Android 11.0.0 Release 0.116 (RD2A.211001.001/RD2A.211001.002,barbet)
tty: Fix ->pgrp locking in tiocspgrp()

tiocspgrp() takes two tty_struct pointers: One to the tty that userspace
passed to ioctl() (`tty`) and one to the TTY being changed (`real_tty`).
These pointers are different when ioctl() is called with a master fd.

To properly lock real_tty->pgrp, we must take real_tty->ctrl_lock.

This bug makes it possible for racing ioctl(TIOCSPGRP, ...) calls on
both sides of a PTY pair to corrupt the refcount of `struct pid`,
leading to use-after-free errors.

Bug: 187909232
Fixes: 47f86834bbd4 ("redo locking of tty->pgrp")
CC: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Idd35c7aac1d4a58107ba6b3bbcd0ec8d6a2968ae
1 file changed
tree: 60854f62626727fc8b28c2104d9f428528186432
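
The lock/data mismatch described in the commit message, as an added user-space model (not code from this commit or from the kernel). The struct layout, the function names and the `unlocked_writes` counter are assumptions made for illustration; the counter plays the role of a `lockdep_assert_held()` check on the lock that protects `pgrp`.

```c
#include <stdio.h>

/* Illustrative model only: field names follow the commit message
 * (ctrl_lock, pgrp); these are not the kernel's definitions. */
struct lock { int held; };
struct model_tty {
    struct lock ctrl_lock;   /* protects this tty's pgrp */
    int pgrp;                /* stands in for struct pid *pgrp */
    int unlocked_writes;     /* writes made without ctrl_lock held */
};

/* Counts writes to t->pgrp made while t->ctrl_lock is not held. */
static void write_pgrp(struct model_tty *t, int pgrp)
{
    if (!t->ctrl_lock.held)
        t->unlocked_writes++;
    t->pgrp = pgrp;
}

/* Pre-fix pattern: lock the tty the fd refers to, write real_tty. */
static void set_pgrp_before(struct model_tty *tty, struct model_tty *real_tty, int pgrp)
{
    tty->ctrl_lock.held = 1;
    write_pgrp(real_tty, pgrp);
    tty->ctrl_lock.held = 0;
}

/* Post-fix pattern: the lock and the data belong to the same object. */
static void set_pgrp_after(struct model_tty *tty, struct model_tty *real_tty, int pgrp)
{
    (void)tty;
    real_tty->ctrl_lock.held = 1;
    write_pgrp(real_tty, pgrp);
    real_tty->ctrl_lock.held = 0;
}

/* via_master != 0 models ioctl() on a master fd, where tty != real_tty. */
int unprotected_writes(int fixed, int via_master)
{
    struct model_tty master = {{0}, 0, 0}, other_end = {{0}, 0, 0};
    struct model_tty *tty = via_master ? &master : &other_end;
    (fixed ? set_pgrp_after : set_pgrp_before)(tty, &other_end, 1234);
    return other_end.unlocked_writes;
}

int main(void)
{
    printf("master fd: before=%d after=%d\n",
           unprotected_writes(0, 1), unprotected_writes(1, 1));
    return 0;
}
```

When `tty` and `real_tty` are the same object, both patterns are equivalent, which is why the mismatch only shows up for calls made through a master fd.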