1. 30 4月, 2008 2 次提交
  2. 29 4月, 2008 1 次提交
  3. 28 4月, 2008 1 次提交
    • M
      [patch 1/2] audit: let userspace fully control TTY input auditing · 41126226
      Miloslav Trmac 提交于
      Remove the code that automatically disables TTY input auditing in processes
      that open TTYs when they have no other TTY open; this heuristic was
      intended to automatically handle daemons, but it has false positives (e.g.
      with sshd) that make it impossible to control TTY input auditing from a PAM
      module.  With this patch, TTY input auditing is controlled from user-space
      only.
      
      On the other hand, not even for daemons does it make sense to audit "input"
      from PTY masters; this data was produced by a program writing to the PTY
      slave, and does not represent data entered by the user.
      Signed-off-by: NMiloslav Trmac <mitr@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: David Woodhouse <dwmw2@infradead.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      41126226
  4. 18 4月, 2008 1 次提交
  5. 09 2月, 2008 1 次提交
  6. 07 2月, 2008 3 次提交
  7. 20 10月, 2007 4 次提交
  8. 24 8月, 2007 1 次提交
  9. 12 8月, 2007 1 次提交
    • A
      fix serial buffer memory leak · 42fd552e
      Alan Cox 提交于
      Patch c5c34d48 (tty: flush flip buffer on
      ldisc input queue flush) introduces a race condition which can lead to memory
      leaks.
      
      The problem can be triggered when tcflush() is called when data are being
      pushed to the line discipline driver by flush_to_ldisc().
      
      flush_to_ldisc() releases tty->buf.lock when calling the line discipline
      receive_buf function. At that poing tty_buffer_flush() kicks in and sets both
      tty->buf.head and tty->buf.tail to NULL. When flush_to_ldisc() finishes, it
      restores tty->buf.head but doesn't touch tty->buf.tail. This corrups the
      buffer queue, and the next call to tty_buffer_request_room() will allocate a
      new buffer and overwrite tty->buf.head. The previous buffer is then lost
      forever without being released.
      
      (Thanks to Laurent for the above text, for finding, disgnosing and reporting
      the bug)
      
      - Use tty->flags bits for the flush status.
      
      - Wait for the flag to clear again before returning
      
      - Fix the doc error noted
      
      - Fix flush of empty queue leaving stale flushpending
      
      [akpm@linux-foundation.org: cleanup]
      Signed-off-by: NAlan Cox <alan@redhat.com>
      Acked-by: NPaul Fulghum <paulkf@microgate.com>
      Cc: Laurent Pinchart <laurentp@cse-semaphore.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      42fd552e
  10. 17 7月, 2007 3 次提交
  11. 17 6月, 2007 1 次提交
    • P
      tty: restore locked ioctl file op · 38ad2ed0
      Paul Fulghum 提交于
      Restore tty locked ioctl handler which was replaced with
      an unlocked ioctl handler in hung_up_tty_fops by the patch:
      
      commit e10cc1df
      Author: Paul Fulghum <paulkf@microgate.com>
      Date:   Thu May 10 22:22:50 2007 -0700
      
          tty: add compat_ioctl
      
      This was reported in:
      [Bug 8473] New: Oops: 0010 [1] SMP
      
      The bug is caused by switching to hung_up_tty_fops in do_tty_hangup.  An
      ioctl call can be waiting on BLK after testing for existence of the locked
      ioctl handler in the normal tty fops, but before calling the locked ioctl
      handler.  If a hangup occurs at that point, the locked ioctl fop is NULL
      and an oops occurs.
      
      (akpm: we can remove my debugging code from do_ioctl() now, but it'll be OK to
      do that for 2.6.23)
      Signed-off-by: NPaul Fulghum <paulkf@microgate.com>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      38ad2ed0
  12. 01 6月, 2007 1 次提交
  13. 13 5月, 2007 1 次提交
  14. 12 5月, 2007 1 次提交
  15. 11 5月, 2007 1 次提交
  16. 10 5月, 2007 1 次提交
    • P
      tty_set_ldisc() receive_room fix · ae030e43
      Paul Fulghum 提交于
      Fix tty_set_ldisc in tty_io.c so that tty->receive_room is only cleared if
      actually changing line disciplines.
      
