Ubuntu-focal-kernel/drivers
Jiri Slaby d3416b7f6f tty: use new tty_insert_flip_string_and_push_buffer() in pty_write()
BugLink: https://bugs.launchpad.net/bugs/1988225

commit a501ab75e7624d133a5a3c7ec010687c8b961d23 upstream.

There is a race in pty_write(). pty_write() can be called in parallel
with e.g. ioctl(TIOCSTI) or ioctl(TCXONC) which also inserts chars to
the buffer. Provided that tty_flip_buffer_push() in pty_write() is called
outside the lock, it can commit an inconsistent tail. This can lead to
out-of-bounds writes and other issues. See the Link below.

To fix this, we have to introduce a new helper called
tty_insert_flip_string_and_push_buffer(). It does both
tty_insert_flip_string() and tty_flip_buffer_commit() under the port
lock. It also calls queue_work(), but outside the lock. See
71a174b39f (pty: do tty_flip_buffer_push without port->lock in
pty_write) for the reasons.

Keep the helper internal-only (in drivers' tty.h). It is not intended to
be used widely.

Link: https://seclists.org/oss-sec/2022/q2/155
Fixes: 71a174b39f (pty: do tty_flip_buffer_push without port->lock in pty_write)
Cc: 一只狗 <chennbnbnb@gmail.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Suggested-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Link: https://lore.kernel.org/r/20220707082558.9250-2-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
2022-09-16 11:00:05 +02:00
accessibility
acpi ACPI: property: Release subnode properties with data nodes 2022-08-26 11:08:25 +02:00
amba
android binder: fix handling of error during copy 2022-03-07 16:36:00 +01:00
ata ata: libata-core: fix NULL pointer deref in ata_host_alloc_pinfo() 2022-08-26 11:10:41 +02:00
atm atm: eni: Add check for dma_map_single 2022-05-20 15:17:59 +02:00
auxdisplay auxdisplay: ht16k33: Fix frame buffer device blanking 2022-01-13 18:42:37 +01:00
base regmap-irq: Fix a bug in regmap_irq_enable() for type_in_mask chips 2022-08-26 11:11:13 +02:00
bcma
block xen/blkfront: force data bouncing when backend is untrusted 2022-09-16 10:58:52 +02:00
bluetooth Bluetooth: btusb: Add 0x0b05:0x190e Realtek 8761BU (ASUS BT500) device. 2022-06-22 14:59:53 +02:00
bus bus: ti-sysc: Fix warnings for unbind for serial 2022-08-26 11:08:58 +02:00
cdrom
char random: update comment from copy_to_user() -> copy_to_iter() 2022-08-26 11:11:23 +02:00
clk clk: at91: generated: consider range when calculating best rate 2022-08-26 11:06:45 +02:00
clocksource clocksource/drivers/ixp4xx: remove EXPORT_SYMBOL_GPL from ixp4xx_timer_setup() 2022-09-16 10:58:53 +02:00
connector
counter
cpufreq cpufreq: pmac32-cpufreq: Fix refcount leak bug 2022-09-16 10:59:25 +02:00
cpuidle
crypto tcp: Fix data-races around sysctl knobs related to SYN option. 2022-09-16 10:59:51 +02:00
dax dax: make sure inodes are flushed before destroy cache 2022-05-20 15:18:55 +02:00
dca
devfreq PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events 2022-09-16 10:58:41 +02:00
dio
dma dmaengine: ti: Add missing put_device in ti_dra7_xbar_route_allocate 2022-09-16 10:59:06 +02:00
dma-buf udmabuf: add back sanity check 2022-08-26 11:11:11 +02:00
