From: Richard Palethorpe <rpalethorpe@xxxxxxxx>
Date: Tue, 21 Jan 2020 14:42:58 +0100

> write_wakeup can happen in parallel with close/hangup where tty->disc_data
> is set to NULL and the netdevice is freed thus also freeing
> disc_data. write_wakeup accesses disc_data so we must prevent close from
> freeing the netdev while write_wakeup has a non-NULL view of
> tty->disc_data.
>
> We also need to make sure that accesses to disc_data are atomic. Which can
> all be done with RCU.
>
> This problem was found by Syzkaller on SLCAN, but the same issue is
> reproducible with the SLIP line discipline using an LTP test based on the
> Syzkaller reproducer.
>
> A fix which didn't use RCU was posted by Hillf Danton.
>
> Fixes: 661f7fda21b1 ("slip: Fix deadlock in write_wakeup")
> Fixes: a8e83b17536a ("slcan: Port write_wakeup deadlock fix from slip")
> Reported-by: syzbot+017e491ae13c0068598a@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Richard Palethorpe <rpalethorpe@xxxxxxxx>

Applied and queued up for -stable, thanks.
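
The ordering described in the quoted commit message, replayed as an added userspace model (not part of the original message and not the patch itself). The struct and function names are constructed for illustration, "freeing" only sets a flag, and the kernel RCU calls named in the comments are an assumption about how such a fix is typically written; the model defers the free where a grace-period wait would block.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed single-threaded model; not kernel code. "Freeing" only sets a flag. */
struct netdev { bool freed; int wakeups; };
struct tty { struct netdev *disc_data; };

static int readers;             /* stand-in for rcu_read_lock() sections in flight */
static struct netdev *deferred; /* netdev whose free waits for readers to drain */

static void read_unlock(void) {
    if (--readers == 0 && deferred) { deferred->freed = true; deferred = NULL; }
}

/* close/hangup: unpublish disc_data, then free at once (old) or after readers. */
static void model_close(struct tty *t, bool use_rcu) {
    struct netdev *d = t->disc_data;
    t->disc_data = NULL;                      /* rcu_assign_pointer(..., NULL) */
    if (!d) return;
    if (use_rcu && readers > 0) deferred = d; /* synchronize_rcu() would block here */
    else d->freed = true;
}

/* Replays: write_wakeup loads disc_data, close runs, write_wakeup uses its view.
 * Returns true if write_wakeup touched a freed netdev. */
bool wakeup_races_close(bool use_rcu, bool *freed_at_end) {
    struct netdev dev = { false, 0 };
    struct tty t = { &dev };
    readers = 0; deferred = NULL;
    if (use_rcu) readers++;                   /* rcu_read_lock() */
    struct netdev *view = t.disc_data;        /* rcu_dereference() when fixed */
    model_close(&t, use_rcu);                 /* close/hangup interleaves here */
    bool uaf = view && view->freed;           /* write_wakeup uses its view */
    if (view && !uaf) view->wakeups++;
    if (use_rcu) read_unlock();               /* rcu_read_unlock() */
    *freed_at_end = dev.freed;
    return uaf;
}

int main(void) {
    bool freed;
    printf("no RCU: use-after-free=%d\n", wakeup_races_close(false, &freed));
    printf("RCU:    use-after-free=%d\n", wakeup_races_close(true, &freed));
    return 0;
}
```

In both runs the netdev ends up freed; the difference is only whether that happens while write_wakeup still holds its view of disc_data.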