<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/tty, branch v4.14.95</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>tty: Don't hold ldisc lock in tty_reopen() if ldisc present</title>
<updated>2019-01-23T07:09:45+00:00</updated>
<author>
<name>Dmitry Safonov</name>
<email>dima@arista.com</email>
</author>
<published>2019-01-09T01:17:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cb7f9a466349842d39c2ccb27bd939baf333b6a4'/>
<id>cb7f9a466349842d39c2ccb27bd939baf333b6a4</id>
<content type='text'>
commit d3736d82e8169768218ee0ef68718875918091a0 upstream.

Try to get reference for ldisc during tty_reopen().
If ldisc present, we don't need to do tty_ldisc_reinit() and lock the
write side for line discipline semaphore.
Effectively, it optimizes fast-path for tty_reopen(), but more
importantly it won't interrupt ongoing IO on the tty as no ldisc change
is needed.
Fixes user-visible issue when tty_reopen() interrupted login process for
user with a long password, observed and reported by Lukas.

Fixes: c96cf923a98d ("tty: Don't block on IO when ldisc change is pending")
Fixes: 83d817f41070 ("tty: Hold tty_ldisc_lock() during tty_reopen()")
Cc: Jiri Slaby &lt;jslaby@suse.com&gt;
Reported-by: Lukas F. Hartmann &lt;lukas@mntmn.com&gt;
Tested-by: Lukas F. Hartmann &lt;lukas@mntmn.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Dmitry Safonov &lt;dima@arista.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit d3736d82e8169768218ee0ef68718875918091a0 upstream.

Try to get reference for ldisc during tty_reopen().
If ldisc present, we don't need to do tty_ldisc_reinit() and lock the
write side for line discipline semaphore.
Effectively, it optimizes fast-path for tty_reopen(), but more
importantly it won't interrupt ongoing IO on the tty as no ldisc change
is needed.
Fixes user-visible issue when tty_reopen() interrupted login process for
user with a long password, observed and reported by Lukas.

Fixes: c96cf923a98d ("tty: Don't block on IO when ldisc change is pending")
Fixes: 83d817f41070 ("tty: Hold tty_ldisc_lock() during tty_reopen()")
Cc: Jiri Slaby &lt;jslaby@suse.com&gt;
Reported-by: Lukas F. Hartmann &lt;lukas@mntmn.com&gt;
Tested-by: Lukas F. Hartmann &lt;lukas@mntmn.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Dmitry Safonov &lt;dima@arista.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>tty: Simplify tty-&gt;count math in tty_reopen()</title>
<updated>2019-01-23T07:09:45+00:00</updated>
<author>
<name>Dmitry Safonov</name>
<email>dima@arista.com</email>
</author>
<published>2018-11-01T00:24:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4086e2872f72fcc3539dcae9b6daebe29161dfc4'/>
<id>4086e2872f72fcc3539dcae9b6daebe29161dfc4</id>
<content type='text'>
commit cf62a1a13749db0d32b5cdd800ea91a4087319de upstream.

As notted by Jiri, tty_ldisc_reinit() shouldn't rely on tty counter.
Simplify math by increasing the counter after reinit success.

Cc: Jiri Slaby &lt;jslaby@suse.com&gt;
Link: lkml.kernel.org/r/&lt;20180829022353.23568-2-dima@arista.com&gt;
Suggested-by: Jiri Slaby &lt;jslaby@suse.com&gt;
Reviewed-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Tested-by: Mark Rutland &lt;mark.rutland@arm.com&gt;
Signed-off-by: Dmitry Safonov &lt;dima@arista.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit cf62a1a13749db0d32b5cdd800ea91a4087319de upstream.

As notted by Jiri, tty_ldisc_reinit() shouldn't rely on tty counter.
Simplify math by increasing the counter after reinit success.

