--- /dev/null
+From 27cfb3a53be46a54ec5e0bd04e51995b74c90343 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Sun, 20 Jan 2019 10:46:58 +0100
+Subject: tty: Handle problem if line discipline does not have receive_buf
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 27cfb3a53be46a54ec5e0bd04e51995b74c90343 upstream.
+
+Some tty line disciplines do not have a receive buf callback, so
+properly check for that before calling it. If they do not have this
+callback, just eat the character quietly, as we can't fail this call.
+
+Reported-by: Jann Horn <jannh@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/tty_io.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -2324,7 +2324,8 @@ static int tiocsti(struct tty_struct *tt
+ ld = tty_ldisc_ref_wait(tty);
+ if (!ld)
+ return -EIO;
+- ld->ops->receive_buf(tty, &ch, &mbz, 1);
++ if (ld->ops->receive_buf)
++ ld->ops->receive_buf(tty, &ch, &mbz, 1);
+ tty_ldisc_deref(ld);
+ return 0;
+ }
--- /dev/null
+From fc01d8c61ce02c034e67378cd3e645734bc18c8c Mon Sep 17 00:00:00 2001
+From: Paul Fulghum <paulkf@microgate.com>
+Date: Tue, 1 Jan 2019 12:28:53 -0800
+Subject: tty/n_hdlc: fix __might_sleep warning
+
+From: Paul Fulghum <paulkf@microgate.com>
+
+commit fc01d8c61ce02c034e67378cd3e645734bc18c8c upstream.
+
+Fix __might_sleep warning[1] in tty/n_hdlc.c read due to copy_to_user
+call while current is TASK_INTERRUPTIBLE. This is a false positive
+since the code path does not depend on current state remaining
+TASK_INTERRUPTIBLE. The loop breaks out and sets TASK_RUNNING after
+calling copy_to_user.
+
+This patch supresses the warning by setting TASK_RUNNING before calling
+copy_to_user.
+
+[1] https://syzkaller.appspot.com/bug?id=17d5de7f1fcab794cb8c40032f893f52de899324
+
+Signed-off-by: Paul Fulghum <paulkf@microgate.com>
+Reported-by: syzbot <syzbot+c244af085a0159d22879@syzkaller.appspotmail.com>
+Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/n_hdlc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/n_hdlc.c
++++ b/drivers/tty/n_hdlc.c
+@@ -598,6 +598,7 @@ static ssize_t n_hdlc_tty_read(struct tt
+ /* too large for caller's buffer */
+ ret = -EOVERFLOW;
+ } else {
++ __set_current_state(TASK_RUNNING);
+ if (copy_to_user(buf, rbuf->buf, rbuf->count))
+ ret = -EFAULT;
+ else
--- /dev/null
+From aff9cf5955185d1f183227e46c5f8673fa483813 Mon Sep 17 00:00:00 2001
+From: Samir Virmani <samir@embedur.com>
+Date: Wed, 16 Jan 2019 10:28:07 -0800
+Subject: uart: Fix crash in uart_write and uart_put_char
+
+From: Samir Virmani <samir@embedur.com>
+
+commit aff9cf5955185d1f183227e46c5f8673fa483813 upstream.
+
+We were experiencing a crash similar to the one reported as part of
+commit:a5ba1d95e46e ("uart: fix race between uart_put_char() and
+uart_shutdown()") in our testbed as well. We continue to observe the same
+crash after integrating the commit a5ba1d95e46e ("uart: fix race between
+uart_put_char() and uart_shutdown()")
+
+On reviewing the change, the port lock should be taken prior to checking for
+if (!circ->buf) in fn. __uart_put_char and other fns. that update the buffer
+uart_state->xmit.
