On Thu, May 11, 2023 at 03:32:43PM +0300, Ilpo Järvinen wrote:
> If userspace races tcsetattr() with a write, the drained condition
> might not be guaranteed by the kernel. There is a race window after
> checking Tx is empty before tty_set_termios() takes termios_rwsem for
> write. During that race window, more characters can be queued by a
> racing writer.
>
> Any ongoing transmission might produce garbage during HW's
> ->set_termios() call. The intent of TCSADRAIN/FLUSH seems to be
> preventing such a character corruption. If those flags are set, take
> tty's write lock to stop any writer before performing the lower layer
> Tx empty check and wait for the pending characters to be sent (if any).
>
> The initial wait for all-writers-done must be placed outside of tty's
> write lock to avoid deadlock which makes it impossible to use
> tty_wait_until_sent(). The write lock is retried if a racing write is
> detected.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@xxxxxxxxxxxxxxx>
> Link: https://lore.kernel.org/r/20230317113318.31327-2-ilpo.jarvinen@xxxxxxxxxxxxxxx
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> (cherry picked from commit 094fb49a2d0d6827c86d2e0840873e6db0c491d2)
> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@xxxxxxxxxxxxxxx>
> ---
> drivers/tty/tty_io.c | 4 ++--
> drivers/tty/tty_ioctl.c | 45 ++++++++++++++++++++++++++++++-----------
> include/linux/tty.h | 2 ++
> 3 files changed, 37 insertions(+), 14 deletions(-)
Didn't apply to 4.14.y :(
But all others it did, so I've queued it up now there, thanks!
greg k-h