      Without this fix a problem occurs when requesting the line discipline to
      change to the same line discipline.  In this case tty->receive_room is
      cleared but ldisc->open() is not called to set tty->receive_room back to a
      sane value.  The result is that tty->receive_room is stuck at 0 preventing
      the tty flip buffer from passing receive data to the line discipline.
      
      For example: a switch from N_TTY to N_TTY followed by a select() call for
      read input results in data never being received because tty->receive_room
      is stuck at zero.
      
      A switch from N_TTY to N_TTY followed by a read() call works because the
      read() call itself sets tty->receive_room correctly (but select does not).
      
      Previously (< 2.6.18) this was not a problem because the tty flip buffer
      pushed data to the line discipline without regard for tty->receive room.
      Signed-off-by: NPaul Fulghum <paulkf@microgate.com>
      Acked-by: NAlan Cox <alan@lxorguk.ukuu.org.uk>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      ae030e43
  17. 09 5月, 2007 6 次提交
    • R
      Fix misspellings collected by members of KJ list. · beb7dd86
      Robert P. J. Day 提交于
      Fix the misspellings of "propogate", "writting" and (oh, the shame
      :-) "kenrel" in the source tree.
      Signed-off-by: NRobert P. J. Day <rpjday@mindspring.com>
      Signed-off-by: NAdrian Bunk <bunk@stusta.de>
      beb7dd86
    • A
      Protect tty drivers list with tty_mutex · ca509f69
      Alexey Dobriyan 提交于
      Additions and removal from tty_drivers list were just done as well as
      iterating on it for /proc/tty/drivers generation.
      
      testing: modprobe/rmmod loop of simple module which does nothing but
      tty_register_driver() vs cat /proc/tty/drivers loop
      
      BUG: unable to handle kernel paging request at virtual address 6b6b6b6b
       printing eip:
      c01cefa7
      *pde = 00000000
      Oops: 0000 [#1]
      PREEMPT
      last sysfs file: devices/pci0000:00/0000:00:1d.7/usb5/5-0:1.0/bInterfaceProtocol
      Modules linked in: ohci_hcd af_packet e1000 ehci_hcd uhci_hcd usbcore xfs
      CPU:    0
      EIP:    0060:[<c01cefa7>]    Not tainted VLI
      EFLAGS: 00010297   (2.6.21-rc4-mm1 #4)
      EIP is at vsnprintf+0x3a4/0x5fc
      eax: 6b6b6b6b   ebx: f6cb50f2   ecx: 6b6b6b6b   edx: fffffffe
      esi: c0354700   edi: f6cb6000   ebp: 6b6b6b6b   esp: f31f5e68
      ds: 007b   es: 007b   fs: 00d8  gs: 0033  ss: 0068
      Process cat (pid: 31864, ti=f31f4000 task=c1998030 task.ti=f31f4000)
      Stack: 00000000 c0103f20 c013003a c0103f20 00000000 f6cb50da 0000000a 00000f0e
             f6cb50f2 00000010 00000014 ffffffff ffffffff 00000007 c0354753 f6cb50f2
             f73e39dc f73e39dc 00000001 c0175416 f31f5ed8 f31f5ed4 0ee00000 f32090bc
      Call Trace:
       [<c0103f20>] restore_nocheck+0x12/0x15
       [<c013003a>] mark_held_locks+0x6d/0x86
       [<c0103f20>] restore_nocheck+0x12/0x15
       [<c0175416>] seq_printf+0x2e/0x52
       [<c0192895>] show_tty_range+0x35/0x1f3
       [<c0175416>] seq_printf+0x2e/0x52
       [<c0192add>] show_tty_driver+0x8a/0x1d9
       [<c01758f6>] seq_read+0x70/0x2ba
       [<c0175886>] seq_read+0x0/0x2ba
       [<c018d8e6>] proc_reg_read+0x63/0x9f
       [<c015e764>] vfs_read+0x7d/0xb5
       [<c018d883>] proc_reg_read+0x0/0x9f
       [<c015eab1>] sys_read+0x41/0x6a
       [<c0103e4e>] sysenter_past_esp+0x5f/0x99
       =======================
      Code: 00 8b 4d 04 e9 44 ff ff ff 8d 4d 04 89 4c 24 50 8b 6d 00 81 fd ff 0f 00 00 b8 a4 c1 35 c0 0f 46 e8 8b 54 24 2c 89 e9 89 c8 eb 06 <80> 38 00 74 07 40 4a 83 fa ff 75 f4 29 c8 89 c6 8b 44 24 28 89
      EIP: [<c01cefa7>] vsnprintf+0x3a4/0x5fc SS:ESP 0068:f31f5e68
      Signed-off-by: NAlexey Dobriyan <adobriyan@sw.ru>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      ca509f69
    • E
      tty: introduce no_tty and use it in selinux · 98a27ba4
      Eric W. Biederman 提交于
      While researching the tty layer pid leaks I found a weird case in selinux when
      we drop a controlling tty because of inadequate permissions we don't do the
      normal hangup processing.  Which is a problem if it happens the session leader
      has exec'd something that can no longer access the tty.
      
