From 6b2a3d628aa752f0ab825fc6d4d07b09e274d1c1 Mon Sep 17 00:00:00 2001 From: Peter Hurley Date: Sun, 8 Nov 2015 08:52:31 -0500 Subject: tty: audit: Fix audit source MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The data to audit/record is in the 'from' buffer (ie., the input read buffer). Fixes: 72586c6061ab ("n_tty: Fix auditing support for cannonical mode") Cc: stable # 4.1+ Cc: Miloslav Trmač Signed-off-by: Peter Hurley Acked-by: Laura Abbott Signed-off-by: Greg Kroah-Hartman --- drivers/tty/n_tty.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/tty/n_tty.c') diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c index 13844261cd5f..ed776149261e 100644 --- a/drivers/tty/n_tty.c +++ b/drivers/tty/n_tty.c @@ -169,7 +169,7 @@ static inline int tty_copy_to_user(struct tty_struct *tty, { struct n_tty_data *ldata = tty->disc_data; - tty_audit_add_data(tty, to, n, ldata->icanon); + tty_audit_add_data(tty, from, n, ldata->icanon); return copy_to_user(to, from, n); } -- cgit v1.2.3 From ac8f3bf8832a405cc6e4dccb1d26d5cb2994d234 Mon Sep 17 00:00:00 2001 From: Peter Hurley Date: Fri, 27 Nov 2015 13:59:20 -0500 Subject: n_tty: Fix poll() after buffer-limited eof push read commit 40d5e0905a03 ("n_tty: Fix EOF push handling") fixed EOF push for reads. However, that approach still allows a condition mismatch between poll() and read(), where poll() returns POLLIN but read() blocks. This state can happen when a previous read() returned because the user buffer was full and the next character was an EOF not at the beginning of the line. While the next read() will properly identify the condition and advance the read buffer tail without improperly indicating an EOF file condition (ie., read() will not mistakenly return 0), poll() will mistakenly indicate POLLIN. Although a possible solution would be to peek at the input buffer in n_tty_poll(), the better solution in this patch is to eat the EOF during the previous read() (ie., fix the problem by eliminating the condition). The current canon line buffer copy limits the scan for next end-of-line to the smaller of either, a. the remaining user buffer size b. completed lines in the input buffer When the remaining user buffer size is exactly one less than the end-of-line marked by EOF push, the EOF is not scanned nor skipped but left for subsequent reads. In the example below, the scan index 'eol' has stopped at the EOF because it is past the scan limit of 5 (not because it has found the next set bit in read_flags) user buffer [*nr = 5] _ _ _ _ _ read_flags 0 0 0 0 0 1 input buffer h e l l o [EOF] ^ ^ / / tail eol result: found = 0, tail += 5, *nr += 5 Instead, allow the scan to peek ahead 1 byte (while still limiting the scan to completed lines in the input buffer). For the example above, result: found = 1, tail += 6, *nr += 5 Because the scan limit is now bumped +1 byte, when the scan is completed, the tail advance and the user buffer copy limit is re-clamped to *nr when EOF is _not_ found. Fixes: 40d5e0905a03 ("n_tty: Fix EOF push handling") Cc: # 3.12+ Signed-off-by: Peter Hurley Signed-off-by: Greg Kroah-Hartman --- drivers/tty/n_tty.c | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) (limited to 'drivers/tty/n_tty.c') diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c index ed776149261e..e49c2bce551d 100644 --- a/drivers/tty/n_tty.c +++ b/drivers/tty/n_tty.c @@ -2054,13 +2054,13 @@ static int canon_copy_from_read_buf(struct tty_struct *tty, size_t eol; size_t tail; int ret, found = 0; - bool eof_push = 0; /* N.B. avoid overrun if nr == 0 */ - n = min(*nr, smp_load_acquire(&ldata->canon_head) - ldata->read_tail); - if (!n) + if (!