1. 14 Jan, 2016 1 commit
  2. 02 Dec, 2015 1 commit
    • wan/x25: Fix use-after-free in x25_asy_open_tty() · ee9159dd
      Peter Hurley committed
      The N_X25 line discipline may access the previous line discipline's closed
      and already-freed private data on open [1].
      
      The tty->disc_data field _never_ refers to valid data on entry to the
      line discipline's open() method. Rather, the ldisc is expected to
      initialize that field for its own use for the lifetime of the instance
      (ie. from open() to close() only).
      
      [1]
          [  634.336761] ==================================================================
          [  634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
          [  634.339558] Read of size 4 by task syzkaller_execu/8981
          [  634.340359] =============================================================================
          [  634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
          ...
          [  634.405018] Call Trace:
          [  634.405277] dump_stack (lib/dump_stack.c:52)
          [  634.405775] print_trailer (mm/slub.c:655)
          [  634.406361] object_err (mm/slub.c:662)
          [  634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
          [  634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
          [  634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
          [  634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
          [  634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
          [  634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
          [  634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
          [  634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
          [  634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)
      Reported-and-tested-by: Sasha Levin <sasha.levin@oracle.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 18 Jul, 2014 1 commit
  4. 16 Jul, 2014 1 commit
    • net: set name_assign_type in alloc_netdev() · c835a677
      Tom Gundersen committed
      Extend alloc_netdev{,_mq{,s}}() to take name_assign_type as argument, and convert
      all users to pass NET_NAME_UNKNOWN.
      
      Coccinelle patch:
      
      @@
      expression sizeof_priv, name, setup, txqs, rxqs, count;
      @@
      
      (
      -alloc_netdev_mqs(sizeof_priv, name, setup, txqs, rxqs)
      +alloc_netdev_mqs(sizeof_priv, name, NET_NAME_UNKNOWN, setup, txqs, rxqs)
      |
      -alloc_netdev_mq(sizeof_priv, name, setup, count)
      +alloc_netdev_mq(sizeof_priv, name, NET_NAME_UNKNOWN, setup, count)
      |
      -alloc_netdev(sizeof_priv, name, setup)
      +alloc_netdev(sizeof_priv, name, NET_NAME_UNKNOWN, setup)
      )
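
      Review bot: all three `+` lines of this semantic patch pass NET_NAME_UNKNOWN, so after the conversion no call site tells the core how its name was actually assigned; the message should state that per-driver values are left to follow-up patches. The rule also rewrites only direct calls of the three listed forms, so a call reached through a wrapper macro may keep the old argument list and stop building once the signature is extended; a line naming the build configurations run after applying the rule would close that gap.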
      
      v9: move comments here from the wrong commit
      Signed-off-by: Tom Gundersen <teg@jklm.no>
      Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  5. 05 Feb, 2013 1 commit
  6. 07 Jun, 2012 1 commit
  7. 29 Mar, 2012 1 commit
  8. 01 Feb, 2012 1 commit
  9. 17 Sep, 2011 1 commit
  10. 27 Jun, 2011 1 commit
  11. 04 Jun, 2011 1 commit
    • Revert "tty: make receive_buf() return the amout of bytes received" · 55db4c64
      Linus Torvalds committed
      This reverts commit b1c43f82.
      
      It was broken in so many ways, and results in random odd pty issues.
      
      It re-introduced the buggy schedule_work() in flush_to_ldisc() that can
      cause endless work-loops (see commit a5660b41: "tty: fix endless
      work loop when the buffer fills up").
      
      It also used an "unsigned int" return value for the ->receive_buf()
      function, but then made multiple functions return a negative error code,
      and didn't actually check for the error in the caller.
      
      And it didn't actually work at all.  BenH bisected down odd tty behavior
      to it:
        "It looks like the patch is causing some major malfunctions of the X
         server for me, possibly related to PTYs.  For example, cat'ing a
         large file in a gnome terminal hangs the kernel for -minutes- in a
         loop of what looks like flush_to_ldisc/workqueue code, (some ftrace
         data in the quoted bits further down).
      
         ...
      
         Some more data: It -looks- like what happens is that the
         flush_to_ldisc work queue entry constantly re-queues itself (because
         the PTY is full ?) and the workqueue thread will basically loop
         forever calling it without ever scheduling, thus starving the consumer
         process that could have emptied the PTY."
      
      which is pretty much exactly the problem we fixed in a5660b41.
      
      Milton Miller pointed out the 'unsigned int' issue.
      Reported-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Reported-by: Milton Miller <miltonm@bga.com>
      Cc: Stefan Bigler <stefan.bigler@keymile.com>
      Cc: Toby Gray <toby.gray@realvnc.com>
      Cc: Felipe Balbi <balbi@ti.com>
      Cc: Greg Kroah-Hartman <gregkh@suse.de>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  12. 23 Apr, 2011 1 commit
  13. 30 Nov, 2010 1 commit
  14. 29 Nov, 2010 1 commit
  15. 27 Sep, 2010 1 commit
  16. 05 Jun, 2010 1 commit
  17. 23 Apr, 2010 1 commit
  18. 30 Mar, 2010 1 commit
    • include cleanup: Update gfp.h and slab.h includes to prepare for breaking... · 5a0e3ad6
      Tejun Heo committed
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
      
      percpu.h is included by sched.h and module.h and thus ends up being
      included when building most .c files.  percpu.h includes slab.h which
      in turn includes gfp.h making everything defined by the two files
      universally available and complicating inclusion dependencies.
      
      percpu.h -> slab.h dependency is about to be removed.  Prepare for
      this change by updating users of gfp and slab facilities to include those
      headers directly instead of assuming availability.  As this conversion
      needs to touch large number of source files, the following script is
      used as the basis of conversion.
      
        http://userweb.kernel.org/~tj/misc/slabh-sweep.py
      
      The script does the following.
      
      * Scan files for gfp and slab usages and update includes such that
        only the necessary includes are there.  ie. if only gfp is used,
        gfp.h, if slab is used, slab.h.
      
      * When the script inserts a new include, it looks at the include
        blocks and tries to put the new include such that its order conforms
        to its surrounding.  It's put in the include block which contains
        core kernel includes, in the same order that the rest are ordered -
        alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
        doesn't seem to be any matching order.
      
      * If the script can't find a place to put a new include (mostly
        because the file doesn't have fitting include block), it prints out
        an error message indicating which .h file needs to be added to the
        file.
      
      The conversion was done in the following steps.
      
      1. The initial automatic conversion of all .c files updated slightly
         over 4000 files, deleting around 700 includes and adding ~480 gfp.h
         and ~3000 slab.h inclusions.  The script emitted errors for ~400
         files.
      
      2. Each error was manually checked.  Some didn't need the inclusion,
         some needed manual addition while adding it to implementation .h or
         embedding .c file was more appropriate for others.  This step added
         inclusions to around 150 files.
      
      3. The script was run again and the output was compared to the edits
         from #2 to make sure no file was left behind.
      
      4. Several build tests were done and a couple of problems were fixed.
         e.g. lib/decompress_*.c used malloc/free() wrappers around slab
         APIs requiring slab.h to be added manually.
      
      5. The script was run on all .h files but without automatically
         editing them as sprinkling gfp.h and slab.h inclusions around .h
         files could easily lead to inclusion dependency hell.  Most gfp.h
         inclusion directives were ignored as stuff from gfp.h was usually
         wildly available and often used in preprocessor macros.  Each
         slab.h inclusion directive was examined and added manually as
         necessary.
      
      6. percpu.h was updated not to include slab.h.
      
      7. Build tests were done on the following configurations and failures
         were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my
         distributed build env didn't work with gcov compiles) and a few
         more options had to be turned off depending on archs to make things
         build (like ipr on powerpc/64 which failed due to missing writeq).
      
         * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
         * powerpc and powerpc64 SMP allmodconfig
         * sparc and sparc64 SMP allmodconfig
         * ia64 SMP allmodconfig
         * s390 SMP allmodconfig
         * alpha SMP allmodconfig
         * um on x86_64 SMP allmodconfig
      
      8. percpu.h modifications were reverted so that it could be applied as
         a separate patch and serve as bisection point.
      
      Given the fact that I had only a couple of failures from tests on step
      6, I'm fairly confident about the coverage of this conversion patch.
      If there is a breakage, it's likely to be something in one of the arch
      headers which should be easily discoverable on most builds of
      the specific arch.
      Signed-off-by: Tejun Heo <tj@kernel.org>
      Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
  19. 04 Dec, 2009 1 commit
  20. 07 Nov, 2009 1 commit
    • net, compat_ioctl: handle socket ioctl abuses in tty drivers · 9646e7ce
      Arnd Bergmann committed
      Slip and a few other drivers use the same ioctl numbers on
      tty devices that are normally meant for sockets. This causes
      problems with our compat_ioctl handling that tries to convert
      the data structures in a different format.
      
      Fortunately, these five drivers all use 32 bit compatible
      data structures in the ioctl numbers, so we can just add
      a trivial compat_ioctl conversion function to each of them.
      
      SIOCSIFENCAP and SIOCGIFENCAP do not need to live in
      fs/compat_ioctl.c after this any more, and they are not
      used on any sockets.
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  21. 01 Sep, 2009 1 commit
  22. 06 Jul, 2009 1 commit
  23. 22 Mar, 2009 2 commits
  24. 26 Dec, 2008 1 commit
  25. 06 Dec, 2008 2 commits
  26. 13 Nov, 2008 1 commit
    • netdevice: safe convert to netdev_priv() #part-3 · 8f15ea42
      Wang Chen committed
      We have some reasons to kill netdev->priv:
      1. netdev->priv is equal to netdev_priv().
      2. netdev_priv() wraps the calculation of netdev->priv's offset, obviously
         netdev_priv() is more flexible than netdev->priv.
      But we can't kill netdev->priv, because so many drivers reference to it
      directly.
      
      This patch is a safe convert for netdev->priv to netdev_priv(netdev).
      Since all of the netdev->priv is only for read.
      But it is too big to be sent in one mail.
      I split it to 4 parts and make every part smaller than 100,000 bytes,
      which is max size allowed by vger.
      Signed-off-by: Wang Chen <wangchen@cn.fujitsu.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  27. 04 Nov, 2008 1 commit
  28. 21 Jul, 2008 1 commit
    • tty: Ldisc revamp · a352def2
      Alan Cox committed
      Move the line disciplines towards a conventional ->ops arrangement.  For
      the moment the actual 'tty_ldisc' struct in the tty is kept as part of
      the tty struct but this can then be changed if it turns out that when it
      all settles down we want to refcount ldiscs separately to the tty.
      
      Pull the ldisc code out of /proc and put it with our ldisc code.
      Signed-off-by: Alan Cox <alan@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  29. 27 Jun, 2008 1 commit
  30. 30 Apr, 2008 1 commit
    • tty: The big operations rework · f34d7a5b
      Alan Cox committed
      - Operations are now a shared const function block as with most other Linux
        objects
      
      - Introduce wrappers for some optional functions to get consistent behaviour
      
      - Wrap put_char which used to be patched by the tty layer
      
      - Document which functions are needed/optional
      
      - Make put_char report success/fail
      
      - Cache the driver->ops pointer in the tty as tty->ops
      
      - Remove various surplus lock calls we no longer need
      
      - Remove proc_write method as noted by Alexey Dobriyan
      
      - Introduce some missing sanity checks where certain driver/ldisc
        combinations would oops as they didn't check needed methods were present
      
      [akpm@linux-foundation.org: fix fs/compat_ioctl.c build]
      [akpm@linux-foundation.org: fix isicom]
      [akpm@linux-foundation.org: fix arch/ia64/hp/sim/simserial.c build]
      [akpm@linux-foundation.org: fix kgdb]
      Signed-off-by: Alan Cox <alan@redhat.com>
      Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
      Cc: Jason Wessel <jason.wessel@windriver.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  31. 10 Feb, 2008 1 commit
  32. 09 Feb, 2008 1 commit
  33. 07 Nov, 2007 1 commit
  34. 20 Jul, 2007 1 commit
  35. 14 Dec, 2006 1 commit
    • [PATCH] getting rid of all casts of k[cmz]alloc() calls · 5cbded58
      Robert P. J. Day committed
      Run this:
      
      	#!/bin/sh
      	for f in $(grep -Erl "\([^\)]*\) *k[cmz]alloc" *) ; do
      	  echo "De-casting $f..."
      	  perl -pi -e "s/ ?= ?\([^\)]*\) *(k[cmz]alloc) *\(/ = \1\(/" $f
      	done
      
      And then go through and reinstate those cases where code is casting pointers
      to non-pointers.
      
      And then drop a few hunks which conflicted with outstanding work.
      
      Cc: Russell King <rmk@arm.linux.org.uk>, Ian Molton <spyro@f2s.com>
      Cc: Mikael Starvik <starvik@axis.com>
      Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
      Cc: Roman Zippel <zippel@linux-m68k.org>
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Kyle McMartin <kyle@mcmartin.ca>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Jeff Dike <jdike@addtoit.com>
      Cc: Greg KH <greg@kroah.com>
      Cc: Jens Axboe <jens.axboe@oracle.com>
      Cc: Paul Fulghum <paulkf@microgate.com>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: Karsten Keil <kkeil@suse.de>
      Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
      Cc: Jeff Garzik <jeff@garzik.org>
      Cc: James Bottomley <James.Bottomley@steeleye.com>
      Cc: Ian Kent <raven@themaw.net>
      Cc: Steven French <sfrench@us.ibm.com>
      Cc: David Woodhouse <dwmw2@infradead.org>
      Cc: Neil Brown <neilb@cse.unsw.edu.au>
      Cc: Jaroslav Kysela <perex@suse.cz>
      Cc: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  36. 11 Jan, 2006 1 commit
    • [PATCH] TTY layer buffering revamp · 33f0f88f
      Alan Cox committed
      The API and code have been through various bits of initial review by
      serial driver people but they definitely need to live somewhere for a
      while so the unconverted drivers can get knocked into shape, existing
      drivers that have been updated can be better tuned and bugs whacked out.
      
      This replaces the tty flip buffers with kmalloc objects in rings. In the
      normal situation for an IRQ driven serial port at typical speeds the
      behaviour is pretty much the same, two buffers end up allocated and the
      kernel cycles between them as before.
      
      When there are delays or at high speed we now behave far better as the
      buffer pool can grow a bit rather than lose characters. This also means
      that we can operate at higher speeds reliably.
      
      For drivers that receive characters in blocks (DMA based, USB and
      especially virtualisation) the layer allows a lot of driver specific
      code that works around the tty layer with private secondary queues to be
      removed. The IBM folks need this sort of layer, the smart serial port
      people do, the virtualisers do (because a virtualised tty typically
      operates at infinite speed rather than emulating 9600 baud).
      
      Finally many drivers had invalid and unsafe attempts to avoid buffer
      overflows by directly invoking tty methods extracted out of the innards
      of work queue structs. These are no longer needed and all go away. That
      fixes various random hangs with serial ports on overflow.
      
      The other change in here is to optimise the receive_room path that is
      used by some callers. It turns out that only one ldisc uses receive room
      except as a constant and it updates it far far less than the value is
      read. We thus make it a variable not a function call.
      
      I expect the code to contain bugs due to the size alone but I'll be
      watching and squashing them and feeding out new patches as it goes.
      
      Because the buffers now dynamically expand you should only run out of
      buffering when the kernel runs out of memory for real.  That means a lot of
      the horrible hacks high performance drivers used to do just aren't needed any
      more.
      
      Description:
      
      tty_insert_flip_char is an old API and continues to work as before, as does
      tty_flip_buffer_push() [this is why many drivers don't need modification].  It
      does now also return the number of chars inserted
      
      There are also
      
      tty_buffer_request_room(tty, len)
      
      which asks for a buffer block of the length requested and returns the space
      found.  This improves efficiency with hardware that knows how much to
      transfer.
      
      and tty_insert_flip_string_flags(tty, str, flags, len)
      
      to insert a string of characters and flags
      
      For a smart interface the usual code is
      
          len = tty_buffer_request_room(tty, amount_hardware_says);
          tty_insert_flip_string(tty, buffer_from_card, len);
      
      More description!
      
      At the moment tty buffers are attached directly to the tty.  This is causing a
      lot of the problems related to tty layer locking, also problems at high speed
      and also with bursty data (such as occurs in virtualised environments)
      
      I'm working on ripping out the flip buffers and replacing them with a pool of
      dynamically allocated buffers.  This allows both for old style "byte I/O"
      devices and also helps virtualisation and smart devices where large blocks of
      data suddenly materialise and need storing.
      
      So far so good.  Lots of drivers reference tty->flip.*.  Several of them also
      call directly and unsafely into function pointers it provides.  This will all
      break.  Most drivers can use tty_insert_flip_char which can be kept as an API
      but others need more.
      
      At the moment I've added the following interfaces, if people think more will
      be needed now is a good time to say
      
       int tty_buffer_request_room(tty, size)
      
      Try and ensure at least size bytes are available, returns actual room (may be
      zero).  At the moment it just uses the flipbuf space but that will change.
      Repeated calls without characters being added are not cumulative.  (ie if you
      call it with 1, 1, 1, and then 4 you'll have four characters of space.)  The
      other functions will also try and grow buffers in future but this will be a
      more efficient way when you know block sizes.
      
       int tty_insert_flip_char(tty, ch, flag)
      
      As before insert a character if there is room.  Now returns 1 for success, 0
      for failure.
      
       int tty_insert_flip_string(tty, str, len)
      
      Insert a block of non error characters.  Returns the number inserted.
      
       int tty_prepare_flip_string(tty, strptr, len)
      
      Adjust the buffer to allow len characters to be added.  Returns a buffer
      pointer in strptr and the length available.  This allows for hardware that
      needs to use functions like insl or memcpy_fromio.
      Signed-off-by: Alan Cox <alan@redhat.com>
      Cc: Paul Fulghum <paulkf@microgate.com>
      Signed-off-by: Hirokazu Takata <takata@linux-m32r.org>
      Signed-off-by: Serge Hallyn <serue@us.ibm.com>
      Signed-off-by: Jeff Dike <jdike@addtoit.com>
      Signed-off-by: John Hawkes <hawkes@sgi.com>
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: Adrian Bunk <bunk@stusta.de>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  37. 24 Jun, 2005 1 commit
  38. 04 May, 2005 1 commit