Cc: Jiri Slaby &lt;jslaby@suse.com&gt;
Link: lkml.kernel.org/r/&lt;20180829022353.23568-2-dima@arista.com&gt;
Suggested-by: Jiri Slaby &lt;jslaby@suse.com&gt;
Reviewed-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Tested-by: Mark Rutland &lt;mark.rutland@arm.com&gt;
Signed-off-by: Dmitry Safonov &lt;dima@arista.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>tty: Hold tty_ldisc_lock() during tty_reopen()</title>
<updated>2019-01-23T07:09:45+00:00</updated>
<author>
<name>Dmitry Safonov</name>
<email>dima@arista.com</email>
</author>
<published>2018-11-01T00:24:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=108bf6a21ee3ea982af8682517afb63f536edcc2'/>
<id>108bf6a21ee3ea982af8682517afb63f536edcc2</id>
<content type='text'>
commit 83d817f41070c48bc3eb7ec18e43000a548fca5c upstream.

tty_ldisc_reinit() doesn't race with neither tty_ldisc_hangup()
nor set_ldisc() nor tty_ldisc_release() as they use tty lock.
But it races with anyone who expects line discipline to be the same
after hoding read semaphore in tty_ldisc_ref().

We've seen the following crash on v4.9.108 stable:

BUG: unable to handle kernel paging request at 0000000000002260
IP: [..] n_tty_receive_buf_common+0x5f/0x86d
Workqueue: events_unbound flush_to_ldisc
Call Trace:
 [..] n_tty_receive_buf2
 [..] tty_ldisc_receive_buf
 [..] flush_to_ldisc
 [..] process_one_work
 [..] worker_thread
 [..] kthread
 [..] ret_from_fork

tty_ldisc_reinit() should be called with ldisc_sem hold for writing,
which will protect any reader against line discipline changes.

Cc: Jiri Slaby &lt;jslaby@suse.com&gt;
Cc: stable@vger.kernel.org # b027e2298bd5 ("tty: fix data race between tty_init_dev and flush of buf")
Reviewed-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Reported-by: syzbot+3aa9784721dfb90e984d@syzkaller.appspotmail.com
Tested-by: Mark Rutland &lt;mark.rutland@arm.com&gt;
Tested-by: Tetsuo Handa &lt;penguin-kernel@i-love.sakura.ne.jp&gt;
Signed-off-by: Dmitry Safonov &lt;dima@arista.com&gt;
Tested-by: Tycho Andersen &lt;tycho@tycho.ws&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 83d817f41070c48bc3eb7ec18e43000a548fca5c upstream.

tty_ldisc_reinit() doesn't race with neither tty_ldisc_hangup()
nor set_ldisc() nor tty_ldisc_release() as they use tty lock.
But it races with anyone who expects line discipline to be the same
after hoding read semaphore in tty_ldisc_ref().

We've seen the following crash on v4.9.108 stable:

BUG: unable to handle kernel paging request at 0000000000002260
IP: [..] n_tty_receive_buf_common+0x5f/0x86d
Workqueue: events_unbound flush_to_ldisc
Call Trace:
 [..] n_tty_receive_buf2
 [..] tty_ldisc_receive_buf
 [..] flush_to_ldisc
 [..] process_one_work
 [..] worker_thread
 [..] kthread
 [..] ret_from_fork

tty_ldisc_reinit() should be called with ldisc_sem hold for writing,
which will protect any reader against line discipline changes.

Cc: Jiri Slaby &lt;jslaby@suse.com&gt;
Cc: stable@vger.kernel.org # b027e2298bd5 ("tty: fix data race between tty_init_dev and flush of buf")
Reviewed-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Reported-by: syzbot+3aa9784721dfb90e984d@syzkaller.appspotmail.com
Tested-by: Mark Rutland &lt;mark.rutland@arm.com&gt;
Tested-by: Tetsuo Handa &lt;penguin-kernel@i-love.sakura.ne.jp&gt;
Signed-off-by: Dmitry Safonov &lt;dima@arista.com&gt;
Tested-by: Tycho Andersen &lt;tycho@tycho.ws&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>tty/ldsem: Wake up readers after timed out down_write()</title>
<updated>2019-01-23T07:09:45+00:00</updated>
<author>
<name>Dmitry Safonov</name>
<email>dima@arista.com</email>
</author>
<published>2018-11-01T00:24:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fe13700236298671d23dc864eda6a3166092f502'/>
<id>fe13700236298671d23dc864eda6a3166092f502</id>
<content type='text'>
commit 231f8fd0cca078bd4396dd7e380db813ac5736e2 upstream.

