From 8ebd8aa7f954c7784a58587a071378b5c9331d70 Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Thu, 15 Aug 2024 13:41:34 +0000 Subject: [PATCH 1/2] tty: add the option to have a tty reject a new ldisc stable inclusion from stable-v6.6.36 commit 287b569a5b914903ba7c438a3c0dbc3410ebb409 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IACT4T CVE: CVE-2024-40966 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=287b569a5b914903ba7c438a3c0dbc3410ebb409 -------------------------------- [ Upstream commit 6bd23e0c2bb6c65d4f5754d1456bc9a4427fc59b ] ... and use it to limit the virtual terminals to just N_TTY. They are kind of special, and in particular, the "con_write()" routine violates the "writes cannot sleep" rule that some ldiscs rely on. This avoids the BUG: sleeping function called from invalid context at kernel/printk/printk.c:2659 when N_GSM has been attached to a virtual console, and gsmld_write() calls con_write() while holding a spinlock, and con_write() then tries to get the console lock. Tested-by: Tetsuo Handa Cc: Jiri Slaby Cc: Andrew Morton Cc: Daniel Starke Reported-by: syzbot Closes: https://syzkaller.appspot.com/bug?extid=dbac96d8e73b61aa559c Signed-off-by: Linus Torvalds Link: https://lore.kernel.org/r/20240423163339.59780-1-torvalds@linux-foundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Yi Yang --- drivers/tty/tty_ldisc.c | 6 ++++++ drivers/tty/vt/vt.c | 10 ++++++++++ include/linux/tty_driver.h | 8 ++++++++ 3 files changed, 24 insertions(+) diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c index 3f68e213df1f..d80e9d4c974b 100644 --- a/drivers/tty/tty_ldisc.c +++ b/drivers/tty/tty_ldisc.c @@ -545,6 +545,12 @@ int tty_set_ldisc(struct tty_struct *tty, int disc) goto out; } + if (tty->ops->ldisc_ok) { + retval = tty->ops->ldisc_ok(tty, disc); + if (retval) + goto out; + } + old_ldisc = tty->ldisc; /* Shutdown the old discipline. */ diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index e66ff9c11dad..a22da757ca6d 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -3390,6 +3390,15 @@ static void con_cleanup(struct tty_struct *tty) tty_port_put(&vc->port); } +/* + * We can't deal with anything but the N_TTY ldisc, + * because we can sleep in our write() routine. + */ +static int con_ldisc_ok(struct tty_struct *tty, int ldisc) +{ + return ldisc == N_TTY ? 0 : -EINVAL; +} + static int default_color = 7; /* white */ static int default_italic_color = 2; // green (ASCII) static int default_underline_color = 3; // cyan (ASCII) @@ -3509,6 +3518,7 @@ static const struct tty_operations con_ops = { .resize = vt_resize, .shutdown = con_shutdown, .cleanup = con_cleanup, + .ldisc_ok = con_ldisc_ok, }; static struct cdev vc0_cdev; diff --git a/include/linux/tty_driver.h b/include/linux/tty_driver.h index e4883dcf1656..9ab7516472e7 100644 --- a/include/linux/tty_driver.h +++ b/include/linux/tty_driver.h @@ -156,6 +156,13 @@ struct serial_struct; * * Optional. Called under the @tty->termios_rwsem. May sleep. * + * @ldisc_ok: ``int ()(struct tty_struct *tty, int ldisc)`` + * + * This routine allows the @tty driver to decide if it can deal + * with a particular @ldisc. + * + * Optional. Called under the @tty->ldisc_sem and @tty->termios_rwsem. + * * @set_ldisc: ``void ()(struct tty_struct *tty)`` * * This routine allows the @tty driver to be notified when the device's @@ -374,6 +381,7 @@ struct tty_operations { void (*hangup)(struct tty_struct *tty); int (*break_ctl)(struct tty_struct *tty, int state); void (*flush_buffer)(struct tty_struct *tty); + int (*ldisc_ok)(struct tty_struct *tty, int ldisc); void (*set_ldisc)(struct tty_struct *tty); void (*wait_until_sent)(struct tty_struct *tty, int timeout); void (*send_xchar)(struct tty_struct *tty, char ch); -- Gitee From 36a5b39889fc6c22ef47e499f72a95db2e6b99b3 Mon Sep 17 00:00:00 2001 From: Yi Yang Date: Thu, 15 Aug 2024 13:41:35 +0000 Subject: [PATCH 2/2] tty: fix kabi breakage in struct tty_operations hulk inclusion category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IACT4T CVE: CVE-2024-40966 -------------------------------- Fix kabi breakage in struct tty_operations. Fixes: 287b569a5b91 ("tty: add the option to have a tty reject a new ldisc") Signed-off-by: Yi Yang --- include/linux/tty_driver.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/linux/tty_driver.h b/include/linux/tty_driver.h index 9ab7516472e7..aaaab5095d7c 100644 --- a/include/linux/tty_driver.h +++ b/include/linux/tty_driver.h @@ -381,7 +381,6 @@ struct tty_operations { void (*hangup)(struct tty_struct *tty); int (*break_ctl)(struct tty_struct *tty, int state); void (*flush_buffer)(struct tty_struct *tty); - int (*ldisc_ok)(struct tty_struct *tty, int ldisc); void (*set_ldisc)(struct tty_struct *tty); void (*wait_until_sent)(struct tty_struct *tty, int timeout); void (*send_xchar)(struct tty_struct *tty, char ch); @@ -400,7 +399,7 @@ struct tty_operations { void (*poll_put_char)(struct tty_driver *driver, int line, char ch); #endif int (*proc_show)(struct seq_file *m, void *driver); - KABI_RESERVE(0) + KABI_USE(0, int (*ldisc_ok)(struct tty_struct *tty, int ldisc)) KABI_RESERVE(1) } __randomize_layout; -- Gitee