From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+97388eb9d31b997fe1d0@syzkaller.appspotmail.com, Jiri Slaby, Nguyen Dinh Phi
Subject: [PATCH 5.13 276/300] tty: Fix data race between tiocsti() and flush_to_ldisc()
Date: Mon, 13 Sep 2021 15:15:37 +0200
Message-Id: <20210913131118.663376135@linuxfoundation.org>
In-Reply-To: <20210913131109.253835823@linuxfoundation.org>
References: <20210913131109.253835823@linuxfoundation.org>

From: Nguyen Dinh Phi

commit bb2853a6a421a052268eee00fd5d3f6b3504b2b1 upstream.

The ops->receive_buf() may be accessed concurrently from these two
functions. If the driver flushes data to the line discipline
receive_buf() method while tiocsti() is waiting for the
ops->receive_buf() to finish its work, the data race will happen.

For example:

    tty_ioctl                    |tty_ldisc_receive_buf
     ->tiocsti                   | ->tty_port_default_receive_buf
                                 |  ->tty_ldisc_receive_buf
       ->hci_uart_tty_receive    |   ->hci_uart_tty_receive
        ->h4_recv                |    ->h4_recv

In this case, the h4 receive buffer will be overwritten by the
latecomer, and we will lose the data.

Hence, change tiocsti() function to use the exclusive lock interface
from tty_buffer to avoid the data race.

Reported-by: syzbot+97388eb9d31b997fe1d0@syzkaller.appspotmail.com
Reviewed-by: Jiri Slaby
Signed-off-by: Nguyen Dinh Phi
Link: https://lore.kernel.org/r/20210823000641.2082292-1-phind.uet@gmail.com
Cc: stable
Signed-off-by: Greg Kroah-Hartman
--- drivers/tty/tty_io.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c
@@ -2294,8 +2294,6 @@ static int tty_fasync(int fd, struct fil * Locking: * Called functions take tty_ldiscs_lock * current->signal->tty check is safe without locks - * - * FIXME: may race normal receive processing */ static int tiocsti(struct tty_struct *tty, char __user *p) @@ -2311,8 +2309,10 @@ static int tiocsti(struct tty_struct *tt ld = tty_ldisc_ref_wait(tty); if (!ld) return -EIO; + tty_buffer_lock_exclusive(tty->port); if (ld->ops->receive_buf) ld->ops->receive_buf(tty, &ch, &mbz, 1); + tty_buffer_unlock_exclusive(tty->port); tty_ldisc_deref(ld); return 0; }
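
Review bot: the Locking: comment above tiocsti() (first hunk, @@ -2294) drops the "FIXME: may race normal receive processing" line but does not record what now prevents that race. Suggest adding a line to that comment block stating that tiocsti() takes the tty buffer exclusive lock around ld->ops->receive_buf(), so the documented locking matches the code changed in the second hunk.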
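
Review bot: in tiocsti() (second hunk, @@ -2311) the order of acquisition is undocumented: the ldisc reference from tty_ldisc_ref_wait() is taken first, tty_buffer_lock_exclusive(tty->port) second, and the buffer lock is released before tty_ldisc_deref(ld). A one-line comment at the lock call stating that order would help later callers of the exclusive lock interface stay consistent with it. A smaller point on the same lines: the lock is taken before the "if (ld->ops->receive_buf)" test, so it is acquired and released even when the line discipline has no receive_buf method; moving the lock/unlock pair inside the if would avoid that.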