linux-stable/drivers/tty
Nguyen Dinh Phi 03c3e977ee tty: Fix data race between tiocsti() and flush_to_ldisc()
commit bb2853a6a4 upstream.

The ops->receive_buf() may be accessed concurrently from these two
functions.  If the driver flushes data to the line discipline
receive_buf() method while tiocsti() is waiting for the
ops->receive_buf() to finish its work, the data race will happen.

For example:
tty_ioctl			|tty_ldisc_receive_buf
 ->tioctsi			| ->tty_port_default_receive_buf
				|  ->tty_ldisc_receive_buf
   ->hci_uart_tty_receive	|   ->hci_uart_tty_receive
    ->h4_recv                   |    ->h4_recv

In this case, the h4 receive buffer will be overwritten by the
latecomer, and we will lost the data.

Hence, change tioctsi() function to use the exclusive lock interface
from tty_buffer to avoid the data race.

Reported-by: syzbot+97388eb9d31b997fe1d0@syzkaller.appspotmail.com
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
Link: https://lore.kernel.org/r/20210823000641.2082292-1-phind.uet@gmail.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-09-15 09:47:39 +02:00
..
hvc tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup() 2020-10-29 09:57:38 +01:00
ipwireless tty: ipwireless: fix error handling 2020-10-29 09:58:08 +01:00
serdev
serial tty: serial: fsl_lpuart: fix the wrong mapbase value 2021-09-15 09:47:37 +02:00
vt vt_kdsetmode: extend console locking 2021-09-03 10:08:15 +02:00
amiserial.c tty: amiserial: fix TIOCSSERIAL permission check 2021-05-14 09:44:10 +02:00
cyclades.c
ehv_bytechan.c
goldfish.c
isicom.c
Kconfig
Makefile
mips_ejtag_fdc.c
moxa.c tty: moxa: fix TIOCSSERIAL permission check 2021-05-14 09:44:11 +02:00
moxa.h
mxser.c
mxser.h
n_gsm.c tty: n_gsm: check error while registering tty devices 2021-05-11 14:04:07 +02:00
n_hdlc.c
n_null.c
n_r3964.c
n_tracerouter.c
n_tracesink.c
n_tracesink.h
n_tty.c
nozomi.c tty: nozomi: Fix the error handling path of 'nozomi_card_init()' 2021-07-14 16:53:41 +02:00
pty.c pty: do tty_flip_buffer_push without port->lock in pty_write 2020-10-29 09:57:38 +01:00
rocket.c
rocket.h
rocket_int.h
synclink.c
synclink_gt.c
synclinkmp.c
sysrq.c
tty_audit.c
tty_baudrate.c
tty_buffer.c
tty_io.c tty: Fix data race between tiocsti() and flush_to_ldisc() 2021-09-15 09:47:39 +02:00
tty_ioctl.c
tty_jobctrl.c tty: Fix ->session locking 2020-12-11 13:23:28 +01:00
tty_ldisc.c
tty_ldsem.c
tty_mutex.c
tty_port.c
ttynull.c
vcc.c