*nr) return 0; + n = min(*nr + 1, smp_load_acquire(&ldata->canon_head) - ldata->read_tail); + tail = ldata->read_tail & (N_TTY_BUF_SIZE - 1); size = min_t(size_t, tail + n, N_TTY_BUF_SIZE); @@ -2081,12 +2081,11 @@ static int canon_copy_from_read_buf(struct tty_struct *tty, n = eol - tail; if (n > N_TTY_BUF_SIZE) n += N_TTY_BUF_SIZE; - n += found; - c = n; + c = n + found; - if (found && !ldata->push && read_buf(ldata, eol) == __DISABLED_CHAR) { - n--; - eof_push = !n && ldata->read_tail != ldata->line_start; + if (!found || read_buf(ldata, eol) != __DISABLED_CHAR) { + c = min(*nr, c); + n = c; } n_tty_trace("%s: eol:%zu found:%d n:%zu c:%zu size:%zu more:%zu\n", @@ -2116,7 +2115,7 @@ static int canon_copy_from_read_buf(struct tty_struct *tty, ldata->push = 0; tty_audit_push(tty); } - return eof_push ? -EAGAIN : 0; + return 0; } extern ssize_t redirected_tty_write(struct file *, const char __user *, @@ -2273,10 +2272,7 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file, if (ldata->icanon && !L_EXTPROC(tty)) { retval = canon_copy_from_read_buf(tty, &b, &nr); - if (retval == -EAGAIN) { - retval = 0; - continue; - } else if (retval) + if (retval) break; } else { int uncopied; -- cgit v1.2.3 From 339f36ba14cf9f8fcf6e6b78385bd6811ec59fbe Mon Sep 17 00:00:00 2001 From: Peter Hurley Date: Sun, 8 Nov 2015 13:01:13 -0500 Subject: tty: Define tty_*() printk macros Since not all ttys are devices (eg., SysV ptys), dev_*() printk macros cannot be used. Define tty_*() printk macros that output in similar format to dev_*() macros (ie., : .....). Transform the most-trivial printk( LEVEL ...) usage to tty_*() usage. NB: The function name has been eliminated from messages with unique context, or prefixed to the format when given. Signed-off-by: Peter Hurley Signed-off-by: Greg Kroah-Hartman --- drivers/tty/n_tty.c | 7 ++----- drivers/tty/tty_io.c | 27 ++++++++++----------------- drivers/tty/tty_port.c | 9 ++++----- include/linux/tty.h | 12 +++++++++++- 4 files changed, 27 insertions(+), 28 deletions(-) (limited to 'drivers/tty/n_tty.c') diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c index ed776149261e..c37c15d2f782 100644 --- a/drivers/tty/n_tty.c +++ b/drivers/tty/n_tty.c @@ -1201,9 +1201,7 @@ static void n_tty_receive_overrun(struct tty_struct *tty) ldata->num_overrun++; if (time_after(jiffies, ldata->overrun_time + HZ) || time_after(ldata->overrun_time, jiffies)) { - printk(KERN_WARNING "%s: %d input overrun(s)\n", - tty_name(tty), - ldata->num_overrun); + tty_warn(tty, "%d input overrun(s)\n", ldata->num_overrun); ldata->overrun_time = jiffies; ldata->num_overrun = 0; } @@ -1486,8 +1484,7 @@ n_tty_receive_char_flagged(struct tty_struct *tty, unsigned char c, char flag) n_tty_receive_overrun(tty); break; default: - printk(KERN_ERR "%s: unknown flag %d\n", - tty_name(tty), flag); + tty_err(tty, "unknown flag %d\n", flag); break; } } diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c index ef8ee34670c3..c9d3989b1f14 100644 --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c @@ -300,9 +300,8 @@ static int check_tty_count(struct tty_struct *tty, const char *routine) tty->link && tty->link->count) count++; if (tty->count != count) { - printk(KERN_WARNING "Warning: dev (%s) tty->count(%d) " - "!= #fd's(%d) in %s\n", - tty->name, tty->count, count, routine); + tty_warn(tty, "%s: tty->count(%d) != #fd's(%d)\n", + routine, tty->count, count); return count; } #endif @@ -427,10 +426,8 @@ int __tty_check_change(struct tty_struct *tty, int sig) } rcu_read_unlock(); - if (!tty_pgrp) { - pr_warn("%s: tty_check_change: sig=%d, tty->pgrp == NULL!\n", - tty_name(tty), sig); - } + if (!tty_pgrp) + tty_warn(tty, "sig=%d, tty->pgrp == NULL!\n", sig); return ret; } @@ -1246,8 +1243,7 @@ static ssize_t tty_write(struct file *file, const char __user *buf, return -EIO; /* Short term debug to catch buggy drivers */ if (tty->ops->write_room == NULL) - printk(KERN_ERR "tty driver %s lacks a write_room method.