diff options
author | Alan Cox <alan@lxorguk.ukuu.org.uk> | 2006-08-27 04:24:02 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-08-27 14:01:34 -0400 |
commit | 01da5fd83d6b2c5e36b77539f6cbdd8f49849225 (patch) | |
tree | 70c1f1cb8325fe4801b952346bd2ef79d08882b5 | |
parent | af9b897ee639d96b2bd29b65b50cd0a1f2b6d6c9 (diff) |
[PATCH] Fix tty layer DoS and comment relevant code
Unlike the other tty comment patch this one has code changes. Specifically
it limits the queue size for a tty to 64K characters (128Kbytes) worst case
even if the tty is ignoring tty->throttle. This is because certain drivers
don't honour the throttle value correctly, although it is a useful
safeguard anyway.
Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r-- | drivers/char/tty_io.c | 89 | ||||
-rw-r--r-- | include/linux/tty.h | 1 |
2 files changed, 80 insertions, 10 deletions
diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c index 2cef982585f0..bb0d9199e994 100644 --- a/drivers/char/tty_io.c +++ b/drivers/char/tty_io.c | |||
@@ -275,6 +275,17 @@ static int check_tty_count(struct tty_struct *tty, const char *routine) | |||
275 | * Locking: none | 275 | * Locking: none |
276 | */ | 276 | */ |
277 | 277 | ||
278 | |||
279 | /** | ||
280 | * tty_buffer_free_all - free buffers used by a tty | ||
281 | * @tty: tty to free from | ||
282 | * | ||
283 | * Remove all the buffers pending on a tty whether queued with data | ||
284 | * or in the free ring. Must be called when the tty is no longer in use | ||
285 | * | ||
286 | * Locking: none | ||
287 | */ | ||
288 | |||
278 | static void tty_buffer_free_all(struct tty_struct *tty) | 289 | static void tty_buffer_free_all(struct tty_struct *tty) |
279 | { | 290 | { |
280 | struct tty_buffer *thead; | 291 | struct tty_buffer *thead; |
@@ -287,19 +298,47 @@ static void tty_buffer_free_all(struct tty_struct *tty) | |||
287 | kfree(thead); | 298 | kfree(thead); |
288 | } | 299 | } |
289 | tty->buf.tail = NULL; | 300 | tty->buf.tail = NULL; |
301 | tty->buf.memory_used = 0; | ||
290 | } | 302 | } |
291 | 303 | ||
304 | /** | ||
305 | * tty_buffer_init - prepare a tty buffer structure | ||
306 | * @tty: tty to initialise | ||
307 | * | ||
308 | * Set up the initial state of the buffer management for a tty device. | ||
309 | * Must be called before the other tty buffer functions are used. | ||
310 | * | ||
311 | * Locking: none | ||
312 | */ | ||
313 | |||
292 | static void tty_buffer_init(struct tty_struct *tty) | 314 | static void tty_buffer_init(struct tty_struct *tty) |
293 | { | 315 | { |
294 | spin_lock_init(&tty->buf.lock); | 316 | spin_lock_init(&tty->buf.lock); |
295 | tty->buf.head = NULL; | 317 | tty->buf.head = NULL; |
296 | tty->buf.tail = NULL; | 318 | tty->buf.tail = NULL; |
297 | tty->buf.free = NULL; | 319 | tty->buf.free = NULL; |
320 | tty->buf.memory_used = 0; | ||
298 | } | 321 | } |
299 | 322 | ||
300 | static struct tty_buffer *tty_buffer_alloc(size_t size) | 323 | /** |
324 | * tty_buffer_alloc - allocate a tty buffer | ||
325 | * @tty: tty device | ||
326 | * @size: desired size (characters) | ||
327 | * | ||
328 | * Allocate a new tty buffer to hold the desired number of characters. | ||
329 | * Return NULL if out of memory or the allocation would exceed the | ||
330 | * per device queue | ||
331 | * | ||
332 | * Locking: Caller must hold tty->buf.lock | ||
333 | */ | ||
334 | |||
335 | static struct tty_buffer *tty_buffer_alloc(struct tty_struct *tty, size_t size) | ||
301 | { | 336 | { |
302 | struct tty_buffer *p = kmalloc(sizeof(struct tty_buffer) + 2 * size, GFP_ATOMIC); | 337 | struct tty_buffer *p; |
338 | |||
339 | if (tty->buf.memory_used + size > 65536) | ||
340 | return NULL; | ||
341 | p = kmalloc(sizeof(struct tty_buffer) + 2 * size, GFP_ATOMIC); | ||
303 | if(p == NULL) | 342 | if(p == NULL) |
304 | return NULL; | 343 | return NULL; |
305 | p->used = 0; | 344 | p->used = 0; |
@@ -309,17 +348,27 @@ static struct tty_buffer *tty_buffer_alloc(size_t size) | |||
309 | p->read = 0; | 348 | p->read = 0; |
310 | p->char_buf_ptr = (char *)(p->data); | 349 | p->char_buf_ptr = (char *)(p->data); |
311 | p->flag_buf_ptr = (unsigned char *)p->char_buf_ptr + size; | 350 | p->flag_buf_ptr = (unsigned char *)p->char_buf_ptr + size; |
312 | /* printk("Flip create %p\n", p); */ | 351 | tty->buf.memory_used += size; |
313 | return p; | 352 | return p; |
314 | } | 353 | } |
315 | 354 | ||