+
+Traceback:
+
+[11/27/2018 06:24:32.4870] Unable to handle kernel NULL pointer dereference
+ at virtual address 0000003b
+
+[11/27/2018 06:24:32.4950] PC is at memcpy+0x48/0x180
+[11/27/2018 06:24:32.4950] LR is at uart_write+0x74/0x120
+[11/27/2018 06:24:32.4950] pc : [<ffffffc0002e6808>]
+ lr : [<ffffffc0003747cc>] pstate: 000001c5
+[11/27/2018 06:24:32.4950] sp : ffffffc076433d30
+[11/27/2018 06:24:32.4950] x29: ffffffc076433d30 x28: 0000000000000140
+[11/27/2018 06:24:32.4950] x27: ffffffc0009b9d5e x26: ffffffc07ce36580
+[11/27/2018 06:24:32.4950] x25: 0000000000000000 x24: 0000000000000140
+[11/27/2018 06:24:32.4950] x23: ffffffc000891200 x22: ffffffc01fc34000
+[11/27/2018 06:24:32.4950] x21: 0000000000000fff x20: 0000000000000076
+[11/27/2018 06:24:32.4950] x19: 0000000000000076 x18: 0000000000000000
+[11/27/2018 06:24:32.4950] x17: 000000000047cf08 x16: ffffffc000099e68
+[11/27/2018 06:24:32.4950] x15: 0000000000000018 x14: 776d726966205948
+[11/27/2018 06:24:32.4950] x13: 50203a6c6974755f x12: 74647075205d3333
+[11/27/2018 06:24:32.4950] x11: 3a35323a36203831 x10: 30322f37322f3131
+[11/27/2018 06:24:32.4950] x9 : 5b205d303638342e x8 : 746164206f742070
+[11/27/2018 06:24:32.4950] x7 : 7520736920657261 x6 : 000000000000003b
+[11/27/2018 06:24:32.4950] x5 : 000000000000817a x4 : 0000000000000008
+[11/27/2018 06:24:32.4950] x3 : 2f37322f31312a5b x2 : 000000000000006e
+[11/27/2018 06:24:32.4950] x1 : ffffffc0009b9cf0 x0 : 000000000000003b
+
+[11/27/2018 06:24:32.4950] CPU2: stopping
+[11/27/2018 06:24:32.4950] CPU: 2 PID: 0 Comm: swapper/2 Tainted: P D O 4.1.51 #3
+[11/27/2018 06:24:32.4950] Hardware name: Broadcom-v8A (DT)
+[11/27/2018 06:24:32.4950] Call trace:
+[11/27/2018 06:24:32.4950] [<ffffffc0000883b8>] dump_backtrace+0x0/0x150
+[11/27/2018 06:24:32.4950] [<ffffffc00008851c>] show_stack+0x14/0x20
+[11/27/2018 06:24:32.4950] [<ffffffc0005ee810>] dump_stack+0x90/0xb0
+[11/27/2018 06:24:32.4950] [<ffffffc00008e844>] handle_IPI+0x18c/0x1a0
+[11/27/2018 06:24:32.4950] [<ffffffc000080c68>] gic_handle_irq+0x88/0x90
+
+Fixes: a5ba1d95e46e ("uart: fix race between uart_put_char() and uart_shutdown()")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Samir Virmani <samir@embedur.com>
+Acked-by: Tycho Andersen <tycho@tycho.ws>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/serial_core.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -540,10 +540,12 @@ static int uart_put_char(struct tty_stru
+ int ret = 0;
+
+ circ = &state->xmit;
+- if (!circ->buf)
++ port = uart_port_lock(state, flags);
++ if (!circ->buf) {
++ uart_port_unlock(port, flags);
+ return 0;
++ }
+
+- port = uart_port_lock(state, flags);
+ if (port && uart_circ_chars_free(circ) != 0) {
+ circ->buf[circ->head] = c;
+ circ->head = (circ->head + 1) & (UART_XMIT_SIZE - 1);
+@@ -576,11 +578,13 @@ static int uart_write(struct tty_struct
+ return -EL3HLT;
+ }
+
++ port = uart_port_lock(state, flags);
+ circ = &state->xmit;
+- if (!circ->buf)
++ if (!circ->buf) {
++ uart_port_unlock(port, flags);
+ return 0;
++ }
+
+- port = uart_port_lock(state, flags);
+ while (port) {
+ c = CIRC_SPACE_TO_END(circ->head, circ->tail, UART_XMIT_SIZE);
+ if (count < c)
projects / thirdparty / kernel / stable-queue.git / commitdiff
