tty: fall back to N_NULL if switching to N_TTY fails during hangup
authorJohannes Weiner <hannes@cmpxchg.org>
Fri, 13 Oct 2017 22:58:08 +0000 (15:58 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Fri, 13 Oct 2017 23:18:33 +0000 (16:18 -0700)
We have seen NULL-pointer dereference crashes in tty->disc_data when the
N_TTY fallback driver failed to open during hangup.  The immediate cause
of this open to fail has been addressed in the preceding patch to
vmalloc(), but this code could be more robust.

As Alan pointed out in commit 8a8dabf2dd68 ("tty: handle the case where
we cannot restore a line discipline"), the N_TTY driver, historically
the safe fallback that could never fail, can indeed fail, but the
surrounding code is not prepared to handle this.  To avoid crashes he
added a new N_NULL driver to take N_TTY's place as the last resort.

Hook that fallback up to the hangup path.  Update tty_ldisc_reinit() to
reflect the reality that n_tty_open can indeed fail.

Link: http://lkml.kernel.org/r/20171004185959.GC2136@cmpxchg.org
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Alan Cox <alan@llwyncelyn.cymru>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Michal Hocko <mhocko@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers/tty/tty_ldisc.c

index 2fe216b276e29ee54d6dd804555f27668407875a..84a8ac2a779f6ba7d4faf9df4d132421ac440c0a 100644 (file)
@@ -694,10 +694,8 @@ int tty_ldisc_reinit(struct tty_struct *tty, int disc)
        tty_set_termios_ldisc(tty, disc);
        retval = tty_ldisc_open(tty, tty->ldisc);
        if (retval) {
-               if (!WARN_ON(disc == N_TTY)) {
-                       tty_ldisc_put(tty->ldisc);
-                       tty->ldisc = NULL;
-               }
+               tty_ldisc_put(tty->ldisc);
+               tty->ldisc = NULL;
        }
        return retval;
 }
@@ -752,8 +750,9 @@ void tty_ldisc_hangup(struct tty_struct *tty, bool reinit)
 
        if (tty->ldisc) {
                if (reinit) {
-                       if (tty_ldisc_reinit(tty, tty->termios.c_line) < 0)
-                               tty_ldisc_reinit(tty, N_TTY);
+                       if (tty_ldisc_reinit(tty, tty->termios.c_line) < 0 &&
+                           tty_ldisc_reinit(tty, N_TTY) < 0)
+                               WARN_ON(tty_ldisc_reinit(tty, N_NULL) < 0);
                } else
                        tty_ldisc_kill(tty);
        }