diff options
| author | Alan Cox <alan@lxorguk.ukuu.org.uk> | 2007-08-10 16:01:05 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-08-11 18:47:41 -0400 |
| commit | 42fd552e8647316757ded0176466c41d17934dcf (patch) | |
| tree | 07b0f4ed1934c05c6495c62ba943ab90bde6be84 /drivers/char | |
| parent | f8a745942b1b7f052cb76bb8a893d12cb6329c84 (diff) | |
fix serial buffer memory leak
Patch c5c34d4862e18ef07c1276d233507f540fb5a532 (tty: flush flip buffer on
ldisc input queue flush) introduces a race condition which can lead to memory
leaks.
The problem can be triggered when tcflush() is called when data are being
pushed to the line discipline driver by flush_to_ldisc().
flush_to_ldisc() releases tty->buf.lock when calling the line discipline
receive_buf function. At that poing tty_buffer_flush() kicks in and sets both
tty->buf.head and tty->buf.tail to NULL. When flush_to_ldisc() finishes, it
restores tty->buf.head but doesn't touch tty->buf.tail. This corrups the
buffer queue, and the next call to tty_buffer_request_room() will allocate a
new buffer and overwrite tty->buf.head. The previous buffer is then lost
forever without being released.
(Thanks to Laurent for the above text, for finding, disgnosing and reporting
the bug)
- Use tty->flags bits for the flush status.
- Wait for the flag to clear again before returning
- Fix the doc error noted
- Fix flush of empty queue leaving stale flushpending
[akpm@linux-foundation.org: cleanup]
Signed-off-by: Alan Cox <alan@redhat.com>
Acked-by: Paul Fulghum <paulkf@microgate.com>
Cc: Laurent Pinchart <laurentp@cse-semaphore.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers/char')
| -rw-r--r-- | drivers/char/tty_io.c | 56 |
1 files changed, 50 insertions, 6 deletions
diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c index de37ebc3a4cf..51ea93cab6c4 100644 --- a/drivers/char/tty_io.c +++ b/drivers/char/tty_io.c | |||
| @@ -369,25 +369,54 @@ static void tty_buffer_free(struct tty_struct *tty, struct tty_buffer *b) | |||
| 369 | } | 369 | } |
| 370 | 370 | ||
| 371 | /** | 371 | /** |
| 372 | * tty_buffer_flush - flush full tty buffers | 372 | * __tty_buffer_flush - flush full tty buffers |
| 373 | * @tty: tty to flush | 373 | * @tty: tty to flush |
| 374 | * | 374 | * |
| 375 | * flush all the buffers containing receive data | 375 | * flush all the buffers containing receive data. Caller must |
| 376 | * hold the buffer lock and must have ensured no parallel flush to | ||
| 377 | * ldisc is running. | ||
| 376 | * | 378 | * |
| 377 | * Locking: none | 379 | * Locking: Caller must hold tty->buf.lock |
| 378 | */ | 380 | */ |
| 379 | 381 | ||
| 380 | static void tty_buffer_flush(struct tty_struct *tty) | 382 | static void __tty_buffer_flush(struct tty_struct *tty) |
| 381 | { | 383 | { |
| 382 | struct tty_buffer *thead; | 384 | struct tty_buffer *thead; |
| 383 | unsigned long flags; | ||
| 384 | 385 | ||
| 385 | spin_lock_irqsave(&tty->buf.lock, flags); | ||
| 386 | while((thead = tty->buf.head) != NULL) { | 386 | while((thead = tty->buf.head) != NULL) { |
| 387 | tty->buf.head = thead->next; | 387 | tty->buf.head = thead->next; |
| 388 | tty_buffer_free(tty, thead); | 388 | tty_buffer_free(tty, thead); |
| 389 | } | 389 | } |
| 390 | tty->buf.tail = NULL; | 390 | tty->buf.tail = NULL; |
| 391 | } | ||
| 392 | |||
| 393 | /** | ||
| 394 | * tty_buffer_flush - flush full tty buffers | ||
| 395 | * @tty: tty to flush | ||
| 396 | * | ||
