linux/drivers/char/ttyprintk.c
Jiri Slaby f06fb543c1 TTY: ttyprintk, unregister tty driver on failure
When the tty_printk driver fails to create a node in sysfs, the system
crashes. It is because the driver registers a tty driver and frees it
without deregistering it first. The fix is easy: add a call to
tty_unregister_driver to the fail path.

This is very unlikely to happen in usual environment => no need for
stable.

The crash occurs at some place where we iterate over tty drivers
first. It may look like this:
BUG: unable to handle kernel paging request at ffffffffffffff84
IP: [<ffffffff81278d56>] tty_open+0xd6/0x650
PGD 1a0d067 PUD 1a0e067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in:
CPU 0
Pid: 1183, comm: boot.localnet Tainted: G        W    3.5.0-rc7-next-20120716+ #369 Bochs Bochs
RIP: 0010:[<ffffffff81278d56>]  [<ffffffff81278d56>] tty_open+0xd6/0x650
RSP: 0018:ffff8800162b3b98  EFLAGS: 00010207
RAX: 0000000000000000 RBX: ffff880016ba6200 RCX: 0000000000002208
RDX: 0000000000000000 RSI: 00000000000000d0 RDI: ffffffff81a35080
RBP: ffff8800162b3c08 R08: ffffffff81276f42 R09: 0000000000400040
R10: ffff8800161dc005 R11: ffff8800188ee048 R12: 0000000000000000
R13: ffffffffffffff58 R14: 0000000000400040 R15: 0000000000008000
FS:  00007f3684abd700(0000) GS:ffff880018e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffff84 CR3: 000000001503e000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process boot.localnet (pid: 1183, threadinfo ffff8800162b2000, task ffff8800188c5880)
Stack:
 ffff8800162b3c08 ffffffff81363d63 ffffffff81a62940 ffff8800189b4e88
 ffff8800188c5880 ffffffff81123180 0000000000000000 ffffffff18b20600
 0000000000000000 ffff8800189b4e88 ffff880016ba6200 ffff880018b20600
Call Trace:
 [<ffffffff81363d63>] ? kobj_lookup+0x103/0x160
 [<ffffffff81123180>] ? mount_fs+0x110/0x110
 [<ffffffff81123a9c>] chrdev_open+0x9c/0x1a0
 [<ffffffff81123a00>] ? cdev_put+0x30/0x30
 [<ffffffff8111de76>] do_dentry_open.isra.19+0x1e6/0x270
 [<ffffffff8111df65>] finish_open+0x65/0xa0
 [<ffffffff8112dc9e>] do_last.isra.52+0x26e/0xd80
 [<ffffffff8112b163>] ? inode_permission+0x13/0x50
 [<ffffffff8112b203>] ? link_path_walk+0x63/0x940
 [<ffffffff8112e85b>] path_openat+0xab/0x3d0
 [<ffffffff8112ef5d>] do_filp_open+0x3d/0xa0
 [<ffffffff8113ba72>] ? alloc_fd+0xd2/0x120
 [<ffffffff8111eee3>] do_sys_open+0xf3/0x1d0
 [<ffffffff8111efdc>] sys_open+0x1c/0x20
 [<ffffffff815b5fe2>] system_call_fastpath+0x16/0x1b

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Samo Pogacnik <samo_pogacnik@t-2.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-08-10 13:29:57 -07:00