edac EDAC/synopsys: Read the error count from the correct register 2022-06-22 14:50:51 +02:00
eisa
extcon extcon: Modify extcon device to be created after driver data is set 2022-08-26 11:09:21 +02:00
firewire firewire: core: extend card->lock in fw_core_handle_bus_reset 2022-07-11 16:39:31 +02:00
firmware firmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle 2022-08-26 11:08:58 +02:00
fpga
fsi
gnss
gpio gpio: pca953x: only use single read/write for No AI mode 2022-09-16 10:59:50 +02:00
gpu locking/refcount: Consolidate implementations of refcount_t 2022-09-16 10:59:59 +02:00
greybus greybus: svc: fix an error handling bug in gb_svc_hello() 2022-05-20 15:18:15 +02:00
hid HID: elan: Fix potential double free in elan_input_configured 2022-08-26 11:07:41 +02:00
hsi HSI: core: Fix return freed object in hsi_new_client 2022-03-07 16:36:11 +01:00
hv random: remove unused irq_flags argument from add_interrupt_randomness() 2022-08-26 11:09:48 +02:00
hwmon hwmon: (ibmaem) don't call platform_device_del() if platform_device_add() fails 2022-09-16 10:58:44 +02:00
hwspinlock
hwtracing coresight: cpu-debug: Replace mutex with mutex_trylock on panic notifier 2022-08-26 11:08:53 +02:00
i2c i2c: cadence: Change large transfer count reset logic to be unconditional 2022-09-16 10:59:44 +02:00
i3c
ide
idle
iio iio: adc: axp288: Override TS pin bias current for some models 2022-08-26 11:11:19 +02:00
infiniband RDMA/qedr: Fix reporting QP timeout attribute 2022-09-16 10:58:39 +02:00
input Input: bcm5974 - set missing URB_NO_TRANSFER_DMA_MAP urb flag 2022-08-26 11:09:30 +02:00
interconnect
iommu iommu/vt-d: Fix PCI bus rescan device hot add 2022-09-16 10:58:57 +02:00
ipack
irqchip irqchip: or1k-pic: Undefine mask_ack for level triggered hardware 2022-09-16 10:59:28 +02:00
isdn mISDN: change function names to avoid conflicts 2022-03-07 16:35:01 +01:00
leds
lightnvm lightnvm: disable the subsystem 2022-06-22 14:50:59 +02:00
macintosh macintosh: via-pmu and via-cuda need RTC_LIB 2022-08-26 11:08:13 +02:00
mailbox mailbox: forward the hrtimer if not queued and under a lock 2022-08-26 11:08:14 +02:00
mcb
md dm raid: fix KASAN warning in raid5_add_disks 2022-09-16 10:58:36 +02:00
media media: coda: Add more H264 levels for CODA960 2022-08-26 11:08:32 +02:00
memory memory: atmel-ebi: Fix missing of_node_put in atmel_ebi_probe 2022-06-22 14:50:29 +02:00
memstick
message
mfd mfd: davinci_voicecodec: Fix possible null-ptr-deref davinci_vc_probe() 2022-08-26 11:08:14 +02:00
misc locking/refcount: Define constants for saturation and max refcount values 2022-09-16 10:59:56 +02:00
mmc mmc: sdhci-pci-o2micro: Fix card detect by dealing with debouncing 2022-08-26 11:11:06 +02:00
mtd mtd: cfi_cmdset_0002: Use chip_ready() for write on S29GL064N 2022-08-26 11:09:31 +02:00
mux
net be2net: Fix buffer overflow in be_get_module_eeprom 2022-09-16 10:59:50 +02:00
nfc NFC: nxp-nci: don't print header length mismatch on i2c error 2022-09-16 10:59:26 +02:00
ntb
nubus
nvdimm nvdimm: Fix badblocks clear off-by-one error 2022-09-16 10:58:35 +02:00
nvme nvme: fix regression when disconnect a recovering ctrl 2022-09-16 10:59:26 +02:00
nvmem