ldsem_down_read() will sleep if there is pending writer in the queue.
If the writer times out, readers in the queue should be woken up,
otherwise they may miss a chance to acquire the semaphore until the last
active reader will do ldsem_up_read().

There was a couple of reports where there was one active reader and
other readers soft locked up:
  Showing all locks held in the system:
  2 locks held by khungtaskd/17:
   #0:  (rcu_read_lock){......}, at: watchdog+0x124/0x6d1
   #1:  (tasklist_lock){.+.+..}, at: debug_show_all_locks+0x72/0x2d3
  2 locks held by askfirst/123:
   #0:  (&amp;tty-&gt;ldisc_sem){.+.+.+}, at: ldsem_down_read+0x46/0x58
   #1:  (&amp;ldata-&gt;atomic_read_lock){+.+...}, at: n_tty_read+0x115/0xbe4

Prevent readers wait for active readers to release ldisc semaphore.

Link: lkml.kernel.org/r/20171121132855.ajdv4k6swzhvktl6@wfg-t540p.sh.intel.com
Link: lkml.kernel.org/r/20180907045041.GF1110@shao2-debian
Cc: Jiri Slaby &lt;jslaby@suse.com&gt;
Cc: Peter Zijlstra &lt;peterz@infradead.org&gt;
Cc: stable@vger.kernel.org
Reported-by: kernel test robot &lt;rong.a.chen@intel.com&gt;
Signed-off-by: Dmitry Safonov &lt;dima@arista.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 231f8fd0cca078bd4396dd7e380db813ac5736e2 upstream.

ldsem_down_read() will sleep if there is pending writer in the queue.
If the writer times out, readers in the queue should be woken up,
otherwise they may miss a chance to acquire the semaphore until the last
active reader will do ldsem_up_read().

There was a couple of reports where there was one active reader and
other readers soft locked up:
  Showing all locks held in the system:
  2 locks held by khungtaskd/17:
   #0:  (rcu_read_lock){......}, at: watchdog+0x124/0x6d1
   #1:  (tasklist_lock){.+.+..}, at: debug_show_all_locks+0x72/0x2d3
  2 locks held by askfirst/123:
   #0:  (&amp;tty-&gt;ldisc_sem){.+.+.+}, at: ldsem_down_read+0x46/0x58
   #1:  (&amp;ldata-&gt;atomic_read_lock){+.+...}, at: n_tty_read+0x115/0xbe4

Prevent readers wait for active readers to release ldisc semaphore.

Link: lkml.kernel.org/r/20171121132855.ajdv4k6swzhvktl6@wfg-t540p.sh.intel.com
Link: lkml.kernel.org/r/20180907045041.GF1110@shao2-debian
Cc: Jiri Slaby &lt;jslaby@suse.com&gt;
Cc: Peter Zijlstra &lt;peterz@infradead.org&gt;
Cc: stable@vger.kernel.org
Reported-by: kernel test robot &lt;rong.a.chen@intel.com&gt;
Signed-off-by: Dmitry Safonov &lt;dima@arista.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>serial/sunsu: fix refcount leak</title>
<updated>2019-01-13T09:01:01+00:00</updated>
<author>
<name>Yangtao Li</name>
<email>tiny.windzz@gmail.com</email>
</author>
<published>2018-12-12T16:01:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d87abc2ae5474bd4b42e892ee7369086d2d6af6b'/>
<id>d87abc2ae5474bd4b42e892ee7369086d2d6af6b</id>
<content type='text'>
[ Upstream commit d430aff8cd0c57502d873909c184e3b5753f8b88 ]

The function of_find_node_by_path() acquires a reference to the node
returned by it and that reference needs to be dropped by its caller.

su_get_type() doesn't do that. The match node are used as an identifier
to compare against the current node, so we can directly drop the refcount
after getting the node from the path as it is not used as pointer.

