mm-mempolicy-fix-uninit-value-in-mpol_rebind_policy.patch
bpf-make-sure-mac_header-was-set-before-using-it.patch
alsa-memalloc-align-buffer-allocations-in-page-size.patch
+tty-drivers-tty-stop-using-tty_schedule_flip.patch
+tty-the-rest-stop-using-tty_schedule_flip.patch
+tty-drop-tty_schedule_flip.patch
+tty-extract-tty_flip_buffer_commit-from-tty_flip_buffer_push.patch
+tty-use-new-tty_insert_flip_string_and_push_buffer-in-pty_write.patch
--- /dev/null
+From 5f6a85158ccacc3f09744b3aafe8b11ab3b6c6f6 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Mon, 22 Nov 2021 12:16:46 +0100
+Subject: tty: drivers/tty/, stop using tty_schedule_flip()
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit 5f6a85158ccacc3f09744b3aafe8b11ab3b6c6f6 upstream.
+
+Since commit a9c3f68f3cd8d (tty: Fix low_latency BUG) in 2014,
+tty_flip_buffer_push() is only a wrapper to tty_schedule_flip(). We are
+going to remove the latter (as it is used less), so call the former in
+drivers/tty/.
+
+Cc: Vladimir Zapolskiy <vz@mleia.com>
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Link: https://lore.kernel.org/r/20211122111648.30379-2-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/cyclades.c | 6 +++---
+ drivers/tty/goldfish.c | 2 +-
+ drivers/tty/moxa.c | 4 ++--
+ drivers/tty/serial/lpc32xx_hs.c | 2 +-
+ drivers/tty/vt/keyboard.c | 6 +++---
+ drivers/tty/vt/vt.c | 2 +-
+ 6 files changed, 11 insertions(+), 11 deletions(-)
+
+--- a/drivers/tty/cyclades.c
++++ b/drivers/tty/cyclades.c
+@@ -556,7 +556,7 @@ static void cyy_chip_rx(struct cyclades_
+ }
+ info->idle_stats.recv_idle = jiffies;
+ }
+- tty_schedule_flip(port);
++ tty_flip_buffer_push(port);
+
+ /* end of service */
+ cyy_writeb(info, CyRIR, save_xir & 0x3f);
+@@ -998,7 +998,7 @@ static void cyz_handle_rx(struct cyclade
+ jiffies + 1);
+ #endif
+ info->idle_stats.recv_idle = jiffies;
+- tty_schedule_flip(&info->port);
++ tty_flip_buffer_push(&info->port);
+
+ /* Update rx_get */
+ cy_writel(&buf_ctrl->rx_get, new_rx_get);
+@@ -1174,7 +1174,7 @@ static void cyz_handle_cmd(struct cyclad
+ if (delta_count)
+ wake_up_interruptible(&info->port.delta_msr_wait);
+ if (special_count)
+- tty_schedule_flip(&info->port);
++ tty_flip_buffer_push(&info->port);
+ }
+ }
+
+--- a/drivers/tty/goldfish.c
++++ b/drivers/tty/goldfish.c
+@@ -85,7 +85,7 @@ static irqreturn_t goldfish_tty_interrup
+ writel(count, base + GOLDFISH_TTY_DATA_LEN);
+ writel(GOLDFISH_TTY_CMD_READ_BUFFER, base + GOLDFISH_TTY_CMD);
+ spin_unlock_irqrestore(&qtty->lock, irq_flags);
+- tty_schedule_flip(&qtty->port);
++ tty_flip_buffer_push(&qtty->port);
+ return IRQ_HANDLED;
+ }
+
+--- a/drivers/tty/moxa.c
++++ b/drivers/tty/moxa.c
+@@ -1397,7 +1397,7 @@ static int moxa_poll_port(struct moxa_po
+ if (inited && !tty_throttled(tty) &&
+ MoxaPortRxQueue(p) > 0) { /* RX */
+ MoxaPortReadData(p);
+- tty_schedule_flip(&p->port);
++ tty_flip_buffer_push(&p->port);
+ }
+ } else {
+ clear_bit(EMPTYWAIT, &p->statusflags);
+@@ -1422,7 +1422,7 @@ static int moxa_poll_port(struct moxa_po
+
+ if (tty && (intr & IntrBreak) && !I_IGNBRK(tty)) { /* BREAK */
+ tty_insert_flip_char(&p->port, 0, TTY_BREAK);
+- tty_schedule_flip(&p->port);
++ tty_flip_buffer_push(&p->port);
+ }
+
+ if (intr & IntrLine)
+--- a/drivers/tty/serial/lpc32xx_hs.c
++++ b/drivers/tty/serial/lpc32xx_hs.c
+@@ -350,7 +350,7 @@ static irqreturn_t serial_lpc32xx_interr
+ LPC32XX_HSUART_IIR(port->membase));
+ port->icount.overrun++;
+ tty_insert_flip_char(tport, 0, TTY_OVERRUN);
+- tty_schedule_flip(tport);
++ tty_flip_buffer_push(tport);
+ }
+
+ /* Data received? */
+--- a/drivers/tty/vt/keyboard.c
++++ b/drivers/tty/vt/keyboard.c
+@@ -308,7 +308,7 @@ int kbd_rate(struct kbd_repeat *rpt)
+ static void put_queue(struct vc_data *vc, int ch)
+ {
+ tty_insert_flip_char(&vc->port, ch, 0);
+- tty_schedule_flip(&vc->port);
++ tty_flip_buffer_push(&vc->port);
+ }
+
+ static void puts_queue(struct vc_data *vc, char *cp)
+@@ -317,7 +317,7 @@ static void puts_queue(struct vc_data *v
+ tty_insert_flip_char(&vc->port, *cp, 0);
+ cp++;
+ }
+- tty_schedule_flip(&vc->port);
++ tty_flip_buffer_push(&vc->port);
+ }
+
+ static void applkey(struct vc_data *vc, int key, char mode)
+@@ -562,7 +562,7 @@ static void fn_inc_console(struct vc_dat
+ static void fn_send_intr(struct vc_data *vc)
+ {
+ tty_insert_flip_char(&vc->port, 0, TTY_BREAK);
+- tty_schedule_flip(&vc->port);
++ tty_flip_buffer_push(&vc->port);
+ }
+
+ static void fn_scroll_forw(struct vc_data *vc)
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -1484,7 +1484,7 @@ static void respond_string(const char *p
+ tty_insert_flip_char(port, *p, 0);
+ p++;
+ }
+- tty_schedule_flip(port);
++ tty_flip_buffer_push(port);
+ }
+
+ static void cursor_report(struct vc_data *vc, struct tty_struct *tty)
--- /dev/null
+From 5db96ef23bda6c2a61a51693c85b78b52d03f654 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Mon, 22 Nov 2021 12:16:48 +0100
+Subject: tty: drop tty_schedule_flip()
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit 5db96ef23bda6c2a61a51693c85b78b52d03f654 upstream.
+
+Since commit a9c3f68f3cd8d (tty: Fix low_latency BUG) in 2014,
+tty_flip_buffer_push() is only a wrapper to tty_schedule_flip(). All
+users were converted in the previous patches, so remove
+tty_schedule_flip() completely while inlining its body into
+tty_flip_buffer_push().
+
+One less exported function.
+
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Link: https://lore.kernel.org/r/20211122111648.30379-4-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/tty_buffer.c | 30 ++++++++----------------------
+ include/linux/tty_flip.h | 1 -
+ 2 files changed, 8 insertions(+), 23 deletions(-)
+
+--- a/drivers/tty/tty_buffer.c
++++ b/drivers/tty/tty_buffer.c
+@@ -389,27 +389,6 @@ int __tty_insert_flip_char(struct tty_po
+ EXPORT_SYMBOL(__tty_insert_flip_char);
+
+ /**
+- * tty_schedule_flip - push characters to ldisc
+- * @port: tty port to push from
+- *
+- * Takes any pending buffers and transfers their ownership to the
+- * ldisc side of the queue. It then schedules those characters for
+- * processing by the line discipline.
+- */
+-
+-void tty_schedule_flip(struct tty_port *port)
+-{
+- struct tty_bufhead *buf = &port->buf;
+-
+- /* paired w/ acquire in flush_to_ldisc(); ensures
+- * flush_to_ldisc() sees buffer data.
+- */
+- smp_store_release(&buf->tail->commit, buf->tail->used);
+- queue_work(system_unbound_wq, &buf->work);
+-}
+-EXPORT_SYMBOL(tty_schedule_flip);
+-
+-/**
+ * tty_prepare_flip_string - make room for characters
+ * @port: tty port
+ * @chars: return pointer for character write area
+@@ -560,7 +539,14 @@ static void flush_to_ldisc(struct work_s
+
+ void tty_flip_buffer_push(struct tty_port *port)
+ {
+- tty_schedule_flip(port);
++ struct tty_bufhead *buf = &port->buf;
++
++ /*
++ * Paired w/ acquire in flush_to_ldisc(); ensures flush_to_ldisc() sees
++ * buffer data.
++ */
++ smp_store_release(&buf->tail->commit, buf->tail->used);
++ queue_work(system_unbound_wq, &buf->work);
+ }
+ EXPORT_SYMBOL(tty_flip_buffer_push);
+
+--- a/include/linux/tty_flip.h
++++ b/include/linux/tty_flip.h
+@@ -11,7 +11,6 @@ extern int tty_insert_flip_string_fixed_
+ extern int tty_prepare_flip_string(struct tty_port *port,
+ unsigned char **chars, size_t size);
+ extern void tty_flip_buffer_push(struct tty_port *port);
+-void tty_schedule_flip(struct tty_port *port);
+ int __tty_insert_flip_char(struct tty_port *port, unsigned char ch, char flag);
+
+ static inline int tty_insert_flip_char(struct tty_port *port,
--- /dev/null
+From 716b10580283fda66f2b88140e3964f8a7f9da89 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Thu, 7 Jul 2022 10:25:57 +0200
+Subject: tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit 716b10580283fda66f2b88140e3964f8a7f9da89 upstream.
+
+We will need this new helper in the next patch.
+
+Cc: Hillf Danton <hdanton@sina.com>
+Cc: 一只狗 <chennbnbnb@gmail.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Link: https://lore.kernel.org/r/20220707082558.9250-1-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/tty_buffer.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/drivers/tty/tty_buffer.c
++++ b/drivers/tty/tty_buffer.c
+@@ -526,6 +526,15 @@ static void flush_to_ldisc(struct work_s
+ tty_ldisc_deref(disc);
+ }
+
++static inline void tty_flip_buffer_commit(struct tty_buffer *tail)
++{
++ /*
++ * Paired w/ acquire in flush_to_ldisc(); ensures flush_to_ldisc() sees
++ * buffer data.
++ */
++ smp_store_release(&tail->commit, tail->used);
++}
++
+ /**
+ * tty_flip_buffer_push - terminal
+ * @port: tty port to push
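Review bot: tty_flip_buffer_commit() publishes `tail->used` into `tail->commit`, but its comment covers only the release/acquire pairing with flush_to_ldisc() and says nothing about what the caller must hold. tty_flip_buffer_push() in the next hunk calls it without port->lock, and the pty_write() fix later in this series closes a race precisely by doing the insert and this commit under that lock. I would extend the comment with a sentence such as `Callers that can race with another producer on the same port must hold port->lock across the insert and this commit.` so the contract is recorded where the store happens.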
+@@ -541,11 +550,7 @@ void tty_flip_buffer_push(struct tty_por
+ {
+ struct tty_bufhead *buf = &port->buf;
+
+- /*
+- * Paired w/ acquire in flush_to_ldisc(); ensures flush_to_ldisc() sees
+- * buffer data.
+- */
+- smp_store_release(&buf->tail->commit, buf->tail->used);
++ tty_flip_buffer_commit(buf->tail);
+ queue_work(system_unbound_wq, &buf->work);
+ }
+ EXPORT_SYMBOL(tty_flip_buffer_push);
--- /dev/null
+From b68b914494df4f79b4e9b58953110574af1cb7a2 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Mon, 22 Nov 2021 12:16:47 +0100
+Subject: tty: the rest, stop using tty_schedule_flip()
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit b68b914494df4f79b4e9b58953110574af1cb7a2 upstream.
+
+Since commit a9c3f68f3cd8d (tty: Fix low_latency BUG) in 2014,
+tty_flip_buffer_push() is only a wrapper to tty_schedule_flip(). We are
+going to remove the latter (as it is used less), so call the former in
+the rest of the users.
+
+Cc: Richard Henderson <rth@twiddle.net>
+Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
+Cc: Matt Turner <mattst88@gmail.com>
+Cc: William Hubbs <w.d.hubbs@gmail.com>
+Cc: Chris Brannon <chris@the-brannons.com>
+Cc: Kirk Reiser <kirk@reisers.ca>
+Cc: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Cc: Heiko Carstens <hca@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: Alexander Gordeev <agordeev@linux.ibm.com>
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Link: https://lore.kernel.org/r/20211122111648.30379-3-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/alpha/kernel/srmcons.c | 2 +-
+ drivers/s390/char/keyboard.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/alpha/kernel/srmcons.c
++++ b/arch/alpha/kernel/srmcons.c
+@@ -58,7 +58,7 @@ srmcons_do_receive_chars(struct tty_port
+ } while((result.bits.status & 1) && (++loops < 10));
+
+ if (count)
+- tty_schedule_flip(port);
++ tty_flip_buffer_push(port);
+
+ return count;
+ }
+--- a/drivers/s390/char/keyboard.h
++++ b/drivers/s390/char/keyboard.h
+@@ -44,7 +44,7 @@ static inline void
+ kbd_put_queue(struct tty_port *port, int ch)
+ {
+ tty_insert_flip_char(port, ch, 0);
+- tty_schedule_flip(port);
++ tty_flip_buffer_push(port);
+ }
+
+ static inline void
+@@ -52,5 +52,5 @@ kbd_puts_queue(struct tty_port *port, ch
+ {
+ while (*cp)
+ tty_insert_flip_char(port, *cp++, 0);
+- tty_schedule_flip(port);
++ tty_flip_buffer_push(port);
+ }
--- /dev/null
+From a501ab75e7624d133a5a3c7ec010687c8b961d23 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Thu, 7 Jul 2022 10:25:58 +0200
+Subject: tty: use new tty_insert_flip_string_and_push_buffer() in pty_write()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit a501ab75e7624d133a5a3c7ec010687c8b961d23 upstream.
+
+There is a race in pty_write(). pty_write() can be called in parallel
+with e.g. ioctl(TIOCSTI) or ioctl(TCXONC) which also inserts chars to
+the buffer. Provided, tty_flip_buffer_push() in pty_write() is called
+outside the lock, it can commit inconsistent tail. This can lead to out
+of bounds writes and other issues. See the Link below.
+
+To fix this, we have to introduce a new helper called
+tty_insert_flip_string_and_push_buffer(). It does both
+tty_insert_flip_string() and tty_flip_buffer_commit() under the port
+lock. It also calls queue_work(), but outside the lock. See
+71a174b39f10 (pty: do tty_flip_buffer_push without port->lock in
+pty_write) for the reasons.
+
+Keep the helper internal-only (in drivers' tty.h). It is not intended to
+be used widely.
+
+Link: https://seclists.org/oss-sec/2022/q2/155
+Fixes: 71a174b39f10 (pty: do tty_flip_buffer_push without port->lock in pty_write)
+Cc: 一只狗 <chennbnbnb@gmail.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Suggested-by: Hillf Danton <hdanton@sina.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Link: https://lore.kernel.org/r/20220707082558.9250-2-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/pty.c | 14 ++------------
+ drivers/tty/tty_buffer.c | 31 +++++++++++++++++++++++++++++++
+ include/linux/tty_flip.h | 3 +++
+ 3 files changed, 36 insertions(+), 12 deletions(-)
+
+--- a/drivers/tty/pty.c
++++ b/drivers/tty/pty.c
+@@ -106,21 +106,11 @@ static void pty_unthrottle(struct tty_st
+ static int pty_write(struct tty_struct *tty, const unsigned char *buf, int c)
+ {
+ struct tty_struct *to = tty->link;
+- unsigned long flags;
+
+- if (tty->stopped)
++ if (tty->stopped || !c)
+ return 0;
+
+- if (c > 0) {
+- spin_lock_irqsave(&to->port->lock, flags);
+- /* Stuff the data into the input queue of the other end */
+- c = tty_insert_flip_string(to->port, buf, c);
+- spin_unlock_irqrestore(&to->port->lock, flags);
+- /* And shovel */
+- if (c)
+- tty_flip_buffer_push(to->port);
+- }
+- return c;
++ return tty_insert_flip_string_and_push_buffer(to->port, buf, c);
+ }
+
+ /**
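Review bot: The new guard `if (tty->stopped || !c)` in pty_write() rejects only a zero count, whereas the removed code entered the insert path only for `c > 0`. `c` is an `int` and the helper takes a `size_t`, so a negative value would now be converted to a very large length before it reaches tty_insert_flip_string(). Whether any caller can pass a negative count is not visible in this hunk, but keeping the old bound is cheap: `if (tty->stopped || c <= 0) return 0;`. That returns 0 for a negative count, where the old code passed the value through unchanged.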
+--- a/drivers/tty/tty_buffer.c
++++ b/drivers/tty/tty_buffer.c
+@@ -556,6 +556,37 @@ void tty_flip_buffer_push(struct tty_por
+ EXPORT_SYMBOL(tty_flip_buffer_push);
+
+ /**
++ * tty_insert_flip_string_and_push_buffer - add characters to the tty buffer and
++ * push
++ * @port: tty port
++ * @chars: characters
++ * @size: size
++ *
++ * The function combines tty_insert_flip_string() and tty_flip_buffer_push()
++ * with the exception of properly holding the @port->lock.
++ *
++ * To be used only internally (by pty currently).
++ *
++ * Returns: the number added.
++ */
++int tty_insert_flip_string_and_push_buffer(struct tty_port *port,
++ const unsigned char *chars, size_t size)
++{
++ struct tty_bufhead *buf = &port->buf;
++ unsigned long flags;
++
++ spin_lock_irqsave(&port->lock, flags);
++ size = tty_insert_flip_string(port, chars, size);
++ if (size)
++ tty_flip_buffer_commit(buf->tail);
++ spin_unlock_irqrestore(&port->lock, flags);
++
++ queue_work(system_unbound_wq, &buf->work);
++
++ return size;
++}
++
++/**
+ * tty_buffer_init - prepare a tty buffer structure
+ * @tty: tty to initialise
+ *
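Review bot: `queue_work(system_unbound_wq, &buf->work)` in tty_insert_flip_string_and_push_buffer() runs even when `size` is 0, while the removed pty_write() code pushed only when something had been inserted. `if (size) queue_work(system_unbound_wq, &buf->work);` would keep the old behaviour and avoid scheduling flush work for nothing. The kerneldoc phrase "with the exception of properly holding the @port->lock" also undersells the invariant the fix relies on: the insert and the commit of `buf->tail` must share one critical section so that a concurrent producer cannot get an inconsistent tail committed. I would state that in the kerneldoc and add a line above the call such as `/* queue_work() is deliberately outside port->lock, see 71a174b39f10 */`.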
+--- a/include/linux/tty_flip.h
++++ b/include/linux/tty_flip.h
+@@ -38,4 +38,7 @@ static inline int tty_insert_flip_string
+ extern void tty_buffer_lock_exclusive(struct tty_port *port);
+ extern void tty_buffer_unlock_exclusive(struct tty_port *port);
+
++int tty_insert_flip_string_and_push_buffer(struct tty_port *port,
++ const unsigned char *chars, size_t cnt);
++
+ #endif /* _LINUX_TTY_FLIP_H */
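Review bot: The prototype is added to include/linux/tty_flip.h although the commit description says the helper is to stay internal-only in the drivers' tty.h, so in this tree every includer of the public header sees it. No EXPORT_SYMBOL follows the definition in the tty_buffer.c hunk, which keeps modules from linking against it. A comment on the declaration such as `/* internal to drivers/tty (pty); takes port->lock itself, do not call with it held */` would still make the restriction visible. The last parameter is named `cnt` here but `size` in the definition and its kerneldoc; `size_t size` would keep them consistent.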