316 | /* Must be called with the tty_read lock held. This needs to acquire strategy | 355 | /** |
317 | code to decide if we should kfree or relink a given expired buffer */ | 356 | * tty_buffer_free - free a tty buffer |
357 | * @tty: tty owning the buffer | ||
358 | * @b: the buffer to free | ||
359 | * | ||
360 | * Free a tty buffer, or add it to the free list according to our | ||
361 | * internal strategy | ||
362 | * | ||
363 | * Locking: Caller must hold tty->buf.lock | ||
364 | */ | ||
318 | 365 | ||
319 | static void tty_buffer_free(struct tty_struct *tty, struct tty_buffer *b) | 366 | static void tty_buffer_free(struct tty_struct *tty, struct tty_buffer *b) |
320 | { | 367 | { |
321 | /* Dumb strategy for now - should keep some stats */ | 368 | /* Dumb strategy for now - should keep some stats */ |
322 | /* printk("Flip dispose %p\n", b); */ | 369 | tty->buf.memory_used -= b->size; |
370 | WARN_ON(tty->buf.memory_used < 0); | ||
371 | |||
323 | if(b->size >= 512) | 372 | if(b->size >= 512) |
324 | kfree(b); | 373 | kfree(b); |
325 | else { | 374 | else { |
@@ -328,6 +377,18 @@ static void tty_buffer_free(struct tty_struct *tty, struct tty_buffer *b) | |||
328 | } | 377 | } |
329 | } | 378 | } |
330 | 379 | ||
380 | /** | ||
381 | * tty_buffer_find - find a free tty buffer | ||
382 | * @tty: tty owning the buffer | ||
383 | * @size: characters wanted | ||
384 | * | ||
385 | * Locate an existing suitable tty buffer or if we are lacking one then | ||
386 | * allocate a new one. We round our buffers off in 256 character chunks | ||
387 | * to get better allocation behaviour. | ||
388 | * | ||
389 | * Locking: Caller must hold tty->buf.lock | ||
390 | */ | ||
391 | |||
331 | static struct tty_buffer *tty_buffer_find(struct tty_struct *tty, size_t size) | 392 | static struct tty_buffer *tty_buffer_find(struct tty_struct *tty, size_t size) |
332 | { | 393 | { |
333 | struct tty_buffer **tbh = &tty->buf.free; | 394 | struct tty_buffer **tbh = &tty->buf.free; |
@@ -339,20 +400,28 @@ static struct tty_buffer *tty_buffer_find(struct tty_struct *tty, size_t size) | |||
339 | t->used = 0; | 400 | t->used = 0; |
340 | t->commit = 0; | 401 | t->commit = 0; |
341 | t->read = 0; | 402 | t->read = 0; |
342 | /* DEBUG ONLY */ | 403 | tty->buf.memory_used += t->size; |
343 | /* memset(t->data, '*', size); */ | ||
344 | /* printk("Flip recycle %p\n", t); */ | ||
345 | return t; | 404 | return t; |
346 | } | 405 | } |
347 | tbh = &((*tbh)->next); | 406 | tbh = &((*tbh)->next); |
348 | } | 407 | } |
349 | /* Round the buffer size out */ | 408 | /* Round the buffer size out */ |
350 | size = (size + 0xFF) & ~ 0xFF; | 409 | size = (size + 0xFF) & ~ 0xFF; |
351 | return tty_buffer_alloc(size); | 410 | return tty_buffer_alloc(tty, size); |
352 | /* Should possibly check if this fails for the largest buffer we | 411 | /* Should possibly check if this fails for the largest buffer we |
353 | have queued and recycle that ? */ | 412 | have queued and recycle that ? */ |
354 | } | 413 | } |
355 | 414 | ||
415 | /** | ||
416 | * tty_buffer_request_room - grow tty buffer if needed | ||
417 | * @tty: tty structure | ||
418 | * @size: size desired | ||
419 | * | ||
420 | * Make at least size bytes of linear space available for the tty | ||
421 | * buffer. If we fail return the size we managed to find. | ||
422 | * | ||
423 | * Locking: Takes tty->buf.lock | ||
424 | */ | ||
356 | int tty_buffer_request_room(struct tty_struct *tty, size_t size) | 425 | int tty_buffer_request_room(struct tty_struct *tty, size_t size) |
357 | { | 426 | { |
358 | struct tty_buffer *b, *n; | 427 | struct tty_buffer *b, *n; |
diff --git a/include/linux/tty.h b/include/linux/tty.h index e421d5e34818..04827ca65781 100644 --- a/include/linux/tty.h +++ b/include/linux/tty.h | |||
@@ -59,6 +59,7 @@ struct tty_bufhead { | |||
59 | struct tty_buffer *head; /* Queue head */ | 59 | struct tty_buffer *head; /* Queue head */ |
60 | struct tty_buffer *tail; /* Active buffer */ | 60 | struct tty_buffer *tail; /* Active buffer */ |
61 | struct tty_buffer *free; /* Free queue head */ | 61 | struct tty_buffer *free; /* Free queue head */ |
62 | int memory_used; /* Buffer space used excluding free queue */ | ||
62 | }; | 63 | }; |
63 | /* | 64 | /* |
64 | * The pty uses char_buf and flag_buf as a contiguous buffer | 65 | * The pty uses char_buf and flag_buf as a contiguous buffer |