Fix this by use a single variable and drop the refcount right after
of_find_node_by_path().

Signed-off-by: Yangtao Li &lt;tiny.windzz@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit d430aff8cd0c57502d873909c184e3b5753f8b88 ]

The function of_find_node_by_path() acquires a reference to the node
returned by it and that reference needs to be dropped by its caller.

su_get_type() doesn't do that. The match node are used as an identifier
to compare against the current node, so we can directly drop the refcount
after getting the node from the path as it is not used as pointer.

Fix this by use a single variable and drop the refcount right after
of_find_node_by_path().

Signed-off-by: Yangtao Li &lt;tiny.windzz@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>serial: uartps: Fix interrupt mask issue to handle the RX interrupts properly</title>
<updated>2019-01-09T16:14:51+00:00</updated>
<author>
<name>Nava kishore Manne</name>
<email>nava.manne@xilinx.com</email>
</author>
<published>2018-12-18T12:18:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5110d0b4c2319e9cc300271525b197af201df2bf'/>
<id>5110d0b4c2319e9cc300271525b197af201df2bf</id>
<content type='text'>
commit 260683137ab5276113fc322fdbbc578024185fee upstream.

This patch Correct the RX interrupt mask value to handle the
RX interrupts properly.

Fixes: c8dbdc842d30 ("serial: xuartps: Rewrite the interrupt handling logic")
Signed-off-by: Nava kishore Manne &lt;nava.manne@xilinx.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Michal Simek &lt;michal.simek@xilinx.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 260683137ab5276113fc322fdbbc578024185fee upstream.

This patch Correct the RX interrupt mask value to handle the
RX interrupts properly.

Fixes: c8dbdc842d30 ("serial: xuartps: Rewrite the interrupt handling logic")
Signed-off-by: Nava kishore Manne &lt;nava.manne@xilinx.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Michal Simek &lt;michal.simek@xilinx.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>drivers/tty: add missing of_node_put()</title>
<updated>2018-12-21T13:13:13+00:00</updated>
<author>
<name>Yangtao Li</name>
<email>tiny.windzz@gmail.com</email>
</author>
<published>2018-11-21T15:22:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a19e57563ce7416727c7b318162972d780334020'/>
<id>a19e57563ce7416727c7b318162972d780334020</id>
<content type='text'>
[ Upstream commit dac097c4546e4c5b16dd303a1e97c1d319c8ab3e ]

of_find_node_by_path() acquires a reference to the node
returned by it and that reference needs to be dropped by its caller.
This place is not doing this, so fix it.

Signed-off-by: Yangtao Li &lt;tiny.windzz@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit dac097c4546e4c5b16dd303a1e97c1d319c8ab3e ]

of_find_node_by_path() acquires a reference to the node
returned by it and that reference needs to be dropped by its caller.
This place is not doing this, so fix it.

Signed-off-by: Yangtao Li &lt;tiny.windzz@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()</title>
<updated>2018-12-13T08:18:54+00:00</updated>
<author>
<name>Macpaul Lin</name>
<email>macpaul@gmail.com</email>
</author>
<published>2018-10-17T15:08:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b919b4842b42a148ad12754019c58cfc939ae955'/>
<id>b919b4842b42a148ad12754019c58cfc939ae955</id>
<content type='text'>
commit dada6a43b0402eba438a17ac86fdc64ac56a4607 upstream.

This patch is trying to fix KE issue due to
"BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198"
reported by Syzkaller scan."

