lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <50AEB10D.3050909@ilyx.ru>
Date:	Fri, 23 Nov 2012 03:11:09 +0400
From:	Ilya Zykov <ilya@...x.ru>
To:	linux-kernel@...r.kernel.org
Subject: [PATCH v2] tty: Add driver unthrottle in ioctl(...,TCFLSH,..).

Regression 'tty: fix "IRQ45: nobody cared"'
Regression commit 7b292b4bf9a9d6098440d85616d6ca4c608b8304

  Function reset_buffer_flags() also invoked during the ioctl(...,TCFLSH,..). 
At the time of request we can have full buffers and throttled driver too. 
If we don't unthrottle driver, we can get forever throttled driver, because,
after request, we will have empty buffers and throttled driver and 
there is no place to unthrottle driver.
It simple reproduce with "pty" pair then one side sleep on tty->write_wait,
and other side do ioctl(...,TCFLSH,..). Then there is no place to do writers wake up.

About 'tty: fix "IRQ45: nobody cared"':
  We don't call tty_unthrottle() if release last filp - ('tty->count == 0')
In other case it must be safely. 

Unfortunately, many drivers indirectly invoke tty_unthrottle() before TTY LAYER
decremented (tty->count).
  This Patch help us catch bugs in tty's drivers and invoke tty_unthrottle()
in right moment only.

Signed-off-by: Ilya Zykov <ilya@...x.ru>
---

diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index 26f0d0e..f20b44a 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -173,6 +173,13 @@ static void reset_buffer_flags(struct tty_struct *tty)
 {
 	unsigned long flags;
 
+	WARN_ON(tty->drvbug);
+	/*
+	 * We should not call this method from driver's close function.
+	 * It will be called by TTY layer later.
+	 */
+	if (tty->drvbug)
+		return;
 	spin_lock_irqsave(&tty->read_lock, flags);
 	tty->read_head = tty->read_tail = tty->read_cnt = 0;
 	spin_unlock_irqrestore(&tty->read_lock, flags);
@@ -184,6 +191,7 @@ static void reset_buffer_flags(struct tty_struct *tty)
 	tty->canon_head = tty->canon_data = tty->erasing = 0;
 	memset(&tty->read_flags, 0, sizeof tty->read_flags);
 	n_tty_set_room(tty);
+	check_unthrottle(tty);
 }
 
 /**
@@ -1585,7 +1593,6 @@ static int n_tty_open(struct tty_struct *tty)
 			return -ENOMEM;
 	}
 	reset_buffer_flags(tty);
-	tty_unthrottle(tty);
 	tty->column = 0;
 	n_tty_set_termios(tty, NULL);
 	tty->minimum_to_wake = 1;
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index b425c79..0cd2370 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -1649,8 +1649,10 @@ int tty_release(struct inode *inode, struct file *filp)
 			tty_name(tty, buf), tty->count);
 #endif
 
+	tty->drvbug = 1;
 	if (tty->ops->close)
 		tty->ops->close(tty, filp);
+	tty->drvbug = 0;
 
 	tty_unlock();
 	/*
diff --git a/include/linux/tty.h b/include/linux/tty.h
index ed1e82e..01455b6 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -281,7 +281,7 @@ struct tty_struct {
 	int count;
 	struct winsize winsize;		/* termios mutex */
 	unsigned char stopped:1, hw_stopped:1, flow_stopped:1, packet:1;
-	unsigned char low_latency:1, warned:1;
+	unsigned char low_latency:1, warned:1, drvbug:1;
 	unsigned char ctrl_status;	/* ctrl_lock */
 	unsigned int receive_room;	/* Bytes free for queue */



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