lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 16 Mar 2012 13:14:45 -0700
From:	"gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>
To:	"Tu, Xiaobing" <xiaobing.tu@...el.com>, Jiri Slaby <jslaby@...e.cz>
Cc:	"alan@...rguk.ukuu.org.uk" <alan@...rguk.ukuu.org.uk>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"Zhang, Yanmin" <yanmin.zhang@...el.com>,
	"Du, Alek" <alek.du@...el.com>, "Zuo, Jiao" <jiao.zuo@...el.com>
Subject: Re: [PATCH v2] tty: hold lock across tty buffer finding and buffer
 filling

Jiri,

Do you have any objections to me applying the patch below?

thanks,

greg k-h

On Fri, Mar 16, 2012 at 03:00:26AM +0000, Tu, Xiaobing wrote:
> From: Xiaobing Tu <xiaobing.tu@...el.com>
> 
> tty_buffer_request_room is well protected, but while after it returns,
>  it releases the port->lock. tty->buf.tail might be modified
> by either irq handler or other threads. The patch adds more protection
> by holding the lock across tty buffer finding and buffer filling.
> Signed-off-by: Alek Du <alek.du@...el.com>
> Signed-off-by: Xiaobing Tu <xiaobing.tu@...el.com>
> ---
>  drivers/tty/tty_buffer.c |   85 +++++++++++++++++++++++++++++++++++-----------
>  1 files changed, 65 insertions(+), 20 deletions(-)
> 
> diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
> index 6c9b7cd..91e326f 100644
> --- a/drivers/tty/tty_buffer.c
> +++ b/drivers/tty/tty_buffer.c
> @@ -185,25 +185,19 @@ static struct tty_buffer *tty_buffer_find(struct tty_struct *tty, size_t size)
>  	/* Should possibly check if this fails for the largest buffer we
>  	   have queued and recycle that ? */
>  }
> -
>  /**
> - *	tty_buffer_request_room		-	grow tty buffer if needed
> + *	__tty_buffer_request_room		-	grow tty buffer if needed
>   *	@tty: tty structure
>   *	@size: size desired
>   *
>   *	Make at least size bytes of linear space available for the tty
>   *	buffer. If we fail return the size we managed to find.
> - *
> - *	Locking: Takes tty->buf.lock
> + *      Locking: Caller must hold tty->buf.lock
>   */
> -int tty_buffer_request_room(struct tty_struct *tty, size_t size)
> +static int __tty_buffer_request_room(struct tty_struct *tty, size_t size)
>  {
>  	struct tty_buffer *b, *n;
>  	int left;
> -	unsigned long flags;
> -
> -	spin_lock_irqsave(&tty->buf.lock, flags);
> -
>  	/* OPTIMISATION: We could keep a per tty "zero" sized buffer to
>  	   remove this conditional if its worth it. This would be invisible
>  	   to the callers */
> @@ -225,9 +219,30 @@ int tty_buffer_request_room(struct tty_struct *tty, size_t size)
>  			size = left;
>  	}
>  
> -	spin_unlock_irqrestore(&tty->buf.lock, flags);
>  	return size;
>  }
> +
> +
> +/**
> + *	tty_buffer_request_room		-	grow tty buffer if needed
> + *	@tty: tty structure
> + *	@size: size desired
> + *
> + *	Make at least size bytes of linear space available for the tty
> + *	buffer. If we fail return the size we managed to find.
> + *
> + *	Locking: Takes tty->buf.lock
> + */
> +int tty_buffer_request_room(struct tty_struct *tty, size_t size)
> +{
> +	unsigned long flags;
> +	int length;
> +
> +	spin_lock_irqsave(&tty->buf.lock, flags);
> +	length = __tty_buffer_request_room(tty, size);
> +	spin_unlock_irqrestore(&tty->buf.lock, flags);
> +	return length;
> +}
>  EXPORT_SYMBOL_GPL(tty_buffer_request_room);
>  
>  /**
> @@ -249,14 +264,22 @@ int tty_insert_flip_string_fixed_flag(struct tty_struct *tty,
