If a user provides a buffer larger than a tty->write_buf chunk and
passes '\r' at the end of the buffer, we touch an out-of-bound memory.

Add a check there to prevent this.
Signed-off-by: NJiri Slaby <jslaby@suse.cz>
Cc: stable@vger.kernel.org (everything maintained past v2.6.37)
Cc: Samo Pogacnik <samo_pogacnik@t-2.net>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

When the tty_printk driver fails to create a node in sysfs, the system
crashes. It is because the driver registers a tty driver and frees it
without deregistering it first. The fix is easy: add a call to
tty_unregister_driver to the fail path.

This is very unlikely to happen in usual environment => no need for
stable.

The crash occurs at some place where we iterate over tty drivers
first. It may look like this:
BUG: unable to handle kernel paging request at ffffffffffffff84
IP: [<ffffffff81278d56>] tty_open+0xd6/0x650
PGD 1a0d067 PUD 1a0e067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in:
CPU 0
Pid: 1183, comm: boot.localnet Tainted: G        W    3.5.0-rc7-next-20120716+ #369 Bochs Bochs
RIP: 0010:[<ffffffff81278d56>]  [<ffffffff81278d56>] tty_open+0xd6/0x650
RSP: 0018:ffff8800162b3b98  EFLAGS: 00010207
RAX: 0000000000000000 RBX: ffff880016ba6200 RCX: 0000000000002208
RDX: 0000000000000000 RSI: 00000000000000d0 RDI: ffffffff81a35080
RBP: ffff8800162b3c08 R08: ffffffff81276f42 R09: 0000000000400040
R10: ffff8800161dc005 R11: ffff8800188ee048 R12: 0000000000000000
R13: ffffffffffffff58 R14: 0000000000400040 R15: 0000000000008000
FS:  00007f3684abd700(0000) GS:ffff880018e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffff84 CR3: 000000001503e000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process boot.localnet (pid: 1183, threadinfo ffff8800162b2000, task ffff8800188c5880)
Stack:
 ffff8800162b3c08 ffffffff81363d63 ffffffff81a62940 ffff8800189b4e88
 ffff8800188c5880 ffffffff81123180 0000000000000000 ffffffff18b20600
 0000000000000000 ffff8800189b4e88 ffff880016ba6200 ffff880018b20600
Call Trace:
 [<ffffffff81363d63>] ? kobj_lookup+0x103/0x160
 [<ffffffff81123180>] ? mount_fs+0x110/0x110
 [<ffffffff81123a9c>] chrdev_open+0x9c/0x1a0
 [<ffffffff81123a00>] ? cdev_put+0x30/0x30
 [<ffffffff8111de76>] do_dentry_open.isra.19+0x1e6/0x270
 [<ffffffff8111df65>] finish_open+0x65/0xa0
 [<ffffffff8112dc9e>] do_last.isra.52+0x26e/0xd80
 [<ffffffff8112b163>] ? inode_permission+0x13/0x50
 [<ffffffff8112b203>] ? link_path_walk+0x63/0x940
 [<ffffffff8112e85b>] path_openat+0xab/0x3d0
 [<ffffffff8112ef5d>] do_filp_open+0x3d/0xa0
 [<ffffffff8113ba72>] ? alloc_fd+0xd2/0x120
 [<ffffffff8111eee3>] do_sys_open+0xf3/0x1d0
 [<ffffffff8111efdc>] sys_open+0x1c/0x20
 [<ffffffff815b5fe2>] system_call_fastpath+0x16/0x1b
Signed-off-by: NJiri Slaby <jslaby@suse.cz>
Cc: Samo Pogacnik <samo_pogacnik@t-2.net>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

All num, magic and owner are set by alloc_tty_driver. No need to
re-set them on each allocation site.

pti driver sets something different to what it passes to
alloc_tty_driver. It is not a bug, since we don't use the lines
parameter in any way. Anyway this is fixed, and now we do the right
thing.
Signed-off-by: NJiri Slaby <jslaby@suse.cz>
Acked-by: NTilman Schmidt <tilman@imap.cc>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: NRichard Weinberger <richard@nod.at>

They will need it called out explicitly in the near future due
to a module.h usage cleanup that removes its implicit presence
everywhere.
Signed-off-by: NPaul Gortmaker <paul.gortmaker@windriver.com>

Only oddities here are a couple of drivers that bogusly called the ldisc
helpers instead of returning -ENOIOCTLCMD. Fix the bug and the rest goes
away.
Signed-off-by: NAlan Cox <alan@linux.intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Ttyprintk is a pseudo TTY driver, which allows users to make printk
messages, via output to ttyprintk device. It is possible to store
"console" messages inline with kernel messages for better analyses of
the boot process, for example.
Signed-off-by: NSamo Pogacnik <samo_pogacnik@t-2.net>
Acked-by: NAlan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>