| 397 | * flush all the buffers containing receive data. If the buffer is | ||
| 398 | * being processed by flush_to_ldisc then we defer the processing | ||
| 399 | * to that function | ||
| 400 | * | ||
| 401 | * Locking: none | ||
| 402 | */ | ||
| 403 | |||
| 404 | static void tty_buffer_flush(struct tty_struct *tty) | ||
| 405 | { | ||
| 406 | unsigned long flags; | ||
| 407 | spin_lock_irqsave(&tty->buf.lock, flags); | ||
| 408 | |||
| 409 | /* If the data is being pushed to the tty layer then we can't | ||
| 410 | process it here. Instead set a flag and the flush_to_ldisc | ||
| 411 | path will process the flush request before it exits */ | ||
| 412 | if (test_bit(TTY_FLUSHING, &tty->flags)) { | ||
| 413 | set_bit(TTY_FLUSHPENDING, &tty->flags); | ||
| 414 | spin_unlock_irqrestore(&tty->buf.lock, flags); | ||
| 415 | wait_event(tty->read_wait, | ||
| 416 | test_bit(TTY_FLUSHPENDING, &tty->flags) == 0); | ||
| 417 | return; | ||
| 418 | } else | ||
| 419 | __tty_buffer_flush(tty); | ||
| 391 | spin_unlock_irqrestore(&tty->buf.lock, flags); | 420 | spin_unlock_irqrestore(&tty->buf.lock, flags); |
| 392 | } | 421 | } |
| 393 | 422 | ||
| @@ -3594,6 +3623,7 @@ static void flush_to_ldisc(struct work_struct *work) | |||
| 3594 | return; | 3623 | return; |
| 3595 | 3624 | ||
| 3596 | spin_lock_irqsave(&tty->buf.lock, flags); | 3625 | spin_lock_irqsave(&tty->buf.lock, flags); |
| 3626 | set_bit(TTY_FLUSHING, &tty->flags); /* So we know a flush is running */ | ||
| 3597 | head = tty->buf.head; | 3627 | head = tty->buf.head; |
| 3598 | if (head != NULL) { | 3628 | if (head != NULL) { |
| 3599 | tty->buf.head = NULL; | 3629 | tty->buf.head = NULL; |
| @@ -3607,6 +3637,11 @@ static void flush_to_ldisc(struct work_struct *work) | |||
| 3607 | tty_buffer_free(tty, tbuf); | 3637 | tty_buffer_free(tty, tbuf); |
| 3608 | continue; | 3638 | continue; |
| 3609 | } | 3639 | } |
| 3640 | /* Ldisc or user is trying to flush the buffers | ||
| 3641 | we are feeding to the ldisc, stop feeding the | ||
| 3642 | line discipline as we want to empty the queue */ | ||
| 3643 | if (test_bit(TTY_FLUSHPENDING, &tty->flags)) | ||
| 3644 | break; | ||
| 3610 | if (!tty->receive_room) { | 3645 | if (!tty->receive_room) { |
| 3611 | schedule_delayed_work(&tty->buf.work, 1); | 3646 | schedule_delayed_work(&tty->buf.work, 1); |
| 3612 | break; | 3647 | break; |
| @@ -3620,8 +3655,17 @@ static void flush_to_ldisc(struct work_struct *work) | |||
| 3620 | disc->receive_buf(tty, char_buf, flag_buf, count); | 3655 | disc->receive_buf(tty, char_buf, flag_buf, count); |
| 3621 | spin_lock_irqsave(&tty->buf.lock, flags); | 3656 | spin_lock_irqsave(&tty->buf.lock, flags); |
| 3622 | } | 3657 | } |
| 3658 | /* Restore the queue head */ | ||
| 3623 | tty->buf.head = head; | 3659 | tty->buf.head = head; |
| 3624 | } | 3660 | } |
| 3661 | /* We may have a deferred request to flush the input buffer, | ||
| 3662 | if so pull the chain under the lock and empty the queue */ | ||
| 3663 | if (test_bit(TTY_FLUSHPENDING, &tty->flags)) { | ||
| 3664 | __tty_buffer_flush(tty); | ||
| 3665 | clear_bit(TTY_FLUSHPENDING, &tty->flags); | ||
| 3666 | wake_up(&tty->read_wait); | ||
| 3667 | } | ||
| 3668 | clear_bit(TTY_FLUSHING, &tty->flags); | ||
| 3625 | spin_unlock_irqrestore(&tty->buf.lock, flags); | 3669 | spin_unlock_irqrestore(&tty->buf.lock, flags); |
| 3626 | 3670 | ||
| 3627 | tty_ldisc_deref(disc); | 3671 | tty_ldisc_deref(disc); |