From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
syzbot <syzbot+18df353d7540aa6b5467@syzkaller.appspotmail.com>,
Peter Hurley <peter@hurleysoftware.com>
Subject: [PATCH 4.17 10/46] n_tty: Fix stall at n_tty_receive_char_special().
Date: Fri, 6 Jul 2018 07:46:31 +0200 [thread overview]
Message-ID: <20180706054525.092860984@linuxfoundation.org> (raw)
In-Reply-To: <20180706054524.595521988@linuxfoundation.org>
4.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
commit 3d63b7e4ae0dc5e02d28ddd2fa1f945defc68d81 upstream.
syzbot is reporting stalls at n_tty_receive_char_special() [1]. This is
because comparison is not working as expected since ldata->read_head can
change at any moment. Mitigate this by explicitly masking with buffer size
when checking condition for "while" loops.
[1] https://syzkaller.appspot.com/bug?id=3d7481a346958d9469bebbeb0537d5f056bdd6e8
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: syzbot <syzbot+18df353d7540aa6b5467@syzkaller.appspotmail.com>
Fixes: bc5a5e3f45d04784 ("n_tty: Don't wrap input buffer indices at buffer size")
Cc: stable <stable@vger.kernel.org>
Cc: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/n_tty.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -124,6 +124,8 @@ struct n_tty_data {
struct mutex output_lock;
};
+#define MASK(x) ((x) & (N_TTY_BUF_SIZE - 1))
+
static inline size_t read_cnt(struct n_tty_data *ldata)
{
return ldata->read_head - ldata->read_tail;
@@ -978,14 +980,15 @@ static void eraser(unsigned char c, stru
}
seen_alnums = 0;
- while (ldata->read_head != ldata->canon_head) {
+ while (MASK(ldata->read_head) != MASK(ldata->canon_head)) {
head = ldata->read_head;
/* erase a single possibly multibyte character */
do {
head--;
c = read_buf(ldata, head);
- } while (is_continuation(c, tty) && head != ldata->canon_head);
+ } while (is_continuation(c, tty) &&
+ MASK(head) != MASK(ldata->canon_head));
/* do not partially erase */
if (is_continuation(c, tty))
@@ -1027,7 +1030,7 @@ static void eraser(unsigned char c, stru
* This info is used to go back the correct
* number of columns.
*/
- while (tail != ldata->canon_head) {
+ while (MASK(tail) != MASK(ldata->canon_head)) {
tail--;
c = read_buf(ldata, tail);
if (c == '\t') {
@@ -1302,7 +1305,7 @@ n_tty_receive_char_special(struct tty_st
finish_erasing(ldata);
echo_char(c, tty);
echo_char_raw('\n', ldata);
- while (tail != ldata->read_head) {
+ while (MASK(tail) != MASK(ldata->read_head)) {
echo_char(read_buf(ldata, tail), tty);
tail++;
}
@@ -2411,7 +2414,7 @@ static unsigned long inq_canon(struct n_
tail = ldata->read_tail;
nr = head - tail;
/* Skip EOF-chars.. */
- while (head != tail) {
+ while (MASK(head) != MASK(tail)) {
if (test_bit(tail & (N_TTY_BUF_SIZE - 1), ldata->read_flags) &&
read_buf(ldata, tail) == __DISABLED_CHAR)
nr--;
next prev parent reply other threads:[~2018-07-06 5:47 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-06 5:46 [PATCH 4.17 00/46] 4.17.5-stable review Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 01/46] usb: cdc_acm: Add quirk for Uniden UBC125 scanner Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 02/46] USB: serial: cp210x: add CESINEL device ids Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 03/46] USB: serial: cp210x: add Silicon Labs IDs for Windows Update Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 04/46] usb: dwc2: fix the incorrect bitmaps for the ports of multi_tt hub Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 05/46] usb: typec: tcpm: fix logbuffer index is wrong if _tcpm_log is re-entered Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 06/46] acpi: Add helper for deactivating memory region Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 07/46] usb: typec: ucsi: acpi: Workaround for cache mode issue Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 08/46] usb: typec: ucsi: Fix for incorrect status data issue Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 09/46] xhci: Fix kernel oops in trace_xhci_free_virt_device Greg Kroah-Hartman
2018-07-06 5:46 ` Greg Kroah-Hartman [this message]
2018-07-06 5:46 ` [PATCH 4.17 11/46] n_tty: Access echo_* variables carefully Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 12/46] staging: android: ion: Return an ERR_PTR in ion_map_kernel Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 13/46] iio: mma8452: Fix ignoring MMA8452_INT_DRDY Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 14/46] serial: 8250_pci: Remove stalled entries in blacklist Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 15/46] serdev: fix memleak on module unload Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 16/46] vt: prevent leaking uninitialized data to userspace via /dev/vcs* Greg Kroah-Hartman
2018-07-06 5:49 ` syzbot
2018-07-06 5:46 ` [PATCH 4.17 22/46] drm/sti: Depend on OF rather than selecting it Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 23/46] drm/amd/display: Clear connectors edid pointer Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 25/46] drm/qxl: Call qxl_bo_unref outside atomic context Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 26/46] drm/atmel-hlcdc: check stride values in the first plane Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 27/46] Revert "drm/sun4i: Handle DRM_BUS_FLAG_PIXDATA_*EDGE" Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 28/46] drm/amdgpu: Dont default to DC support for Kaveri and older Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.17 40/46] drm/i915: Enable provoking vertex fix on Gen9 systems Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.17 41/46] netfilter: ip6t_rpfilter: provide input interface for route lookup Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.17 42/46] netfilter: xt_connmark: fix list corruption on rmmod Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.17 43/46] netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain() Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.17 44/46] ARM64: dts: meson-gxl-s905x-p212: Add phy-supply for usb0 Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.17 45/46] x86/mm: Dont free P4D table when it is folded at runtime Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.17 46/46] ARM: dts: imx6q: Use correct SDMA script for SPI5 core Greg Kroah-Hartman
2018-07-06 17:51 ` [PATCH 4.17 00/46] 4.17.5-stable review Dan Rue
2018-07-06 18:09 ` Dan Rue
2018-07-07 14:52 ` Greg Kroah-Hartman
2018-07-07 21:40 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180706054525.092860984@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=peter@hurleysoftware.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+18df353d7540aa6b5467@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).