Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-12-27 21:33:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

n_tty: Fix stall at n_tty_receive_char_special().

Browse Source 
syzbot is reporting stalls at n_tty_receive_char_special() [1]. This is
because comparison is not working as expected since ldata->read_head can
change at any moment. Mitigate this by explicitly masking with buffer size
when checking condition for "while" loops.

[1] https://syzkaller.appspot.com/bug?id=3d7481a346958d9469bebbeb0537d5f056bdd6e8

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: syzbot <syzbot+18df353d7540aa6b5467@syzkaller.appspotmail.com>
Fixes: bc5a5e3f45 ("n_tty: Don't wrap input buffer indices at buffer size")
Cc: stable <stable@vger.kernel.org>
Cc: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Tetsuo Handa 2018-05-26 09:53:13 +09:00 committed by Greg Kroah-Hartman
parent 7daf201d7f
commit 3d63b7e4ae
1 changed files with 8 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
drivers/tty/n_tty.c
View File

@ -124,6 +124,8 @@ struct n_tty_data {
struct mutex output_lock; struct mutex output_lock;
}; };
#define MASK(x) ((x) & (N_TTY_BUF_SIZE - 1))
static inline size_t read_cnt(struct n_tty_data *ldata) static inline size_t read_cnt(struct n_tty_data *ldata)
{ {
return ldata->read_head - ldata->read_tail; return ldata->read_head - ldata->read_tail;
@ -978,14 +980,15 @@ static void eraser(unsigned char c, struct tty_struct *tty)
} }
seen_alnums = 0; seen_alnums = 0;
while (ldata->read_head != ldata->canon_head) { while (MASK(ldata->read_head) != MASK(ldata->canon_head)) {
head = ldata->read_head; head = ldata->read_head;
/* erase a single possibly multibyte character */ /* erase a single possibly multibyte character */
do { do {
head--; head--;
c = read_buf(ldata, head); c = read_buf(ldata, head);
} while (is_continuation(c, tty) && head != ldata->canon_head); } while (is_continuation(c, tty) &&
MASK(head) != MASK(ldata->canon_head));
/* do not partially erase */ /* do not partially erase */
if (is_continuation(c, tty)) if (is_continuation(c, tty))
@ -1027,7 +1030,7 @@ static void eraser(unsigned char c, struct tty_struct *tty)
* This info is used to go back the correct * This info is used to go back the correct
* number of columns. * number of columns.
*/ */
while (tail != ldata->canon_head) { while (MASK(tail) != MASK(ldata->canon_head)) {
tail--; tail--;
c = read_buf(ldata, tail); c = read_buf(ldata, tail);
if (c == '\t') { if (c == '\t') {
@ -1302,7 +1305,7 @@ n_tty_receive_char_special(struct tty_struct *tty, unsigned char c)
finish_erasing(ldata); finish_erasing(ldata);
echo_char(c, tty); echo_char(c, tty);
echo_char_raw('\n', ldata); echo_char_raw('\n', ldata);
while (tail != ldata->read_head) { while (MASK(tail) != MASK(ldata->read_head)) {
echo_char(read_buf(ldata, tail), tty); echo_char(read_buf(ldata, tail), tty);
tail++; tail++;
} }
@ -2411,7 +2414,7 @@ static unsigned long inq_canon(struct n_tty_data *ldata)
tail = ldata->read_tail; tail = ldata->read_tail;
nr = head - tail; nr = head - tail;
/* Skip EOF-chars.. */ /* Skip EOF-chars.. */
while (head != tail) { while (MASK(head) != MASK(tail)) {
if (test_bit(tail & (N_TTY_BUF_SIZE - 1), ldata->read_flags) && if (test_bit(tail & (N_TTY_BUF_SIZE - 1), ldata->read_flags) &&
read_buf(ldata, tail) == __DISABLED_CHAR) read_buf(ldata, tail) == __DISABLED_CHAR)
nr--; nr--;