[26364:syz-executor0][name:report8t]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198
[26364:syz-executor0][name:report&amp;]Read of size 1 at addr ffffff900e44f95f by task syz-executor0/26364
[26364:syz-executor0][name:report&amp;]
[26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0
[26364:syz-executor0]Call trace:
[26364:syz-executor0][&lt;ffffff9008095cf8&gt;] dump_bacIctrace+Ox0/0x470
[26364:syz-executor0][&lt;ffffff9008096de0&gt;] show_stack+0x20/0x30
[26364:syz-executor0][&lt;ffffff90089cc9c8&gt;] dump_stack+Oxd8/0x128
[26364:syz-executor0][&lt;ffffff90084edb38&gt;] print_address_description +0x80/0x4a8
[26364:syz-executor0][&lt;ffffff90084ee270&gt;] kasan_report+Ox178/0x390
[26364:syz-executor0][&lt;ffffff90084ee4a0&gt;] _asan_report_loadi_noabort+Ox18/0x20
[26364:syz-executor0][&lt;ffffff9008b092ac&gt;] param_set_kgdboc_var+Ox194/0x198
[26364:syz-executor0][&lt;ffffff900813af64&gt;] param_attr_store+Ox14c/0x270
[26364:syz-executor0][&lt;ffffff90081394c8&gt;] module_attr_store+0x60/0x90
[26364:syz-executor0][&lt;ffffff90086690c0&gt;] sysfs_kl_write+Ox100/0x158
[26364:syz-executor0][&lt;ffffff9008666d84&gt;] kernfs_fop_write+0x27c/0x3a8
[26364:syz-executor0][&lt;ffffff9008508264&gt;] do_loop_readv_writev+0x114/0x1b0
[26364:syz-executor0][&lt;ffffff9008509ac8&gt;] do_readv_writev+0x4f8/0x5e0
[26364:syz-executor0][&lt;ffffff9008509ce4&gt;] vfs_writev+0x7c/Oxb8
[26364:syz-executor0][&lt;ffffff900850ba64&gt;] SyS_writev+Oxcc/0x208
[26364:syz-executor0][&lt;ffffff90080883f0&gt;] elO_svc_naked +0x24/0x28
[26364:syz-executor0][name:report&amp;]
[26364:syz-executor0][name:report&amp;]The buggy address belongs to the variable:
[26364:syz-executor0][name:report&amp;] kgdb_tty_line+Ox3f/0x40
[26364:syz-executor0][name:report&amp;]
[26364:syz-executor0][name:report&amp;]Memory state around the buggy address:
[26364:syz-executor0] ffffff900e44f800: 00 00 00 00 00 04 fa fa fa fa fa fa 00 fa fa fa
[26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
[26364:syz-executor0]&gt; ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
[26364:syz-executor0][name:report&amp;]                                       ^
[26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
[26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
[26364:syz-executor0][name:report&amp;]
[26364:syz-executor0][name:panic&amp;]Disabling lock debugging due to kernel taint
[26364:syz-executor0]------------[cut here]------------

After checking the source code, we've found there might be an out-of-bounds
access to "config[len - 1]" array when the variable "len" is zero.

Signed-off-by: Macpaul Lin &lt;macpaul@gmail.com&gt;
Acked-by: Daniel Thompson &lt;daniel.thompson@linaro.org&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit dada6a43b0402eba438a17ac86fdc64ac56a4607 upstream.

This patch is trying to fix KE issue due to
"BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198"
reported by Syzkaller scan."