of of: overlay: do not break notify on NOTIFY_{OK|STOP} 2022-08-26 11:07:43 +02:00
opp opp: Fix return in _opp_add_static_v2() 2022-01-13 18:42:36 +01:00
oprofile
parisc parisc: Fix CPU affinity for Lasi, WAX and Dino chips 2022-05-20 15:19:53 +02:00
parport
pci PCI: hv: Fix interrupt mapping for multi-MSI 2022-09-16 10:59:36 +02:00
pcmcia pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards 2022-08-26 11:08:46 +02:00
perf arm_pmu: Validate single/group leader events 2022-06-22 14:50:55 +02:00
phy phy: qcom-qmp: fix pipe-clock imbalance on power-on failure 2022-08-26 11:08:53 +02:00
pinctrl pinctrl: stm32: fix optional IRQ support to gpios 2022-09-16 10:59:34 +02:00
platform platform/x86: hp-wmi: Ignore Sanitization Mode event 2022-09-16 10:59:25 +02:00
pnp
power power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe 2022-09-16 10:59:37 +02:00
powercap
pps
ps3
ptp ptp: replace snprintf with sysfs_emit 2022-05-20 15:19:42 +02:00
pwm pwm: lp3943: Fix duty calculation in case period was clamped 2022-08-26 11:08:50 +02:00
rapidio
ras
regulator regulator: pfuze100: Fix refcount leak in pfuze_parse_regulators_dt 2022-08-26 11:07:52 +02:00
remoteproc remoteproc: qcom_wcnss: Add missing of_node_put() in wcnss_alloc_memory_region 2022-05-20 15:19:10 +02:00
reset reset: tegra-bpmp: Restore Handle errors in BPMP response 2022-06-22 14:50:49 +02:00
rpmsg rpmsg: qcom_smd: Fix returning 0 if irq_of_parse_and_map() fails 2022-08-26 11:08:52 +02:00
rtc rtc: mt6397: check return value after calling platform_get_resource() 2022-08-26 11:08:54 +02:00
s390 tty: the rest, stop using tty_schedule_flip() 2022-09-16 11:00:04 +02:00
sbus
scsi scsi: fnic: Validate io_req before others 2022-08-26 11:11:32 +02:00
sfi
sh maple: fix wrong return value of maple_bus_init(). 2022-01-13 18:42:55 +01:00
siox
slimbus slimbus: qcom: Fix IRQ check in qcom_slim_probe 2022-07-11 16:40:11 +02:00
soc soc: ixp4xx/npe: Fix unused match warning 2022-09-16 10:59:29 +02:00
soundwire
spi spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers 2022-09-16 10:59:54 +02:00
spmi
ssb
staging tty: the rest, stop using tty_schedule_flip() 2022-09-16 11:00:04 +02:00
target scsi: target: tcmu: Fix possible page UAF 2022-06-22 14:50:34 +02:00
tc
tee optee: use driver internal tee_context for some rpc 2022-05-20 15:17:10 +02:00
thermal thermal/drivers/broadcom: Fix potential NULL dereference in sr_thermal_probe 2022-08-26 11:07:57 +02:00
thunderbolt
tty tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() 2022-09-16 11:00:05 +02:00
uio
usb usb: dwc3: gadget: Fix event pending check 2022-09-16 10:59:31 +02:00
vfio
vhost vringh: Fix loop descriptors check in the indirect cases 2022-08-26 11:09:27 +02:00
video fbdev: fbmem: Fix logo center image dx issue 2022-09-16 10:58:57 +02:00
virt
virtio virtio_mmio: Restore guest page size on resume 2022-09-16 10:59:24 +02:00
visorbus
vlynq
vme
w1 w1: w1_therm: fixes w1_seq for ds28ea00 sensors 2022-05-20 15:19:50 +02:00
watchdog watchdog: wdat_wdt: Stop watchdog when rebooting the system 2022-08-26 11:09:23 +02:00
xen xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE 2022-09-16 10:59:35 +02:00
zorro
Kconfig
Makefile