From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0757EC433F5 for ; Thu, 14 Oct 2021 14:54:53 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id DA48C61163 for ; Thu, 14 Oct 2021 14:54:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231873AbhJNO44 (ORCPT ); Thu, 14 Oct 2021 10:56:56 -0400 Received: from mail.kernel.org ([198.145.29.99]:41604 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231316AbhJNO4z (ORCPT ); Thu, 14 Oct 2021 10:56:55 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 23D4660F36; Thu, 14 Oct 2021 14:54:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1634223290; bh=VKt586pubkui7TKrB9kABSeFe4GcV5U43zwLc1dxEQw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=wkJMYZTx1hzvrrmmv3C9ZGyVKWWPIbcUu7NpOeycbjeAk0YVR99AzKlBZ54AmN37N xwds52ve6rtA9hSR298hDJEVahHILaXeWsHC7b/UoE2RUmXoWNV1jr/LKlSy3cXvp/ W2Q5sJgYU2X4hYtw0PFWb0YtiVAZ2f/3EHIFyCdI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Oliver Neukum , Johan Hovold Subject: [PATCH 4.4 01/18] USB: cdc-acm: fix racy tty buffer accesses Date: Thu, 14 Oct 2021 16:53:33 +0200 Message-Id: <20211014145206.378574370@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20211014145206.330102860@linuxfoundation.org> References: <20211014145206.330102860@linuxfoundation.org> User-Agent: quilt/0.66 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johan Hovold commit 65a205e6113506e69a503b61d97efec43fc10fd7 upstream. A recent change that started reporting break events to the line discipline caused the tty-buffer insertions to no longer be serialised by inserting events also from the completion handler for the interrupt endpoint. Completion calls for distinct endpoints are not guaranteed to be serialised. For example, in case a host-controller driver uses bottom-half completion, the interrupt and bulk-in completion handlers can end up running in parallel on two CPUs (high-and low-prio tasklets, respectively) thereby breaking the tty layer's single producer assumption. Fix this by holding the read lock also when inserting characters from the bulk endpoint. Fixes: 08dff274edda ("cdc-acm: fix BREAK rx code path adding necessary calls") Cc: stable@vger.kernel.org Acked-by: Oliver Neukum Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210929090937.7410-2-johan@kernel.org Signed-off-by: Greg Kroah-Hartman --- drivers/usb/class/cdc-acm.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/drivers/usb/class/cdc-acm.c +++ b/drivers/usb/class/cdc-acm.c @@ -407,11 +407,16 @@ static int acm_submit_read_urbs(struct a static void acm_process_read_urb(struct acm *acm, struct urb *urb) { + unsigned long flags; + if (!urb->actual_length) return; + spin_lock_irqsave(&acm->read_lock, flags); tty_insert_flip_string(&acm->port, urb->transfer_buffer, urb->actual_length); + spin_unlock_irqrestore(&acm->read_lock, flags); + tty_flip_buffer_push(&acm->port); }