[26364:syz-executor0][name:report8t]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198
[26364:syz-executor0][name:report&amp;]Read of size 1 at addr ffffff900e44f95f by task syz-executor0/26364
[26364:syz-executor0][name:report&amp;]
[26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0
[26364:syz-executor0]Call trace:
[26364:syz-executor0][&lt;ffffff9008095cf8&gt;] dump_bacIctrace+Ox0/0x470
[26364:syz-executor0][&lt;ffffff9008096de0&gt;] show_stack+0x20/0x30
[26364:syz-executor0][&lt;ffffff90089cc9c8&gt;] dump_stack+Oxd8/0x128
[26364:syz-executor0][&lt;ffffff90084edb38&gt;] print_address_description +0x80/0x4a8
[26364:syz-executor0][&lt;ffffff90084ee270&gt;] kasan_report+Ox178/0x390
[26364:syz-executor0][&lt;ffffff90084ee4a0&gt;] _asan_report_loadi_noabort+Ox18/0x20
[26364:syz-executor0][&lt;ffffff9008b092ac&gt;] param_set_kgdboc_var+Ox194/0x198
[26364:syz-executor0][&lt;ffffff900813af64&gt;] param_attr_store+Ox14c/0x270
[26364:syz-executor0][&lt;ffffff90081394c8&gt;] module_attr_store+0x60/0x90
[26364:syz-executor0][&lt;ffffff90086690c0&gt;] sysfs_kl_write+Ox100/0x158
[26364:syz-executor0][&lt;ffffff9008666d84&gt;] kernfs_fop_write+0x27c/0x3a8
[26364:syz-executor0][&lt;ffffff9008508264&gt;] do_loop_readv_writev+0x114/0x1b0
[26364:syz-executor0][&lt;ffffff9008509ac8&gt;] do_readv_writev+0x4f8/0x5e0
[26364:syz-executor0][&lt;ffffff9008509ce4&gt;] vfs_writev+0x7c/Oxb8
[26364:syz-executor0][&lt;ffffff900850ba64&gt;] SyS_writev+Oxcc/0x208
[26364:syz-executor0][&lt;ffffff90080883f0&gt;] elO_svc_naked +0x24/0x28
[26364:syz-executor0][name:report&amp;]
[26364:syz-executor0][name:report&amp;]The buggy address belongs to the variable:
[26364:syz-executor0][name:report&amp;] kgdb_tty_line+Ox3f/0x40
[26364:syz-executor0][name:report&amp;]
[26364:syz-executor0][name:report&amp;]Memory state around the buggy address:
[26364:syz-executor0] ffffff900e44f800: 00 00 00 00 00 04 fa fa fa fa fa fa 00 fa fa fa
[26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
[26364:syz-executor0]&gt; ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
[26364:syz-executor0][name:report&amp;]                                       ^
[26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
[26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
[26364:syz-executor0][name:report&amp;]
[26364:syz-executor0][name:panic&amp;]Disabling lock debugging due to kernel taint
[26364:syz-executor0]------------[cut here]------------

After checking the source code, we've found there might be an out-of-bounds
access to "config[len - 1]" array when the variable "len" is zero.

Signed-off-by: Macpaul Lin &lt;macpaul@gmail.com&gt;
Acked-by: Daniel Thompson &lt;daniel.thompson@linaro.org&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>tty: do not set TTY_IO_ERROR flag if console port</title>
<updated>2018-12-13T08:18:53+00:00</updated>
<author>
<name>Chanho Park</name>
<email>parkch98@gmail.com</email>
</author>
<published>2018-11-22T09:23:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e4c3cc6b08087550e7f000bd7510ccb9a887c543'/>
<id>e4c3cc6b08087550e7f000bd7510ccb9a887c543</id>
<content type='text'>
commit 2a48602615e0a2f563549c7d5c8d507f904cf96e upstream.

Since Commit 761ed4a94582 ('tty: serial_core: convert uart_close to use
tty_port_close') and Commit 4dda864d7307 ('tty: serial_core: Fix serial
console crash on port shutdown), a serial port which is used as
console can be stuck when logging out if there is a remained process.
After logged out, agetty will try to grab the serial port but it will
be failed because the previous process did not release the port
correctly. To fix this, TTY_IO_ERROR bit should not be enabled of
tty_port_close if the port is console port.