\n", - tty->driver->name); + tty_err(tty, "missing write_room method\n"); ld = tty_ldisc_ref_wait(tty); if (!ld->ops->write) ret = -EIO; @@ -1568,8 +1564,8 @@ err_module_put: /* call the tty release_tty routine to clean out this slot */ err_release_tty: tty_unlock(tty); - printk_ratelimited(KERN_INFO "tty_init_dev: ldisc open failed, " - "clearing slot %d\n", idx); + tty_info_ratelimited(tty, "ldisc open failed (%d), clearing slot %d\n", + retval, idx); release_tty(tty, idx); return ERR_PTR(retval); } @@ -1842,8 +1838,7 @@ int tty_release(struct inode *inode, struct file *filp) if (once) { once = 0; - printk(KERN_WARNING "%s: %s: read/write wait queue active!\n", - __func__, tty_name(tty)); + tty_warn(tty, "read/write wait queue active!\n"); } schedule_timeout_killable(timeout); if (timeout < 120 * HZ) @@ -1854,14 +1849,12 @@ int tty_release(struct inode *inode, struct file *filp) if (o_tty) { if (--o_tty->count < 0) { - printk(KERN_WARNING "%s: bad pty slave count (%d) for %s\n", - __func__, o_tty->count, tty_name(o_tty)); + tty_warn(tty, "bad slave count (%d)\n", o_tty->count); o_tty->count = 0; } } if (--tty->count < 0) { - printk(KERN_WARNING "%s: bad tty->count (%d) for %s\n", - __func__, tty->count, tty_name(tty)); + tty_warn(tty, "bad tty->count (%d)\n", tty->count); tty->count = 0; } diff --git a/drivers/tty/tty_port.c b/drivers/tty/tty_port.c index 482f33f20043..846ed481c24f 100644 --- a/drivers/tty/tty_port.c +++ b/drivers/tty/tty_port.c @@ -462,14 +462,13 @@ int tty_port_close_start(struct tty_port *port, spin_lock_irqsave(&port->lock, flags); if (tty->count == 1 && port->count != 1) { - printk(KERN_WARNING - "tty_port_close_start: tty->count = 1 port count = %d.\n", - port->count); + tty_warn(tty, "%s: tty->count = 1 port count = %d\n", __func__, + port->count); port->count = 1; } if (--port->count < 0) { - printk(KERN_WARNING "tty_port_close_start: count = %d\n", - port->count); + tty_warn(tty, "%s: bad port count (%d)\n", __func__, + port->count); port->count = 0; } diff --git a/include/linux/tty.h b/include/linux/tty.h index a9c1af990da9..f578e8405ff0 100644 --- a/include/linux/tty.h +++ b/include/linux/tty.h @@ -666,7 +666,17 @@ static inline void proc_tty_register_driver(struct tty_driver *d) {} static inline void proc_tty_unregister_driver(struct tty_driver *d) {} #endif +#define tty_msg(fn, tty, f, ...) \ + fn("%s %s: " f, tty_driver_name(tty), tty_name(tty), ##__VA_ARGS__) + #define tty_debug(tty, f, ...) \ - pr_debug("%s: %s: " f, tty_name(tty), __func__, ##__VA_ARGS__) + tty_msg(pr_debug, tty, "%s:" f, __func__, ##__VA_ARGS__) +#define tty_info(tty, f, ...) tty_msg(pr_info, tty, f, ##__VA_ARGS__) +#define tty_notice(tty, f, ...) tty_msg(pr_notice, tty, f, ##__VA_ARGS__) +#define tty_warn(tty, f, ...) tty_msg(pr_warn, tty, f, ##__VA_ARGS__) +#define tty_err(tty, f, ...) tty_msg(pr_err, tty, f, ##__VA_ARGS__) + +#define tty_info_ratelimited(tty, f, ...) \ + tty_msg(pr_info_ratelimited, tty, f, ##__VA_ARGS__) #endif -- cgit v1.2.3 From 679e7c2999f963e542c6f4c3d3c9a0688b5d3587 Mon Sep 17 00:00:00 2001 From: Peter Hurley Date: Fri, 27 Nov 2015 14:11:02 -0500 Subject: n_tty: Uninline tty_copy_to_user() Merge the multiple tty_copy_to_user() calls into a single copy sequence within tty_copy_to_user(). Signed-off-by: Peter Hurley Signed-off-by: Greg Kroah-Hartman --- drivers/tty/n_tty.c | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-) (limited to 'drivers/tty/n_tty.c') diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c index c37c15d2f782..b2b01d5439b7 100644 --- a/drivers/tty/n_tty.c +++ b/drivers/tty/n_tty.c @@ -162,12 +162,23 @@ static inline int tty_put_user(struct tty_struct *tty, unsigned char x, return put_user(x, ptr); } -static inline int tty_copy_to_user(struct