>  	int copied = 0;
>  	do {
>  		int goal = min_t(size_t, size - copied, TTY_BUFFER_PAGE);
> -		int space = tty_buffer_request_room(tty, goal);
> -		struct tty_buffer *tb = tty->buf.tail;
> +		int space;
> +		unsigned long flags;
> +		struct tty_buffer *tb;
> +
> +		spin_lock_irqsave(&tty->buf.lock, flags);
> +		space = __tty_buffer_request_room(tty, goal);
> +		tb = tty->buf.tail;
>  		/* If there is no space then tb may be NULL */
> -		if (unlikely(space == 0))
> +		if (unlikely(space == 0)) {
> +			spin_unlock_irqrestore(&tty->buf.lock, flags);
>  			break;
> +		}
>  		memcpy(tb->char_buf_ptr + tb->used, chars, space);
>  		memset(tb->flag_buf_ptr + tb->used, flag, space);
>  		tb->used += space;
> +		spin_unlock_irqrestore(&tty->buf.lock, flags);
>  		copied += space;
>  		chars += space;
>  		/* There is a small chance that we need to split the data over
> @@ -286,14 +309,22 @@ int tty_insert_flip_string_flags(struct tty_struct *tty,
>  	int copied = 0;
>  	do {
>  		int goal = min_t(size_t, size - copied, TTY_BUFFER_PAGE);
> -		int space = tty_buffer_request_room(tty, goal);
> -		struct tty_buffer *tb = tty->buf.tail;
> +		int space;
> +		unsigned long __flags;
> +		struct tty_buffer *tb;
> +
> +		spin_lock_irqsave(&tty->buf.lock, __flags);
> +		space = __tty_buffer_request_room(tty, goal);
> +		tb = tty->buf.tail;
>  		/* If there is no space then tb may be NULL */
> -		if (unlikely(space == 0))
> +		if (unlikely(space == 0)) {
> +			spin_unlock_irqrestore(&tty->buf.lock, __flags);
>  			break;
> +		}
>  		memcpy(tb->char_buf_ptr + tb->used, chars, space);
>  		memcpy(tb->flag_buf_ptr + tb->used, flags, space);
>  		tb->used += space;
> +		spin_unlock_irqrestore(&tty->buf.lock, __flags);
>  		copied += space;
>  		chars += space;
>  		flags += space;
> @@ -344,13 +375,20 @@ EXPORT_SYMBOL(tty_schedule_flip);
>  int tty_prepare_flip_string(struct tty_struct *tty, unsigned char **chars,
>  								size_t size)
>  {
> -	int space = tty_buffer_request_room(tty, size);
> +	int space;
> +	unsigned long flags;
> +	struct tty_buffer *tb;
> +
> +	spin_lock_irqsave(&tty->buf.lock, flags);
> +	space = __tty_buffer_request_room(tty, size);
> +
> +	tb = tty->buf.tail;
>  	if (likely(space)) {
> -		struct tty_buffer *tb = tty->buf.tail;
>  		*chars = tb->char_buf_ptr + tb->used;
>  		memset(tb->flag_buf_ptr + tb->used, TTY_NORMAL, space);
>  		tb->used += space;
>  	}
> +	spin_unlock_irqrestore(&tty->buf.lock, flags);
>  	return space;
>  }
>  EXPORT_SYMBOL_GPL(tty_prepare_flip_string);
> @@ -374,13 +412,20 @@ EXPORT_SYMBOL_GPL(tty_prepare_flip_string);
>  int tty_prepare_flip_string_flags(struct tty_struct *tty,
>  			unsigned char **chars, char **flags, size_t size)
>  {
> -	int space = tty_buffer_request_room(tty, size);
> +	int space;
> +	unsigned long __flags;
> +	struct tty_buffer *tb;
> +
> +	spin_lock_irqsave(&tty->buf.lock, __flags);
> +	space = __tty_buffer_request_room(tty, size);
> +
> +	tb = tty->buf.tail;
>  	if (likely(space)) {
> -		struct tty_buffer *tb = tty->buf.tail;
>  		*chars = tb->char_buf_ptr + tb->used;
>  		*flags = tb->flag_buf_ptr + tb->used;
>  		tb->used += space;
>  	}
> +	spin_unlock_irqrestore(&tty->buf.lock, __flags);
>  	return space;
>  }
>  EXPORT_SYMBOL_GPL(tty_prepare_flip_string_flags);
> -- 
> 1.7.4.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