android/android_kernel_asus_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

n_tty: Fix unsafe driver-side signals

Browse Source 
An ldisc reference is insufficient guarantee the foreground process
group is not in the process of being signalled from a hangup.

1) Reads of tty->pgrp must be locked with ctrl_lock
2) The group pid must be referenced for the duration of signalling.
   Because the driver-side is not process-context, a pid reference
   must be acquired.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Peter Hurley 2013-03-06 08:38:19 -05:00 committed by Greg Kroah-Hartman
parent e91e52e428
commit 8c985d18b1
1 changed files with 14 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
drivers/tty/n_tty.c
View File

@ -1017,23 +1017,19 @@ static void eraser(unsigned char c, struct tty_struct *tty)
* isig - handle the ISIG optio * isig - handle the ISIG optio
* @sig: signal * @sig: signal
* @tty: terminal * @tty: terminal
* @flush: force flush
* *
* Called when a signal is being sent due to terminal input. This * Called when a signal is being sent due to terminal input.
* may caus terminal flushing to take place according to the termios * Called from the driver receive_buf path so serialized.
* settings and character used. Called from the driver receive_buf
* path so serialized.
* *
* Locking: ctrl_lock, read_lock (both via flush buffer) * Locking: ctrl_lock
*/ */
static inline void isig(int sig, struct tty_struct *tty, int flush) static inline void isig(int sig, struct tty_struct *tty)
{ {
if (tty->pgrp) struct pid *tty_pgrp = tty_get_pgrp(tty);
kill_pgrp(tty->pgrp, sig, 1); if (tty_pgrp) {
if (flush || !L_NOFLSH(tty)) { kill_pgrp(tty_pgrp, sig, 1);
n_tty_flush_buffer(tty); put_pid(tty_pgrp);
tty_driver_flush_buffer(tty);
} }
} }
@ -1054,7 +1050,11 @@ static inline void n_tty_receive_break(struct tty_struct *tty)
if (I_IGNBRK(tty)) if (I_IGNBRK(tty))
return; return;
if (I_BRKINT(tty)) { if (I_BRKINT(tty)) {
isig(SIGINT, tty, 1); isig(SIGINT, tty);
if (!L_NOFLSH(tty)) {
n_tty_flush_buffer(tty);
tty_driver_flush_buffer(tty);
}
return; return;
} }
if (I_PARMRK(tty)) { if (I_PARMRK(tty)) {
@ -1221,11 +1221,6 @@ static inline void n_tty_receive_char(struct tty_struct *tty, unsigned char c)
signal = SIGTSTP; signal = SIGTSTP;
if (c == SUSP_CHAR(tty)) { if (c == SUSP_CHAR(tty)) {
send_signal: send_signal:
/*
* Note that we do not use isig() here because we want
* the order to be:
* 1) flush, 2) echo, 3) signal
*/
if (!L_NOFLSH(tty)) { if (!L_NOFLSH(tty)) {
n_tty_flush_buffer(tty); n_tty_flush_buffer(tty);
tty_driver_flush_buffer(tty); tty_driver_flush_buffer(tty);
@ -1236,8 +1231,7 @@ static inline void n_tty_receive_char(struct tty_struct *tty, unsigned char c)
echo_char(c, tty); echo_char(c, tty);
process_echoes(tty); process_echoes(tty);
} }
if (tty->pgrp) isig(signal, tty);
kill_pgrp(tty->pgrp, signal, 1);
return; return;
} }
} }