From: Greg Kroah-Hartman Date: Tue, 6 May 2014 16:19:34 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.14.4~22 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=578c2caeba74bdf6dba19f4915ce5ec1fb5cc6a8;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: drivers-tty-hvc-don-t-free-hvc_console_setup-after-init.patch n_tty-fix-n_tty_write-crash-when-echoing-in-raw-mode.patch tty-fix-lockless-tty-buffer-race.patch tty-serial-8250_core.c-bug-fix-for-exar-chips.patch
---
diff --git a/queue-3.14/drivers-tty-hvc-don-t-free-hvc_console_setup-after-init.patch b/queue-3.14/drivers-tty-hvc-don-t-free-hvc_console_setup-after-init.patch
new file mode 100644
index 00000000000..26bbe4b84b2
--- /dev/null
+++ b/queue-3.14/drivers-tty-hvc-don-t-free-hvc_console_setup-after-init.patch
@@ -0,0 +1,33 @@
+From 501fed45b7e8836ee9373f4d31e2d85e3db6103a Mon Sep 17 00:00:00 2001
+From: Tomoki Sekiyama
+Date: Fri, 2 May 2014 18:58:24 -0400
+Subject: drivers/tty/hvc: don't free hvc_console_setup after init
+
+From: Tomoki Sekiyama
+
+commit 501fed45b7e8836ee9373f4d31e2d85e3db6103a upstream.
+
+When 'console=hvc0' is specified to the kernel parameter in x86 KVM guest,
+hvc console is setup within a kthread. However, that will cause SEGV
+and the boot will fail when the driver is builtin to the kernel,
+because currently hvc_console_setup() is annotated with '__init'. This
+patch removes '__init' to boot the guest successfully with 'console=hvc0'.
+
+Signed-off-by: Tomoki Sekiyama
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/hvc/hvc_console.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/hvc/hvc_console.c
++++ b/drivers/tty/hvc/hvc_console.c
+@@ -190,7 +190,7 @@ static struct tty_driver *hvc_console_de
+ return hvc_driver;
+ }
+
+-static int __init hvc_console_setup(struct console *co, char *options)
++static int hvc_console_setup(struct console *co, char *options)
+ {
+ if (co->index < 0 || co->index >= MAX_NR_HVC_CONSOLES)
+ return -ENODEV;
diff --git a/queue-3.14/n_tty-fix-n_tty_write-crash-when-echoing-in-raw-mode.patch b/queue-3.14/n_tty-fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
new file mode 100644
index 00000000000..76ea5b40044
--- /dev/null
+++ b/queue-3.14/n_tty-fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
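Review bot: The de-annotated `hvc_console_setup()` carries no comment explaining why it must stay out of the init section, so a later cleanup could reinstate `__init` and bring back the boot crash the commit message describes. I would add above the definition: `/* Not __init: with console=hvc0 the console is set up from a kthread, after init memory has been freed. */`. The function body continues past the end of the hunk.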
@@ -0,0 +1,82 @@
+From 4291086b1f081b869c6d79e5b7441633dc3ace00 Mon Sep 17 00:00:00 2001
+From: Peter Hurley
+Date: Sat, 3 May 2014 14:04:59 +0200
+Subject: n_tty: Fix n_tty_write crash when echoing in raw mode
+
+From: Peter Hurley
+
+commit 4291086b1f081b869c6d79e5b7441633dc3ace00 upstream.
+
+The tty atomic_write_lock does not provide an exclusion guarantee for
+the tty driver if the termios settings are LECHO & !OPOST. And since
+it is unexpected and not allowed to call TTY buffer helpers like
+tty_insert_flip_string concurrently, this may lead to crashes when
+concurrect writers call pty_write. In that case the following two
+writers:
+* the ECHOing from a workqueue and
+* pty_write from the process
+race and can overflow the corresponding TTY buffer like follows.
+
+If we look into tty_insert_flip_string_fixed_flag, there is:
+ int space = __tty_buffer_request_room(port, goal, flags);
+ struct tty_buffer *tb = port->buf.tail;
+ ...
+ memcpy(char_buf_ptr(tb, tb->used), chars, space);
+ ...
+ tb->used += space;
+
+so the race of the two can result in something like this:
+ A B
+__tty_buffer_request_room
+ __tty_buffer_request_room
+memcpy(buf(tb->used), ...)
+tb->used += space;
+ memcpy(buf(tb->used), ...) ->BOOM
+
+B's memcpy is past the tty_buffer due to the previous A's tb->used
+increment.
+
+Since the N_TTY line discipline input processing can output
+concurrently with a tty write, obtain the N_TTY ldisc output_lock to
+serialize echo output with normal tty writes. This ensures the tty
+buffer helper tty_insert_flip_string is not called concurrently and
+everything is fine.
+
+Note that this is nicely reproducible by an ordinary user using
+forkpty and some setup around that (raw termios + ECHO). And it is
+present in kernels at least after commit
+d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to
+use the normal buffering logic) in 2.6.31-rc3.
+
+js: add more info to the commit log
+js: switch to bool
+js: lock unconditionally
+js: lock only the tty->ops->write call
+
+References: CVE-2014-0196
+Reported-and-tested-by: Jiri Slaby
+Signed-off-by: Peter Hurley
+Signed-off-by: Jiri Slaby
+Cc: Linus Torvalds
+Cc: Alan Cox
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/n_tty.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/tty/n_tty.c
++++ b/drivers/tty/n_tty.c
+@@ -2356,8 +2356,12 @@ static ssize_t n_tty_write(struct tty_st
+ if (tty->ops->flush_chars)
+ tty->ops->flush_chars(tty);
+ } else {
++ struct n_tty_data *ldata = tty->disc_data;
++
+ while (nr > 0) {
++ mutex_lock(&ldata->output_lock);
+ c = tty->ops->write(tty, b, nr);
++ mutex_unlock(&ldata->output_lock);
+ if (c < 0) {
+ retval = c;
+ goto break_out;
diff --git a/queue-3.14/tty-fix-lockless-tty-buffer-race.patch b/queue-3.14/tty-fix-lockless-tty-buffer-race.patch
new file mode 100644
index 00000000000..3ef2b910e9d
--- /dev/null
+++ b/queue-3.14/tty-fix-lockless-tty-buffer-race.patch
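Review bot: The new `mutex_lock(&ldata->output_lock)` around `tty->ops->write()` in the raw (`!OPOST`) branch of `n_tty_write()` has no comment saying what it serializes against, so the connection to the echo path described in the commit message is invisible at the call site and a future refactor could narrow or drop the lock without noticing. I would add above the lock: `/* Serialize with echo output (CVE-2014-0196): the N_TTY echo path writes to the same driver concurrently, and tty buffer helpers must not run in parallel */`. The mutex is released before `c` is inspected, so the `goto break_out` path does not leave it held. The enclosing `n_tty_write()` starts and ends outside the hunk.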
@@ -0,0 +1,85 @@
+From 62a0d8d7c2b29f92850e4ee3c38e5dfd936e92b2 Mon Sep 17 00:00:00 2001
+From: Peter Hurley
+Date: Fri, 2 May 2014 10:56:12 -0400
+Subject: tty: Fix lockless tty buffer race
+
+From: Peter Hurley
+
+commit 62a0d8d7c2b29f92850e4ee3c38e5dfd936e92b2 upstream.
+
+Commit 6a20dbd6caa2358716136144bf524331d70b1e03,
+"tty: Fix race condition between __tty_buffer_request_room and flush_to_ldisc"
+correctly identifies an unsafe race condition between
+__tty_buffer_request_room() and flush_to_ldisc(), where the consumer
+flush_to_ldisc() prematurely advances the head before consuming the
+last of the data committed. For example:
+
+ CPU 0 | CPU 1
+__tty_buffer_request_room | flush_to_ldisc
+ ... | ...
+ | count = head->commit - head->read
+ n = tty_buffer_alloc() |
+ b->commit = b->used |
+ b->next = n |
+ | if (!count) /* T */
+ | if (head->next == NULL) /* F */
+ | buf->head = head->next
+
+In this case, buf->head has been advanced but head->commit may have
+been updated with a new value.
+
+Instead of reintroducing an unnecessary lock, fix the race locklessly.
+Read the commit-next pair in the reverse order of writing, which guarantees
+the commit value read is the latest value written if the head is
+advancing.
+
+Reported-by: Manfred Schlaegl
+Signed-off-by: Peter Hurley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/tty_buffer.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/tty_buffer.c
++++ b/drivers/tty/tty_buffer.c
+@@ -258,7 +258,11 @@ static int __tty_buffer_request_room(str
+ n->flags = flags;
+ buf->tail = n;
+ b->commit = b->used;
+- smp_mb();
++ /* paired w/ barrier in flush_to_ldisc(); ensures the
++ * latest commit value can be read before the head is
++ * advanced to the next buffer
++ */
++ smp_wmb();
+ b->next = n;
+ } else if (change)
+ size = 0;
+@@ -444,17 +448,24 @@ static void flush_to_ldisc(struct work_s
+
+ while (1) {
+ struct tty_buffer *head = buf->head;
++ struct tty_buffer *next;
+ int count;
+
+ /* Ldisc or user is trying to gain exclusive access */
+ if (atomic_read(&buf->priority))
+ break;
+
++ next = head->next;
++ /* paired w/ barrier in __tty_buffer_request_room();
++ * ensures commit value read is not stale if the head
++ * is advancing to the next buffer
++ */
++ smp_rmb();
+ count = head->commit - head->read;
+ if (!count) {
+- if (head->next == NULL)
++ if (next == NULL)
+ break;
+- buf->head = head->next;
++ buf->head = next;
+ tty_buffer_free(port, head);
+ continue;
+ }
diff --git a/queue-3.14/tty-serial-8250_core.c-bug-fix-for-exar-chips.patch b/queue-3.14/tty-serial-8250_core.c-bug-fix-for-exar-chips.patch
new file mode 100644
index 00000000000..19538368b09
--- /dev/null
+++ b/queue-3.14/tty-serial-8250_core.c-bug-fix-for-exar-chips.patch
@@ -0,0 +1,35 @@
+From b790f210fe8423eff881b2a8a93ba5dbc45534d0 Mon Sep 17 00:00:00 2001
+From: Michael Welling
+Date: Fri, 25 Apr 2014 19:27:48 -0500
+Subject: tty: serial: 8250_core.c Bug fix for Exar chips.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michael Welling
+
+commit b790f210fe8423eff881b2a8a93ba5dbc45534d0 upstream.
+
+The sleep function was updated to put the serial port to sleep only when necessary.
+This appears to resolve the errant behavior of the driver as described in
+Kernel Bug 61961 – "My Exar Corp. XR17C/D152 Dual PCI UART modem does not
+work with 3.8.0".
+
+Signed-off-by: Michael Welling
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/8250/8250_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/8250/8250_core.c
++++ b/drivers/tty/serial/8250/8250_core.c
+@@ -555,7 +555,7 @@ static void serial8250_set_sleep(struct
+ */
+ if ((p->port.type == PORT_XR17V35X) ||
+ (p->port.type == PORT_XR17D15X)) {
+- serial_out(p, UART_EXAR_SLEEP, 0xff);
++ serial_out(p, UART_EXAR_SLEEP, sleep ? 0xff : 0);
+ return;
+ }
+
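Review bot: `serial_out(p, UART_EXAR_SLEEP, sleep ? 0xff : 0)` leaves both register values as bare magic numbers in `serial8250_set_sleep()`; the reader has to infer from the commit message that 0xff puts the Exar UART to sleep and 0 wakes it. I would at least annotate the line, `/* Exar sleep register: 0xff sleeps the UART, 0 wakes it */`, or give the two values named constants next to the existing `UART_EXAR_SLEEP` definition. The enclosing function begins outside the hunk, so whether `sleep` is already a bool at this point cannot be seen here.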