tty: protect tty_write from odd low-level tty disciplines

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Al root-caused a new warning from syzbot to the ttyprintk tty driver
returning a write count larger than the data the tty layer actually gave
it. Which confused the tty write code mightily, and with the new
iov_iter based code, caused a WARNING in iov_iter_revert().

syzbot correctly bisected the source of the new warning to commit
9bb48c82aced ("tty: implement write_iter"), but the oddity goes back
much further, it just didn't get caught by anything before.

Reported-by: syzbot+3d2c27c2b7dc2a94814d@syzkaller.appspotmail.com
Fixes: 9bb48c82aced ("tty: implement write_iter")
Debugged-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Linus Torvalds 5 years ago 3342ff26 2c405d1a

+4 -1

1 changed file

expand all

drivers

tty

tty_io.c

+4 -1

drivers/tty/tty_io.c

··· 962 962 if (ret <= 0) 963 963 break; 964 964 965 + written += ret; 966 + if (ret > size) 967 + break; 968 + 965 969 /* FIXME! Have Al check this! */ 966 970 if (ret != size) 967 971 iov_iter_revert(from, size-ret); 968 972 969 - written += ret; 970 973 count -= ret; 971 974 if (!count) 972 975 break;