      We already have code in the kernel to handle this case in the form of the
      TIOCNOTTY ioctl.  So this patch factors out a helper function that is the
      essence of that ioctl and calls it from the selinux code.
      
      This removes the inconsistency in handling dropping of a controlling tty and
      who knows it might even make some part of user space happy because it received
      a SIGHUP it was expecting.
      
      In addition since this removes the last user of proc_set_tty outside of
      tty_io.c proc_set_tty is made static and removed from tty.h
      Signed-off-by: NEric W. Biederman <ebiederm@xmission.com>
      Acked-by: NAlan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: James Morris <jmorris@namei.org>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      98a27ba4
    • E
      tty: simplify calling of put_pid. · 2a65f1d9
      Eric W. Biederman 提交于
      This patch should contain no functional changes.
      
      At some point I got confused and thought put_pid could not be called while a
      spin lock was held.  While it may be nice to avoid that to reduce lock hold
      times put_pid can be safely called while we hold a spin lock.
      
      This patch removes all of the complications from the code introduced by my
      misunderstanding, making the code a little more readable.
      Signed-off-by: NEric W. Biederman <ebiederm@xmission.com>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      2a65f1d9
    • E
      tty: remove unnecessary export of proc_clear_tty · f67c3627
      Eric W. Biederman 提交于
      All of the users of proc_clear_tty are compiled into the kernel so exporting
      this symbol appears gratuitous.
      Signed-off-by: NEric W. Biederman <ebiederm@xmission.com>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      f67c3627
    • G
      Fixes and cleanups for earlyprintk aka boot console · 69331af7
      Gerd Hoffmann 提交于
      The console subsystem already has an idea of a boot console, using the
      CON_BOOT flag.  The implementation has some flaws though.  The major
      problem is that presence of a boot console makes register_console() ignore
      any other console devices (unless explicitly specified on the kernel
      command line).
      
      This patch fixes the console selection code to *not* consider a boot
      console a full-featured one, so the first non-boot console registering will
      become the default console instead.  This way the unregister call for the
      boot console in the register_console() function actually triggers and the
      handover from the boot console to the real console device works smoothly.
      Added a printk for the handover, so you know which console device the
      output goes to when the boot console stops printing messages.
      
      The disable_early_printk() call is obsolete with that patch, explicitly
      disabling the early console isn't needed any more as it works automagically
      with that patch.
      
