Re: [PATCH] Bluetooth: hci_uart: Switch pty driver to slave side in tty_set_termios()

From: Marcel Holtmann <marcel@holtmann.org>
To: Myungho Jung <mhjungk@gmail.com>
Cc: Johan Hedberg <johan.hedberg@gmail.com>,
	linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Bluetooth: hci_uart: Switch pty driver to slave side in tty_set_termios()
Date: Mon, 28 Jan 2019 13:20:30 +0100	[thread overview]
Message-ID: <1D2D84AB-CE67-435E-9F50-3A81A7A008C1@holtmann.org> (raw)
In-Reply-To: <20190128065259.GA2976@myunghoj-Precision-5530>

Hi Myungho,

> tty_set_termios() should be called with slave side of pty driver. So, If
> tty driver is pty master, it needs to be switched to ->link.
> 
> Reported-by: syzbot+a950165cbb86bdd023a4@syzkaller.appspotmail.com
> Signed-off-by: Myungho Jung <mhjungk@gmail.com>
> ---
> drivers/bluetooth/hci_ldisc.c | 20 +++++++++++++++-----
> 1 file changed, 15 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
> index fbf7b4df23ab..90c5ea8c399b 100644
> --- a/drivers/bluetooth/hci_ldisc.c
> +++ b/drivers/bluetooth/hci_ldisc.c
> @@ -299,10 +299,18 @@ static int hci_uart_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
> 	return 0;
> }
> 
> +/* If driver is pty master, return slave side */
> +static struct tty_struct *hci_uart_get_real_tty(struct tty_struct *tty)
> +{
> +	return  (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
> +		 tty->driver->subtype == PTY_TYPE_MASTER) ? tty->link : tty;
> +}
> +

	if (tty->driver->type == TTY_DRIVER_PTY && tty->driver->subtype = PTY_TYPE_MASTER)
		return tty->link;

	return tty;

We can spare the extra two lines to make this readable.

> /* Flow control or un-flow control the device */
> void hci_uart_set_flow_control(struct hci_uart *hu, bool enable)
> {
> 	struct tty_struct *tty = hu->tty;
> +	struct tty_struct *real_tty;
> 	struct ktermios ktermios;
> 	int status;
> 	unsigned int set = 0;
> @@ -314,11 +322,12 @@ void hci_uart_set_flow_control(struct hci_uart *hu, bool enable)
> 		return;
> 	}
> 
> +	real_tty = hci_uart_get_real_tty(tty);

I would add a comment above this call why this is done and then also add an empty line after it. The if clause is not related to that call at all.

> 	if (enable) {
> 		/* Disable hardware flow control */
> -		ktermios = tty->termios;
> +		ktermios = real_tty->termios;
> 		ktermios.c_cflag &= ~CRTSCTS;
> -		status = tty_set_termios(tty, &ktermios);
> +		status = tty_set_termios(real_tty, &ktermios);
> 		BT_DBG("Disabling hardware flow control: %s",
> 		       status ? "failed" : "success");
> 
> @@ -350,9 +359,9 @@ void hci_uart_set_flow_control(struct hci_uart *hu, bool enable)
> 		BT_DBG("Setting RTS: %s", status ? "failed" : "success");
> 
> 		/* Re-enable hardware flow control */
> -		ktermios = tty->termios;
> +		ktermios = real_tty->termios;
> 		ktermios.c_cflag |= CRTSCTS;
> -		status = tty_set_termios(tty, &ktermios);
> +		status = tty_set_termios(real_tty, &ktermios);
> 		BT_DBG("Enabling hardware flow control: %s",
> 		       status ? "failed" : "success");
> 	}
> @@ -367,9 +376,10 @@ void hci_uart_set_speeds(struct hci_uart *hu, unsigned int init_speed,
> 
> void hci_uart_set_baudrate(struct hci_uart *hu, unsigned int speed)
> {
> -	struct tty_struct *tty = hu->tty;
> +	struct tty_struct *tty;
> 	struct ktermios ktermios;
> 
> +	tty = hci_uart_get_real_tty(hu->tty);

Same here. Add comment above and the also an extra empty line.

> 	ktermios = tty->termios;
> 	ktermios.c_cflag &= ~CBAUD;
> 	tty_termios_encode_baud_rate(&ktermios, speed, speed);

Regards

Marcel