commit 42fd552e8647316757ded0176466c41d17934dcf

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

fix serial buffer memory leak

Patch c5c34d4862e18ef07c1276d233507f540fb5a532 (tty: flush flip buffer on
ldisc input queue flush) introduces a race condition which can lead to memory
leaks.

The problem can be triggered when tcflush() is called when data are being
pushed to the line discipline driver by flush_to_ldisc().

flush_to_ldisc() releases tty->buf.lock when calling the line discipline
receive_buf function. At that poing tty_buffer_flush() kicks in and sets both
tty->buf.head and tty->buf.tail to NULL. When flush_to_ldisc() finishes, it
restores tty->buf.head but doesn't touch tty->buf.tail. This corrups the
buffer queue, and the next call to tty_buffer_request_room() will allocate a
new buffer and overwrite tty->buf.head. The previous buffer is then lost
forever without being released.

(Thanks to Laurent for the above text, for finding, disgnosing and reporting
the bug)

- Use tty->flags bits for the flush status.

- Wait for the flag to clear again before returning

- Fix the doc error noted

- Fix flush of empty queue leaving stale flushpending

[akpm@linux-foundation.org: cleanup]
Signed-off-by: Alan Cox <alan@redhat.com>
Acked-by: Paul Fulghum <paulkf@microgate.com>
Cc: Laurent Pinchart <laurentp@cse-semaphore.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Alan Cox and committed by

Linus Torvalds 18 years ago 42fd552e f8a74594

+54 -8

2 changed files

expand all

unified split

drivers

char

tty_io.c

include

linux

tty.h

+52 -8

drivers/char/tty_io.c

··· 369 } 370 371 /** 372 * tty_buffer_flush - flush full tty buffers 373 * @tty: tty to flush 374 * 375 - * flush all the buffers containing receive data 376 * 377 * Locking: none 378 */ 379 380 static void tty_buffer_flush(struct tty_struct *tty) 381 { 382 - struct tty_buffer *thead; 383 unsigned long flags; 384 - 385 spin_lock_irqsave(&tty->buf.lock, flags); 386 - while((thead = tty->buf.head) != NULL) { 387 - tty->buf.head = thead->next; 388 - tty_buffer_free(tty, thead); 389 - } 390 - tty->buf.tail = NULL; 391 spin_unlock_irqrestore(&tty->buf.lock, flags); 392 } 393 ··· 3623 return; 3624 3625 spin_lock_irqsave(&tty->buf.lock, flags); 3626 head = tty->buf.head; 3627 if (head != NULL) { 3628 tty->buf.head = NULL; ··· 3637 tty_buffer_free(tty, tbuf); 3638 continue; 3639 } 3640 if (!tty->receive_room) { 3641 schedule_delayed_work(&tty->buf.work, 1); 3642 break; ··· 3655 disc->receive_buf(tty, char_buf, flag_buf, count); 3656 spin_lock_irqsave(&tty->buf.lock, flags); 3657 } 3658 tty->buf.head = head; 3659 } 3660 spin_unlock_irqrestore(&tty->buf.lock, flags); 3661 3662 tty_ldisc_deref(disc);

··· 369 } 370 371 /** 372 + * __tty_buffer_flush - flush full tty buffers 373 + * @tty: tty to flush 374 + * 375 + * flush all the buffers containing receive data. Caller must 376 + * hold the buffer lock and must have ensured no parallel flush to 377 + * ldisc is running. 378 + * 379 + * Locking: Caller must hold tty->buf.lock 380 + */ 381 + 382 + static void __tty_buffer_flush(struct tty_struct *tty) 383 + { 384 + struct tty_buffer *thead; 385 + 386 + while((thead = tty->buf.head) != NULL) { 387 + tty->buf.head = thead->next; 388 + tty_buffer_free(tty, thead); 389 + } 390 + tty->buf.tail = NULL; 391 + } 392 + 393 + /** 394 * tty_buffer_flush - flush full tty buffers 395 * @tty: tty to flush 396 * 397 + * flush all the buffers containing receive data. If the buffer is 398 + * being processed by flush_to_ldisc then we defer the processing 399 + * to that function 400 * 401 * Locking: none 402 */ 403 404 static void tty_buffer_flush(struct tty_struct *tty) 405 { 406 unsigned long flags; 407 spin_lock_irqsave(&tty->buf.lock, flags); 408 + 409 + /* If the data is being pushed to the tty layer then we can't 410 + process it here. Instead set a flag and the flush_to_ldisc 411 + path will process the flush request before it exits */ 412 + if (test_bit(TTY_FLUSHING, &tty->flags)) { 413 + set_bit(TTY_FLUSHPENDING, &tty->flags); 414 + spin_unlock_irqrestore(&tty->buf.lock, flags); 415 + wait_event(tty->read_wait, 416 + test_bit(TTY_FLUSHPENDING, &tty->flags) == 0); 417 + return; 418 + } else 419 + __tty_buffer_flush(tty); 420 spin_unlock_irqrestore(&tty->buf.lock, flags); 421 } 422 ··· 3594 return; 3595 3596 spin_lock_irqsave(&tty->buf.lock, flags); 3597 + set_bit(TTY_FLUSHING, &tty->flags); /* So we know a flush is running */ 3598 head = tty->buf.head; 3599 if (head != NULL) { 3600 tty->buf.head = NULL; ··· 3607 tty_buffer_free(tty, tbuf); 3608 continue; 3609 } 3610 + /* Ldisc or user is trying to flush the buffers 3611 + we are feeding to the ldisc, stop feeding the 3612 + line discipline as we want to empty the queue */ 3613 + if (test_bit(TTY_FLUSHPENDING, &tty->flags)) 3614 + break; 3615 if (!tty->receive_room) { 3616 schedule_delayed_work(&tty->buf.work, 1); 3617 break; ··· 3620 disc->receive_buf(tty, char_buf, flag_buf, count); 3621 spin_lock_irqsave(&tty->buf.lock, flags); 3622 } 3623 + /* Restore the queue head */ 3624 tty->buf.head = head; 3625 } 3626 + /* We may have a deferred request to flush the input buffer, 3627 + if so pull the chain under the lock and empty the queue */ 3628 + if (test_bit(TTY_FLUSHPENDING, &tty->flags)) { 3629 + __tty_buffer_flush(tty); 3630 + clear_bit(TTY_FLUSHPENDING, &tty->flags); 3631 + wake_up(&tty->read_wait); 3632 + } 3633 + clear_bit(TTY_FLUSHING, &tty->flags); 3634 spin_unlock_irqrestore(&tty->buf.lock, flags); 3635 3636 tty_ldisc_deref(disc);

include/linux/tty.h

··· 274 #define TTY_PTY_LOCK 16 /* pty private */ 275 #define TTY_NO_WRITE_SPLIT 17 /* Preserve write boundaries to driver */ 276 #define TTY_HUPPED 18 /* Post driver->hangup() */ 277 + #define TTY_FLUSHING 19 /* Flushing to ldisc in progress */ 278 + #define TTY_FLUSHPENDING 20 /* Queued buffer flush pending */ 279 280 #define TTY_WRITE_FLUSH(tty) tty_write_flush((tty)) 281