tty_struct *tty, - void __user *to, - const void *from, - unsigned long n) +static int tty_copy_to_user(struct tty_struct *tty, void __user *to, + size_t tail, size_t n) { struct n_tty_data *ldata = tty->disc_data; + size_t size = N_TTY_BUF_SIZE - tail; + const void *from = read_buf_addr(ldata, tail); + int uncopied; + + if (n > size) { + tty_audit_add_data(tty, from, size, ldata->icanon); + uncopied = copy_to_user(to, from, size); + if (uncopied) + return uncopied; + to += size; + n -= size; + from = ldata->read_buf; + } tty_audit_add_data(tty, from, n, ldata->icanon); return copy_to_user(to, from, n); @@ -2074,7 +2085,6 @@ static int canon_copy_from_read_buf(struct tty_struct *tty, } else if (eol != size) found = 1; - size = N_TTY_BUF_SIZE - tail; n = eol - tail; if (n > N_TTY_BUF_SIZE) n += N_TTY_BUF_SIZE; @@ -2086,17 +2096,10 @@ static int canon_copy_from_read_buf(struct tty_struct *tty, eof_push = !n && ldata->read_tail != ldata->line_start; } - n_tty_trace("%s: eol:%zu found:%d n:%zu c:%zu size:%zu more:%zu\n", - __func__, eol, found, n, c, size, more); - - if (n > size) { - ret = tty_copy_to_user(tty, *b, read_buf_addr(ldata, tail), size); - if (ret) - return -EFAULT; - ret = tty_copy_to_user(tty, *b + size, ldata->read_buf, n - size); - } else - ret = tty_copy_to_user(tty, *b, read_buf_addr(ldata, tail), n); + n_tty_trace("%s: eol:%zu found:%d n:%zu c:%zu tail:%zu more:%zu\n", + __func__, eol, found, n, c, tail, more); + ret = tty_copy_to_user(tty, *b, tail, n); if (ret) return -EFAULT; *b += n; -- cgit v1.2.3 From e661cf702003030daf2001cb88eb586300a18ee4 Mon Sep 17 00:00:00 2001 From: Peter Hurley Date: Fri, 27 Nov 2015 14:11:03 -0500 Subject: n_tty: Clarify copy_from_read_buf() Add a temporary for the computed source address and substitute where appropriate. No functional change. Signed-off-by: Peter Hurley Signed-off-by: Greg Kroah-Hartman --- drivers/tty/n_tty.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'drivers/tty/n_tty.c') diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c index b2b01d5439b7..bc613b868e71 100644 --- a/drivers/tty/n_tty.c +++ b/drivers/tty/n_tty.c @@ -2014,11 +2014,11 @@ static int copy_from_read_buf(struct tty_struct *tty, n = min(head - ldata->read_tail, N_TTY_BUF_SIZE - tail); n = min(*nr, n); if (n) { - retval = copy_to_user(*b, read_buf_addr(ldata, tail), n); + const unsigned char *from = read_buf_addr(ldata, tail); + retval = copy_to_user(*b, from, n); n -= retval; - is_eof = n == 1 && read_buf(ldata, tail) == EOF_CHAR(tty); - tty_audit_add_data(tty, read_buf_addr(ldata, tail), n, - ldata->icanon); + is_eof = n == 1 && *from == EOF_CHAR(tty); + tty_audit_add_data(tty, from, n, ldata->icanon); smp_store_release(&ldata->read_tail, ldata->read_tail + n); /* Turn single EOF into zero-length read */ if (L_EXTPROC(tty) && ldata->icanon && is_eof && -- cgit v1.2.3 From b985e9e368f0db4fee940ad86197f413779d4b63 Mon Sep 17 00:00:00 2001 From: Peter Hurley Date: Fri, 27 Nov 2015 14:11:04 -0500 Subject: n_tty: Reduce branching in canon_copy_from_read_buf() Instead of compare-and-set, just compute 'found'. Signed-off-by: Peter Hurley Signed-off-by: Greg Kroah-Hartman --- drivers/tty/n_tty.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'drivers/tty/n_tty.c') diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c index bc613b868e71..f2f64252814f 100644 --- a/drivers/tty/n_tty.c +++ b/drivers/tty/n_tty.c @@ -2080,10 +2080,9 @@ static int canon_copy_from_read_buf(struct tty_struct *tty, if (eol == N_TTY_BUF_SIZE && more) { /* scan wrapped without finding set bit */ eol = find_next_bit(ldata->read_flags, more, 0); - if (eol != more) - found = 1; - } else if (eol != size) - found = 1; + found = eol != more; + } else + found = eol != size; n = eol - tail; if (n > N_TTY_BUF_SIZE) -- cgit v1.2.3