      I've walked through the tree, dropped all disable_early_printk() instances
      found below arch/ and tagged the consoles with CON_BOOT if needed.  The
      code is tested on x86, sh (thanks to Paul) and mips (thanks to Ralf).
      
      Changes to last version: Rediffed against -rc3, adapted to mips cleanups by
      Ralf, fixed "udbg-immortal" cmd line arg on powerpc.
      Signed-off-by: NGerd Hoffmann <kraxel@exsuse.de>
      Acked-by: NPaul Mundt <lethal@linux-sh.org>
      Acked-by: NRalf Baechle <ralf@linux-mips.org>
      Cc: Andi Kleen <ak@suse.de>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: Richard Henderson <rth@twiddle.net>
      Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Jeremy Fitzhardinge <jeremy@goop.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      69331af7
  18. 08 5月, 2007 1 次提交
  19. 19 3月, 2007 1 次提交
    • E
      [PATCH] tty: Fix two reported pid leaks · d9c1e9a8
      Eric W. Biederman 提交于
      These leaks were reported by: Catalin Marinas <catalin.marians@gmail.com>
      and I have been able to very by inspection they are possible.
      
      When converting tty_io.c to store pids as struct pid pointers instead
      of pid_t values it appears I overlooked two places where we stop using
      the pid value.  The very obvious one is in do_tty_hangup, and the one
      the less obvious one in __proc_set_tty.
      
      When looking into the code __proc_set_tty only has pids that need to
      be put because of failures of other parts of the code to properly
      perform hangup processing.   Fixing the leak here in __proc_set_tty
      is easy and obviously correct so I am doing that first.
      
      Fixing the places that should be performing hangup processing is much
      less obviously correct.  So those I'm aiming those patches at -mm.
      for now, so the can age a while before they are merged.
      Signed-off-by: NEric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      d9c1e9a8
  20. 02 3月, 2007 1 次提交
    • A
      [PATCH] tty_io: fix race in master pty close/slave pty close path · 5a39e8c6
      Aristeu Sergio Rozanski Filho 提交于
      This patch fixes a possible race that leads to double freeing an idr index.
       When the master begin to close, release_dev() is called and then
      pty_close() is called:
      
              if (tty->driver->close)
                      tty->driver->close(tty, filp);
      
      This is done without helding any locks other than BKL.  Inside pty_close(),
      being a master close, the devpts entry will be removed:
      
      #ifdef CONFIG_UNIX98_PTYS
                      if (tty->driver == ptm_driver)
                              devpts_pty_kill(tty->index);
      #endif
      
      But devpts_pty_kill() will call get_node() that may sleep while waiting for
      &devpts_root->d_inode->i_sem.  When this happens and the slave is being
      opened, tty_open() just found the driver and index:
      
              driver = get_tty_driver(device, &index);
              if (!driver) {
                      mutex_unlock(&tty_mutex);
                      return -ENODEV;
              }
      
      This part of the code is already protected under tty_mute.  The problem is
      that the slave close already got an index.  Then init_dev() is called and
      blocks waiting for the same &devpts_root->d_inode->i_sem.
      
      When the master close resumes, it removes the devpts entry, and the
      relation between idr index and the tty is gone.  The master then sleeps
      waiting for the tty_mutex on release_dev().
      
      Slave open resumes and found no tty for that index.  As result, a NULL tty
      is returned and init_dev() doesn't flow to fast_track:
      
              /* check whether we're reopening an existing tty */
              if (driver->flags & TTY_DRIVER_DEVPTS_MEM) {
                      tty = devpts_get_tty(idx);
                      if (tty && driver->subtype == PTY_TYPE_MASTER)
                              tty = tty->link;
              } else {
                      tty = driver->ttys[idx];
              }
              if (tty) goto fast_track;
      
      The result of this, is that a new tty will be created and init_dev() returns
      sucessfull. After returning, tty_mutex is dropped and master close may resume.
      