226 lines
5.2 KiB
C

/*
* linux/drivers/char/ttyprintk.c
*
* Copyright (C) 2010 Samo Pogacnik
*
* This program is free software; you can redistribute it and/or modify
* it under the smems of the GNU General Public License as published by
* the Free Software Foundation; version 2 of the License.
*/
/*
* This pseudo device allows user to make printk messages. It is possible
* to store "console" messages inline with kernel messages for better analyses
* of the boot process, for example.
*/
#include <linux/device.h>
#include <linux/serial.h>
#include <linux/tty.h>
#include <linux/export.h>
struct ttyprintk_port {
struct tty_port port;
struct mutex port_write_mutex;
};
static struct ttyprintk_port tpk_port;
/*
* Our simple preformatting supports transparent output of (time-stamped)
* printk messages (also suitable for logging service):
* - any cr is replaced by nl
* - adds a ttyprintk source tag in front of each line
* - too long message is fragmeted, with '\'nl between fragments
* - TPK_STR_SIZE isn't really the write_room limiting factor, bcause
* it is emptied on the fly during preformatting.
*/
#define TPK_STR_SIZE 508 /* should be bigger then max expected line length */
#define TPK_MAX_ROOM 4096 /* we could assume 4K for instance */
static const char *tpk_tag = "[U] "; /* U for User */
static int tpk_curr;
static int tpk_printk(const unsigned char *buf, int count)
{
static char tmp[TPK_STR_SIZE + 4];
int i = tpk_curr;
if (buf == NULL) {
/* flush tmp[] */
if (tpk_curr > 0) {
/* non nl or cr terminated message - add nl */
tmp[tpk_curr + 0] = '\n';
tmp[tpk_curr + 1] = '\0';
printk(KERN_INFO "%s%s", tpk_tag, tmp);
tpk_curr = 0;
}
return i;
}
for (i = 0; i < count; i++) {
tmp[tpk_curr] = buf[i];
if (tpk_curr < TPK_STR_SIZE) {
switch (buf[i]) {
case '\r':
/* replace cr with nl */
tmp[tpk_curr + 0] = '\n';
tmp[tpk_curr + 1] = '\0';
printk(KERN_INFO "%s%s", tpk_tag, tmp);
tpk_curr = 0;
if (buf[i + 1] == '\n')
i++;
break;
case '\n':
tmp[tpk_curr + 1] = '\0';
printk(KERN_INFO "%s%s", tpk_tag, tmp);
tpk_curr = 0;
break;
default:
tpk_curr++;
}
} else {
/* end of tmp buffer reached: cut the message in two */
tmp[tpk_curr + 1] = '\\';
tmp[tpk_curr + 2] = '\n';
tmp[tpk_curr + 3] = '\0';
printk(KERN_INFO "%s%s", tpk_tag, tmp);
tpk_curr = 0;
}
}
return count;
}
/*
* TTY operations open function.
*/
static int tpk_open(struct tty_struct *tty, struct file *filp)
{
tty->driver_data = &tpk_port;
return tty_port_open(&tpk_port.port, tty, filp);
}
/*
* TTY operations close function.
*/
static void tpk_close(struct tty_struct *tty, struct file *filp)
{
struct ttyprintk_port *tpkp = tty->driver_data;
mutex_lock(&tpkp->port_write_mutex);
/* flush tpk_printk buffer */
tpk_printk(NULL, 0);
mutex_unlock(&tpkp->port_write_mutex);
tty_port_close(&tpkp->port, tty, filp);
}
/*
* TTY operations write function.
*/
static int tpk_write(struct tty_struct *tty,
const unsigned char *buf, int count)
{
struct ttyprintk_port *tpkp = tty->driver_data;
int ret;
/* exclusive use of tpk_printk within this tty */
mutex_lock(&tpkp->port_write_mutex);
ret = tpk_printk(buf, count);
mutex_unlock(&tpkp->port_write_mutex);
return ret;
}
/*
* TTY operations write_room function.
*/
static int tpk_write_room(struct tty_struct *tty)
{
return TPK_MAX_ROOM;
}
/*
* TTY operations ioctl function.
*/
static int tpk_ioctl(struct tty_struct *tty,
unsigned int cmd, unsigned long arg)
{
struct ttyprintk_port *tpkp = tty->driver_data;
if (!tpkp)
return -EINVAL;
switch (cmd) {
/* Stop TIOCCONS */
case TIOCCONS:
return -EOPNOTSUPP;
default:
return -ENOIOCTLCMD;
}
return 0;
}
static const struct tty_operations ttyprintk_ops = {
.open = tpk_open,
.close = tpk_close,
.write = tpk_write,
.write_room = tpk_write_room,
.ioctl = tpk_ioctl,
};
static struct tty_port_operations null_ops = { };
static struct tty_driver *ttyprintk_driver;
static int __init ttyprintk_init(void)
{
int ret = -ENOMEM;
void *rp;
ttyprintk_driver = alloc_tty_driver(1);
if (!ttyprintk_driver)
return ret;
ttyprintk_driver->driver_name = "ttyprintk";
ttyprintk_driver->name = "ttyprintk";
ttyprintk_driver->major = TTYAUX_MAJOR;
ttyprintk_driver->minor_start = 3;
ttyprintk_driver->type = TTY_DRIVER_TYPE_CONSOLE;
ttyprintk_driver->init_termios = tty_std_termios;
ttyprintk_driver->init_termios.c_oflag = OPOST | OCRNL | ONOCR | ONLRET;
ttyprintk_driver->flags = TTY_DRIVER_RESET_TERMIOS |
TTY_DRIVER_REAL_RAW | TTY_DRIVER_DYNAMIC_DEV;
tty_set_operations(ttyprintk_driver, &ttyprintk_ops);
ret = tty_register_driver(ttyprintk_driver);
if (ret < 0) {
printk(KERN_ERR "Couldn't register ttyprintk driver\n");
goto error;
}
/* create our unnumbered device */
rp = device_create(tty_class, NULL, MKDEV(TTYAUX_MAJOR, 3), NULL,
ttyprintk_driver->name);
if (IS_ERR(rp)) {
printk(KERN_ERR "Couldn't create ttyprintk device\n");
ret = PTR_ERR(rp);
goto error;
}
tty_port_init(&tpk_port.port);
tpk_port.port.ops = &null_ops;
mutex_init(&tpk_port.port_write_mutex);
return 0;
error:
tty_unregister_driver(ttyprintk_driver);
put_tty_driver(ttyprintk_driver);
ttyprintk_driver = NULL;
return ret;
}
module_init(ttyprintk_init);