Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp1614679pxb; Mon, 11 Oct 2021 09:31:26 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwFSiaFaMeqmnAERXFtQYQyuaXGaBr42b1e+cBXKKyl342ympJVXqlHPZPoiKTvZwrU45YO X-Received: by 2002:a17:906:ad98:: with SMTP id la24mr27585493ejb.383.1633969886279; Mon, 11 Oct 2021 09:31:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633969886; cv=none; d=google.com; s=arc-20160816; b=y8eAQzZ32HU95R2xnZe0Gvf+M1vrmlfHFY5cATc3breUNtnUktjgNiVV5GXu5Sq9WY tRG0ijGqY1YaoDDGoJqa5FhJ6aujsyWYlR4pPpCFoD7nAmAG4b+cZoXH0uzDIZbyN2n1 NxC9mZdJxt1HpU9guo188fdPqp7EYvn5IwWQ90Dz3rJ/HMLAbEeYgICQgme7M44QC0u2 aKuoocmFnIi8VqB0np4zRt7DC1cde5J0JT08uGSImvZOFcNZJfj7wzDJw0FUOfeHalrt bRWCbZxgcDnMKqpkFzG1Z0aDHFMpxAuu2LhubNJdrC/dsY4seuwRZ18G+LoNB429dLVV CIgw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=wXAnrUxLTcKeC+SxwFuaqRintPbj+005GG0JezjF8Eg=; b=by6G6+YmROPqMg+OwiqVv/HaVgdB5/cR4k9WCSgWJzC9qkMudcE4v3jfx3JFJKRAUU dBAXieLvVP7rZ2VAw/ihQ8MCu8rFfKAUejH6TQzVed3qtI2yRfPCQG7D3Exk+nKFDTva Bney1kqi5hZuWHCxk+bliVYmAbDhfFr9R85vWzMpHEm/lAIbYp+LvkD3E1zV32o5n0Dp y1aErDjw2tVI1eDYKjJwGc+0iifojhe31GdlyQXNr/WlBbUkOHFIQgh8JpQMUh0bj1qs kshvUjI3YuPJnVWzirtQuJTFPrjg8r/d56/oXIA7K9OGLft+GFwz0BExDTOj4KO1MKlf GJOw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="GSagb/k+"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id i8si20346886edc.529.2021.10.11.09.31.03; Mon, 11 Oct 2021 09:31:26 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="GSagb/k+"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235281AbhJKN4K (ORCPT + 99 others); Mon, 11 Oct 2021 09:56:10 -0400 Received: from mail.kernel.org ([198.145.29.99]:39336 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235240AbhJKNyS (ORCPT ); Mon, 11 Oct 2021 09:54:18 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 4778860EB1; Mon, 11 Oct 2021 13:52:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1633960333; bh=2KTZU7TzMuJ0WGwHs7UbiBL/9066kgzZMrisOoGWRE8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=GSagb/k+9bkXpggtOpnM6RjR1fn3nwE0nfOAtriXnUQbS+rPgbEYOAwgQNg6+qD7p +4An4MpR4QatamSZ9SafMOtDuI2VszVmRGe/kLsizJEO0zLEYrFX7c+Q8F+t6hcXQy AyZyWbx+W87D9e/eCACUwcDALT2itL+CVZxqoGNo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Oliver Neukum , Johan Hovold Subject: [PATCH 5.10 03/83] USB: cdc-acm: fix racy tty buffer accesses Date: Mon, 11 Oct 2021 15:45:23 +0200 Message-Id: <20211011134508.482422799@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20211011134508.362906295@linuxfoundation.org> References: <20211011134508.362906295@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johan Hovold commit 65a205e6113506e69a503b61d97efec43fc10fd7 upstream. A recent change that started reporting break events to the line discipline caused the tty-buffer insertions to no longer be serialised by inserting events also from the completion handler for the interrupt endpoint. Completion calls for distinct endpoints are not guaranteed to be serialised. For example, in case a host-controller driver uses bottom-half completion, the interrupt and bulk-in completion handlers can end up running in parallel on two CPUs (high-and low-prio tasklets, respectively) thereby breaking the tty layer's single producer assumption. Fix this by holding the read lock also when inserting characters from the bulk endpoint. Fixes: 08dff274edda ("cdc-acm: fix BREAK rx code path adding necessary calls") Cc: stable@vger.kernel.org Acked-by: Oliver Neukum Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210929090937.7410-2-johan@kernel.org Signed-off-by: Greg Kroah-Hartman --- drivers/usb/class/cdc-acm.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/drivers/usb/class/cdc-acm.c +++ b/drivers/usb/class/cdc-acm.c @@ -475,11 +475,16 @@ static int acm_submit_read_urbs(struct a static void acm_process_read_urb(struct acm *acm, struct urb *urb) { + unsigned long flags; + if (!urb->actual_length) return; + spin_lock_irqsave(&acm->read_lock, flags); tty_insert_flip_string(&acm->port, urb->transfer_buffer, urb->actual_length); + spin_unlock_irqrestore(&acm->read_lock, flags); + tty_flip_buffer_push(&acm->port); }