From 8bcec4c911eab899858bf1b00e37bbbaceb1a88d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 23 Nov 2020 09:16:06 +0100
Subject: [PATCH] 4.19-stable patches added patches: speakup-do-not-let-the-line-discipline-be-used-several-times.patch
---
 queue-4.19/series | 1 +
 ...ine-discipline-be-used-several-times.patch | 76 +++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 queue-4.19/speakup-do-not-let-the-line-discipline-be-used-several-times.patch
diff --git a/queue-4.19/series b/queue-4.19/series
index e5448e84e47..aa67eab201b 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -63,3 +63,4 @@ fail_function-remove-a-redundant-mutex-unlock.patch
 xfs-revert-xfs-fix-rmap-key-and-record-comparison-fu.patch
 efi-x86-free-efi_pgd-with-free_pages.patch
 libfs-fix-error-cast-of-negative-value-in-simple_att.patch
+speakup-do-not-let-the-line-discipline-be-used-several-times.patch
diff --git a/queue-4.19/speakup-do-not-let-the-line-discipline-be-used-several-times.patch b/queue-4.19/speakup-do-not-let-the-line-discipline-be-used-several-times.patch
new file mode 100644
index 00000000000..86050ad6c69
--- /dev/null
+++ b/queue-4.19/speakup-do-not-let-the-line-discipline-be-used-several-times.patch
@@ -0,0 +1,76 @@
+From d4122754442799187d5d537a9c039a49a67e57f1 Mon Sep 17 00:00:00 2001
+From: Samuel Thibault
+Date: Tue, 10 Nov 2020 19:35:41 +0100
+Subject: speakup: Do not let the line discipline be used several times
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Samuel Thibault
+
+commit d4122754442799187d5d537a9c039a49a67e57f1 upstream.
+
+Speakup has only one speakup_tty variable to store the tty it is managing. This
+makes sense since its codebase currently assumes that there is only one user who
+controls the screen reading.
+
+That however means that we have to forbid using the line discipline several
+times, otherwise the second closure would try to free a NULL ldisc_data, leading to
+
+general protection fault: 0000 [#1] SMP KASAN PTI
+RIP: 0010:spk_ttyio_ldisc_close+0x2c/0x60
+Call Trace:
+ tty_ldisc_release+0xa2/0x340
+ tty_release_struct+0x17/0xd0
+ tty_release+0x9d9/0xcc0
+ __fput+0x231/0x740
+ task_work_run+0x12c/0x1a0
+ do_exit+0x9b5/0x2230
+ ? release_task+0x1240/0x1240
+ ? __do_page_fault+0x562/0xa30
+ do_group_exit+0xd5/0x2a0
+ __x64_sys_exit_group+0x35/0x40
+ do_syscall_64+0x89/0x2b0
+ ? page_fault+0x8/0x30
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Cc: stable@vger.kernel.org
+Reported-by: 秦世松
+Signed-off-by: Samuel Thibault
+Tested-by: Shisong Qin
+Link: https://lore.kernel.org/r/20201110183541.fzgnlwhjpgqzjeth@function
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/speakup/spk_ttyio.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/speakup/spk_ttyio.c
++++ b/drivers/staging/speakup/spk_ttyio.c
+@@ -49,15 +49,25 @@ static int spk_ttyio_ldisc_open(struct t
+
+ if (tty->ops->write == NULL)
+ return -EOPNOTSUPP;
++
++ mutex_lock(&speakup_tty_mutex);
++ if (speakup_tty) {
++ mutex_unlock(&speakup_tty_mutex);
++ return -EBUSY;
++ }
+ speakup_tty = tty;
+
+ ldisc_data = kmalloc(sizeof(struct spk_ldisc_data), GFP_KERNEL);
+- if (!ldisc_data)
++ if (!ldisc_data) {
++ speakup_tty = NULL;
++ mutex_unlock(&speakup_tty_mutex);
+ return -ENOMEM;
++ }
+
+ sema_init(&ldisc_data->sem, 0);
+ ldisc_data->buf_free = true;
+ speakup_tty->disc_data = ldisc_data;
++ mutex_unlock(&speakup_tty_mutex);
+
+ return 0;
+ }
--
2.47.3
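Review bot: The `if (speakup_tty)` guard added to spk_ttyio_ldisc_open makes the single slot first-come-first-served without checking which tty is asking: the first tty to reach this function is stored in `speakup_tty`, and every later open returns `-EBUSY`. If this line discipline can be selected on an arbitrary tty from user space (not visible in this hunk), an unrelated process could hold the slot and keep the screen reader from attaching, so the open path should accept only the tty that speakup's own initialisation code is attaching and reject any other. The guard also relies on the close handler, which is outside this hunk, clearing `speakup_tty` under `speakup_tty_mutex`; a comment above the guard such as `/* one owner at a time: claimed here, released in ldisc close, both under speakup_tty_mutex */` would record that. The start of spk_ttyio_ldisc_open is outside the hunk.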