Reproduce step:
- Run background processes from serial console
$ while true; do sleep 10; done &amp;

- Log out
$ logout
-&gt; Stuck

- Read journal log by journalctl | tail
Jan 28 16:07:01 ubuntu systemd[1]: Stopped Serial Getty on ttyAMA0.
Jan 28 16:07:01 ubuntu systemd[1]: Started Serial Getty on ttyAMA0.
Jan 28 16:07:02 ubuntu agetty[1643]: /dev/ttyAMA0: not a tty

Fixes: 761ed4a94582 ("tty: serial_core: convert uart_close to use tty_port_close")
Cc: Geert Uytterhoeven &lt;geert+renesas@glider.be&gt;
Cc: Rob Herring &lt;robh@kernel.org&gt;
Cc: Jiri Slaby &lt;jslaby@suse.com&gt;
Signed-off-by: Chanho Park &lt;parkch98@gmail.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 2a48602615e0a2f563549c7d5c8d507f904cf96e upstream.

Since Commit 761ed4a94582 ('tty: serial_core: convert uart_close to use
tty_port_close') and Commit 4dda864d7307 ('tty: serial_core: Fix serial
console crash on port shutdown), a serial port which is used as
console can be stuck when logging out if there is a remained process.
After logged out, agetty will try to grab the serial port but it will
be failed because the previous process did not release the port
correctly. To fix this, TTY_IO_ERROR bit should not be enabled of
tty_port_close if the port is console port.

Reproduce step:
- Run background processes from serial console
$ while true; do sleep 10; done &amp;

- Log out
$ logout
-&gt; Stuck

- Read journal log by journalctl | tail
Jan 28 16:07:01 ubuntu systemd[1]: Stopped Serial Getty on ttyAMA0.
Jan 28 16:07:01 ubuntu systemd[1]: Started Serial Getty on ttyAMA0.
Jan 28 16:07:02 ubuntu agetty[1643]: /dev/ttyAMA0: not a tty

Fixes: 761ed4a94582 ("tty: serial_core: convert uart_close to use tty_port_close")
Cc: Geert Uytterhoeven &lt;geert+renesas@glider.be&gt;
Cc: Rob Herring &lt;robh@kernel.org&gt;
Cc: Jiri Slaby &lt;jslaby@suse.com&gt;
Signed-off-by: Chanho Park &lt;parkch98@gmail.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>tty: serial: 8250_mtk: always resume the device in probe.</title>
<updated>2018-12-13T08:18:53+00:00</updated>
<author>
<name>Peter Shih</name>
<email>pihsun@chromium.org</email>
</author>
<published>2018-11-27T04:49:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4f50d3a08df40a3ad261b8527345df92c9f1a731'/>
<id>4f50d3a08df40a3ad261b8527345df92c9f1a731</id>
<content type='text'>
commit 100bc3e2bebf95506da57cbdf5f26b25f6da4c81 upstream.

serial8250_register_8250_port calls uart_config_port, which calls
config_port on the port before it tries to power on the port. So we need
the port to be on before calling serial8250_register_8250_port. Change
the code to always do a runtime resume in probe before registering port,
and always do a runtime suspend in remove.

This basically reverts the change in commit 68e5fc4a255a ("tty: serial:
8250_mtk: use pm_runtime callbacks for enabling"), but still use
pm_runtime callbacks.

Fixes: 68e5fc4a255a ("tty: serial: 8250_mtk: use pm_runtime callbacks for enabling")
Signed-off-by: Peter Shih &lt;pihsun@chromium.org&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 100bc3e2bebf95506da57cbdf5f26b25f6da4c81 upstream.

serial8250_register_8250_port calls uart_config_port, which calls
config_port on the port before it tries to power on the port. So we need
the port to be on before calling serial8250_register_8250_port. Change
the code to always do a runtime resume in probe before registering port,
and always do a runtime suspend in remove.

This basically reverts the change in commit 68e5fc4a255a ("tty: serial:
8250_mtk: use pm_runtime callbacks for enabling"), but still use
pm_runtime callbacks.

Fixes: 68e5fc4a255a ("tty: serial: 8250_mtk: use pm_runtime callbacks for enabling")
Signed-off-by: Peter Shih &lt;pihsun@chromium.org&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
