject: Re: [PATCH] tty: Fix crash with flush_to_ldisc()
On Fri, Apr 07, 2017 at 01:50:53PM +1000, Michael Neuling wrote:
> diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
> index bdf0e6e899..a2a9832a42 100644
> --- a/drivers/tty/n_tty.c
> +++ b/drivers/tty/n_tty.c
> @@ -1668,11 +1668,17 @@ static int
> n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
> char *fp, int count, int flow)
> {
> - struct n_tty_data *ldata = tty->disc_data;
> + struct n_tty_data *ldata;
> int room, n, rcvd = 0, overflow;
>
> down_read(&tty->termios_rwsem);
>
> + ldata = tty->disc_data;
> + if (!ldata) {
> + up_read(&tty->termios_rwsem);
I very much doubt that it's correct. It shouldn't have been called after
the n_tty_close(); apparently it has been. ->termios_rwsem won't serialize
against it, and something apparently has gone wrong with the exclusion there.
At the very least I would like to see what's to prevent n_tty_close() from
overlapping the exection of this function - if *that* is what broke, your
patch will only paper over the problem.
Powered by blists - more mailing lists