Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3d63b7e4 authored by Tetsuo Handa's avatar Tetsuo Handa Committed by Greg Kroah-Hartman
Browse files

n_tty: Fix stall at n_tty_receive_char_special(). 

syzbot is reporting stalls at n_tty_receive_char_special() [1]. This is
because comparison is not working as expected since ldata->read_head can
change at any moment. Mitigate this by explicitly masking with buffer size
when checking condition for "while" loops.

[1] https://syzkaller.appspot.com/bug?id=3d7481a346958d9469bebbeb0537d5f056bdd6e8



Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: default avatarsyzbot <syzbot+18df353d7540aa6b5467@syzkaller.appspotmail.com>
Fixes: bc5a5e3f ("n_tty: Don't wrap input buffer indices at buffer size")
Cc: stable <stable@vger.kernel.org>
Cc: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 7daf201d

drivers/tty/n_tty.c

+8 −5
Original line number Diff line number Diff line
@@ -124,6 +124,8 @@ struct n_tty_data { 
	struct mutex output_lock;

};



#define MASK(x) ((x) & (N_TTY_BUF_SIZE - 1))



static inline size_t read_cnt(struct n_tty_data *ldata)

{

	return ldata->read_head - ldata->read_tail;
@@ -978,14 +980,15 @@ static void eraser(unsigned char c, struct tty_struct *tty) 
	}



	seen_alnums = 0;

	while (ldata->read_head != ldata->canon_head) {

	while (MASK(ldata->read_head) != MASK(ldata->canon_head)) {

		head = ldata->read_head;



		/* erase a single possibly multibyte character */

		do {

			head--;

			c = read_buf(ldata, head);

		} while (is_continuation(c, tty) && head != ldata->canon_head);

		} while (is_continuation(c, tty) &&

			 MASK(head) != MASK(ldata->canon_head));



		/* do not partially erase */

		if (is_continuation(c, tty))
@@ -1027,7 +1030,7 @@ static void eraser(unsigned char c, struct tty_struct *tty) 
				 * This info is used to go back the correct

				 * number of columns.

				 */

				while (tail != ldata->canon_head) {

				while (MASK(tail) != MASK(ldata->canon_head)) {

					tail--;

					c = read_buf(ldata, tail);

					if (c == '\t') {
@@ -1302,7 +1305,7 @@ n_tty_receive_char_special(struct tty_struct *tty, unsigned char c) 
			finish_erasing(ldata);

			echo_char(c, tty);

			echo_char_raw('\n', ldata);

			while (tail != ldata->read_head) {

			while (MASK(tail) != MASK(ldata->read_head)) {

				echo_char(read_buf(ldata, tail), tty);

				tail++;

			}
@@ -2411,7 +2414,7 @@ static unsigned long inq_canon(struct n_tty_data *ldata) 
	tail = ldata->read_tail;

	nr = head - tail;

	/* Skip EOF-chars.. */

	while (head != tail) {

	while (MASK(head) != MASK(tail)) {

		if (test_bit(tail & (N_TTY_BUF_SIZE - 1), ldata->read_flags) &&

		    read_buf(ldata, tail) == __DISABLED_CHAR)

			nr--;