Message-Id: <1452494468-21359-1-git-send-email-peter@hurleysoftware.com>
Date:	Sun, 10 Jan 2016 22:40:49 -0800
From:	Peter Hurley <peter@...leysoftware.com>
To:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:	Jiri Slaby <jslaby@...e.cz>, linux-kernel@...r.kernel.org,
	Peter Hurley <peter@...leysoftware.com>
Subject: [PATCH v3 00/19] Fix driver crashes on hangup

Changes for v3:
	Marked "tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)" &
	       "n_tty: Fix unsafe reference to "other" ldisc" for stable
	Addressed Ben Hutchings' comment regarding speakup_paste_selection()
	Integrated Fengguang's fix for "cons_filp != 0"

Changes for v2:
	Rebased on top of current tty-next
	Reduced changes/re-titled patch 19

NB: Marcel already picked up "bluetooth: hci_ldisc: Remove dead code" for
    bluetooth-next

---
Hi Greg,

This series fixes the underlying design problem that leads to driver crashes
during hangup (e.g., Andi Kleen's report https://lkml.org/lkml/2015/11/9/786).

Quoting from patch 17/19:

    Currently, when the tty is hungup, the ldisc is re-instanced; ie., the
    current instance is destroyed and a new instance is created. The purpose
    of this design was to guarantee a valid, open ldisc for the lifetime of
    the tty.

    However, now that tty buffers are owned by and have lifetime equivalent
    to the tty_port (since v3.10), any data received immediately after the
    ldisc is re-instanced may cause continued driver i/o operations
    concurrently with the driver's hangup() operation. For drivers that
    shut down h/w on hangup, this is unexpected and usually bad. For example,
    the serial core may free the xmit buffer page concurrently with an
    in-progress write() operation (triggered by echo).

    With the existing stable and robust ldisc reference handling, the
    cleaned-up tty_reopen(), the straggling unsafe ldisc use cleaned up, and
    the preparation to properly handle a NULL tty->ldisc, the ldisc instance
    can be destroyed and only re-instanced when the tty is re-opened.

With this patch series, the tty core now guarantees no further driver/ldisc
interactions after hangup.

Patches 1-4 remove direct tty->ldisc access outside the tty core.
Patch 5 removes the defunct chars_in_buffer() ldisc method (which has been
        deprecated since 3.12).
Patches 6 & 7 fix unsafe ldisc uses which coincidentally have been discovered
        to cause crashes (https://lkml.org/lkml/2015/11/26/173 and
        https://lkml.org/lkml/2015/11/26/253). These have been tagged for
        -stable.
Patches 8-16 are preparations: documenting existing functions and refactoring.
        Patch 12 adds handling for the possibility of NULL ldisc references
        after tty_ldisc_ref_wait(); that commit log details the logic of
        why/how that works.
Patch 17 implements the fix: the ldisc instance is killed and left dead.
        At tty_reopen(), if the tty->ldisc is NULL, a new ldisc is instanced.
Patches 18-19 are minor add-ons.

Regards,


Peter Hurley (19):
  staging: digi: Replace open-coded tty_wakeup()
  serial: 68328: Remove bogus ldisc reset
  bluetooth: hci_ldisc: Remove dead code
  NFC: nci: Remove dead code
  tty: Remove chars_in_buffer() line discipline method
  tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
  n_tty: Fix unsafe reference to "other" ldisc
  tty: Reset c_line from driver's init_termios
  staging/speakup: Use tty_ldisc_ref() for paste kworker
  tty: Fix comments for tty_ldisc_get()
  tty: Fix comments for tty_ldisc_release()
  tty: Prepare for destroying line discipline on hangup
  tty: Handle NULL tty->ldisc
  tty: Move tty_ldisc_kill()
  tty: Use 'disc' for line discipline index name
  tty: Refactor tty_ldisc_reinit() for reuse
  tty: Destroy ldisc instance on hangup
  tty: Document c_line == N_TTY initial condition
  tty: Avoid unnecessary temporaries for tty->ldisc

 Documentation/serial/tty.txt        |   3 -
 drivers/bluetooth/hci_ldisc.c       |   8 +-
 drivers/staging/dgap/dgap.c         |  28 ++----
 drivers/staging/dgnc/dgnc_tty.c     |  18 +---
 drivers/staging/speakup/selection.c |   5 +-
 drivers/tty/amiserial.c             |   6 +-
 drivers/tty/cyclades.c              |   8 +-
 drivers/tty/n_gsm.c                 |  16 ----
 drivers/tty/n_tty.c                 |  30 +------
 drivers/tty/rocket.c                |   6 +-
 drivers/tty/serial/68328serial.c    |  12 +--
 drivers/tty/serial/crisv10.c        |  12 ++-
 drivers/tty/tty_io.c                |  64 +++++++++++---
 drivers/tty/tty_ldisc.c             | 171 ++++++++++++++++++++----------------
 drivers/tty/vt/selection.c          |   2 +
 include/linux/tty.h                 |   5 +-
 include/linux/tty_ldisc.h           |   7 --
 net/nfc/nci/uart.c                  |   9 +-
 18 files changed, 180 insertions(+), 230 deletions(-)

-- 
2.7.0
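The lifecycle change described in the cover letter, modelled in user space as an added example (this is not code from the series or from the kernel): `hangup()` either re-instances the ldisc immediately (old design) or leaves `tty->ldisc` NULL until `reopen()` (new design), and `receive_buf()` stands in for any ldisc caller that must now tolerate a NULL reference. All struct and function names are hypothetical stand-ins, not the kernel's tty_ldisc API.

```c
/* Added example, not code from the patch series: a user-space model of the
 * hangup/ldisc lifecycle described above. All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
struct ldisc { int rx_bytes; };
struct tty {
    struct ldisc *ldisc;            /* NULL after hangup in the new design */
    bool hw_up;                     /* driver hardware state               */
    int writes_after_hangup;        /* driver i/o racing with hangup       */
};

static void hangup(struct tty *t, bool reinstance)
{
    t->hw_up = false;               /* driver shuts down its h/w           */
    free(t->ldisc);
    /* Old design: re-instance at once, so data received right after
     * hangup is still processed. New design: leave NULL until reopen(). */
    t->ldisc = reinstance ? calloc(1, sizeof *t->ldisc) : NULL;
}

/* Callers must now tolerate a NULL ldisc reference (cf. patch 12). */
static void receive_buf(struct tty *t, size_t n)
{
    if (!t->ldisc)
        return;                     /* hung up: drop, no driver activity   */
    t->ldisc->rx_bytes += (int)n;
    if (!t->hw_up)                  /* echo write() against dead h/w       */
        t->writes_after_hangup++;
}

static void reopen(struct tty *t)
{
    t->hw_up = true;
    if (!t->ldisc)                  /* the only place a new ldisc is made  */
        t->ldisc = calloc(1, sizeof *t->ldisc);
}

/* Returns how many driver writes raced with hangup under a given design. */
int simulate(bool old_design)
{
    struct tty t = { calloc(1, sizeof(struct ldisc)), true, 0 };
    receive_buf(&t, 2);             /* normal traffic                      */
    hangup(&t, old_design);
    receive_buf(&t, 2);             /* data arriving right after hangup    */
    reopen(&t);
    receive_buf(&t, 2);             /* traffic after reopen is fine        */
    free(t.ldisc);
    return t.writes_after_hangup;
}
```

`simulate(true)` reports one driver write after hangup (the race the series removes); `simulate(false)` reports none, since the dropped input never reaches a dead ldisc.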