      Master close finds it's the only use and both sides are closing, then releases
      the tty and the index. At this point, the idr index is free, but slave still
      has it.
      
      Slave open then calls pty_open() and finds that tty->link->count is 0,
      because there's no master and returns error.  Then tty_open() calls
      release_dev() which executes without any warning, as it was a case of last
      slave close when the master is already closed (master->count == 0,
      slave->count == 1).  The tty is then released with the already released idr
      index.
      
      This normally would only issue a warning on idr_remove() but in case of a
      customer's critical application, it's never too simple:
      
      thread1: opens master, gets index X
      thread1: begin closing master
      thread2: begin opening slave with index X
      thread1: finishes closing master, index X released
      thread3: opens master, gets index X, just released
      thread2: fails opening slave, releases index X         <----
      thread4: opens master, gets index X, init_dev() then find an already in use
      	 and healthy tty and fails
      
      If no more indexes are released, ptmx_open() will keep failing, as the
      first free index available is X, and it will make init_dev() fail because
      you're trying to "reopen a master" which isn't valid.
      
      The patch notices when this race happens and make init_dev() fail
      imediately.  The init_dev() function is called with tty_mutex held, so it's
      safe to continue with tty till the end of function because release_dev()
      won't make any further changes without grabbing the tty_mutex.
      
      Without the patch, on some machines it's possible get easily idr warnings
      like this one:
      
      idr_remove called for id=15 which is not allocated.
       [<c02555b9>] idr_remove+0x139/0x170
       [<c02a1b62>] release_mem+0x182/0x230
       [<c02a28e7>] release_dev+0x4b7/0x700
       [<c02a0ea7>] tty_ldisc_enable+0x27/0x30
       [<c02a1e64>] init_dev+0x254/0x580
       [<c02a0d64>] check_tty_count+0x14/0xb0
       [<c02a4f05>] tty_open+0x1c5/0x340
       [<c02a4d40>] tty_open+0x0/0x340
       [<c017388f>] chrdev_open+0xaf/0x180
       [<c017c2ac>] open_namei+0x8c/0x760
       [<c01737e0>] chrdev_open+0x0/0x180
       [<c0167bc9>] __dentry_open+0xc9/0x210
       [<c0167e2c>] do_filp_open+0x5c/0x70
       [<c0167a91>] get_unused_fd+0x61/0xd0
       [<c0167e93>] do_sys_open+0x53/0x100
       [<c0167f97>] sys_open+0x27/0x30
       [<c010303b>] syscall_call+0x7/0xb
      
      using this test application available on:
       http://www.ruivo.org/~aris/pty_sodomizer.cSigned-off-by: NAristeu Sergio Rozanski Filho <aris@ruivo.org>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Chuck Ebbert <cebbert@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      5a39e8c6
  21. 21 2月, 2007 2 次提交
  22. 14 2月, 2007 1 次提交
    • E
      [PATCH] Fix SAK_work workqueue initialization. · 7f1f86a0
      Eric W. Biederman 提交于
      Somewhere in the rewrite of the work queues my cleanup of SAK handling
      got broken.  Maybe I didn't retest it properly or possibly the API
      was changing so fast I missed something.  Regardless currently
      triggering a SAK now generates an ugly BUG_ON and kills the kernel.
      
      Thanks to Alexey Dobriyan <adobriyan@openvz.org> for spotting this.
      
      This modifies the use of SAK_work to initialize it when the data
      structure it resides in is initialized, and to simply call
      schedule_work when we need to generate a SAK.  I update both
      data structures that have a SAK_work member for consistency.
      
      All of the old PREPARE_WORK calls that are now gone.
      
      If we call schedule_work again before it has processed it
      has generated the first SAK it will simply ignore the duplicate
      schedule_work request.
      Signed-off-by: NEric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      7f1f86a0
  23. 13 2月, 2007 4 次提交