From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
syzbot <syzbot+18df353d7540aa6b5467@syzkaller.appspotmail.com>,
Peter Hurley <peter@hurleysoftware.com>
Subject: [PATCH 4.17 10/46] n_tty: Fix stall at n_tty_receive_char_special().
Date: Fri, 6 Jul 2018 07:46:31 +0200 [thread overview]
Message-ID: <20180706054525.092860984@linuxfoundation.org> (raw)
In-Reply-To: <20180706054524.595521988@linuxfoundation.org>
4.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
commit 3d63b7e4ae0dc5e02d28ddd2fa1f945defc68d81 upstream.
syzbot is reporting stalls at n_tty_receive_char_special() [1]. This is
because comparison is not working as expected since ldata->read_head can
change at any moment. Mitigate this by explicitly masking with buffer size
when checking condition for "while" loops.
[1] https://syzkaller.appspot.com/bug?id=3d7481a346958d9469bebbeb0537d5f056bdd6e8
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: syzbot <syzbot+18df353d7540aa6b5467@syzkaller.appspotmail.com>
Fixes: bc5a5e3f45d04784 ("n_tty: Don't wrap input buffer indices at buffer size")
Cc: stable <stable@vger.kernel.org>
Cc: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/n_tty.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -124,6 +124,8 @@ struct n_tty_data {
struct mutex output_lock;
};
+#define MASK(x) ((x) & (N_TTY_BUF_SIZE - 1))
+
static inline size_t read_cnt(struct n_tty_data *ldata)
{
return ldata->read_head - ldata->read_tail;
@@ -978,14 +980,15 @@ static void eraser(unsigned char c, stru
}
seen_alnums = 0;
- while (ldata->read_head != ldata->canon_head) {
+ while (MASK(ldata->read_head) != MASK(ldata->canon_head)) {
head = ldata->read_head;
/* erase a single possibly multibyte character */
do {
head--;
c = read_buf(ldata, head);
- } while (is_continuation(c, tty) && head != ldata->canon_head);
+ } while (is_continuation(c, tty) &&
+ MASK(head) != MASK(ldata->canon_head));
/* do not partially erase */
if (is_continuation(c, tty))
@@ -1027,7 +1030,7 @@ static void eraser(unsigned char c, stru
* This info is used to go back the correct
* number of columns.
*/
- while (tail != ldata->canon_head) {
+ while (MASK(tail) != MASK(ldata->canon_head)) {
tail--;
c = read_buf(ldata, tail);
if (c == '\t') {
@@ -1302,7 +1305,7 @@ n_tty_receive_char_special(struct tty_st
finish_erasing(ldata);
echo_char(c, tty);
echo_char_raw('\n', ldata);
- while (tail != ldata->read_head) {
+ while (MASK(tail) != MASK(ldata->read_head)) {
echo_char(read_buf(ldata, tail), tty);
tail++;
}
@@ -2411,7 +2414,7 @@ static unsigned long inq_canon(struct n_
tail = ldata->read_tail;
nr = head - tail;
/* Skip EOF-chars.. */
- while (head != tail) {
+ while (MASK(head) != MASK(tail)) {
if (test_bit(tail & (N_TTY_BUF_SIZE - 1), ldata->read_flags) &&
read_buf(ldata, tail) == __DISABLED_CHAR)
nr--;
next prev parent reply other threads:[~2018-07-06 5:47 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-06 5:46 [PATCH 4.17 00/46] 4.17.5-stable review Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 01/46] usb: cdc_acm: Add quirk for Uniden UBC125 scanner Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 02/46] USB: serial: cp210x: add CESINEL device ids Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 03/46] USB: serial: cp210x: add Silicon Labs IDs for Windows Update Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 04/46] usb: dwc2: fix the incorrect bitmaps for the ports of multi_tt hub Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 05/46] usb: typec: tcpm: fix logbuffer index is wrong if _tcpm_log is re-entered Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 06/46] acpi: Add helper for deactivating memory region Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 07/46] usb: typec: ucsi: acpi: Workaround for cache mode issue Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 08/46] usb: typec: ucsi: Fix for incorrect status data issue Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 09/46] xhci: Fix kernel oops in trace_xhci_free_virt_device Greg Kroah-Hartman
2018-07-06 5:46 ` Greg Kroah-Hartman [this message]
2018-07-06 5:46 ` [PATCH 4.17 11/46] n_tty: Access echo_* variables carefully Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 12/46] staging: android: ion: Return an ERR_PTR in ion_map_kernel Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 13/46] iio: mma8452: Fix ignoring MMA8452_INT_DRDY Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 14/46] serial: 8250_pci: Remove stalled entries in blacklist Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 15/46] serdev: fix memleak on module unload Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 16/46] vt: prevent leaking uninitialized data to userspace via /dev/vcs* Greg Kroah-Hartman
2018-07-06 5:49 ` syzbot
2018-07-06 5:46 ` [PATCH 4.17 22/46] drm/sti: Depend on OF rather than selecting it Greg Kroah-Hartman
2018-07-06 5:46 ` Greg Kroah-Hartman
2018-07-06 5:46 ` Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 23/46] drm/amd/display: Clear connectors edid pointer Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 25/46] drm/qxl: Call qxl_bo_unref outside atomic context Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 26/46] drm/atmel-hlcdc: check stride values in the first plane Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 27/46] Revert "drm/sun4i: Handle DRM_BUS_FLAG_PIXDATA_*EDGE" Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.17 28/46] drm/amdgpu: Dont default to DC support for Kaveri and older Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.17 40/46] drm/i915: Enable provoking vertex fix on Gen9 systems Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.17 41/46] netfilter: ip6t_rpfilter: provide input interface for route lookup Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.17 42/46] netfilter: xt_connmark: fix list corruption on rmmod Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.17 43/46] netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain() Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.17 44/46] ARM64: dts: meson-gxl-s905x-p212: Add phy-supply for usb0 Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.17 45/46] x86/mm: Dont free P4D table when it is folded at runtime Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.17 46/46] ARM: dts: imx6q: Use correct SDMA script for SPI5 core Greg Kroah-Hartman
2018-07-06 17:51 ` [PATCH 4.17 00/46] 4.17.5-stable review Dan Rue
2018-07-06 18:09 ` Dan Rue
2018-07-07 14:52 ` Greg Kroah-Hartman
2018-07-07 21:40 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180706054525.092860984@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=peter@hurleysoftware.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+18df353d7540aa6b5467@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.