+32 -23

drivers/tty/n_tty.c

··· 124 124 struct mutex output_lock; 125 125 }; 126 126 127 127 + #define MASK(x) ((x) & (N_TTY_BUF_SIZE - 1)) 128 128 + 127 129 static inline size_t read_cnt(struct n_tty_data *ldata) 128 130 { 129 131 return ldata->read_head - ldata->read_tail; ··· 143 141 144 142 static inline unsigned char echo_buf(struct n_tty_data *ldata, size_t i) 145 143 { 144 144 + smp_rmb(); /* Matches smp_wmb() in add_echo_byte(). */ 146 145 return ldata->echo_buf[i & (N_TTY_BUF_SIZE - 1)]; 147 146 } 148 147 ··· 319 316 static void reset_buffer_flags(struct n_tty_data *ldata) 320 317 { 321 318 ldata->read_head = ldata->canon_head = ldata->read_tail = 0; 322 322 - ldata->echo_head = ldata->echo_tail = ldata->echo_commit = 0; 323 319 ldata->commit_head = 0; 324 324 - ldata->echo_mark = 0; 325 320 ldata->line_start = 0; 326 321 327 322 ldata->erasing = 0; ··· 618 617 old_space = space = tty_write_room(tty); 619 618 620 619 tail = ldata->echo_tail; 621 621 - while (ldata->echo_commit != tail) { 620 620 + while (MASK(ldata->echo_commit) != MASK(tail)) { 622 621 c = echo_buf(ldata, tail); 623 622 if (c == ECHO_OP_START) { 624 623 unsigned char op; 625 624 int no_space_left = 0; 626 625 626 626 + /* 627 627 + * Since add_echo_byte() is called without holding 628 628 + * output_lock, we might see only portion of multi-byte 629 629 + * operation. 630 630 + */ 631 631 + if (MASK(ldata->echo_commit) == MASK(tail + 1)) 632 632 + goto not_yet_stored; 627 633 /* 628 634 * If the buffer byte is the start of a multi-byte 629 635 * operation, get the next byte, which is either the ··· 642 634 unsigned int num_chars, num_bs; 643 635 644 636 case ECHO_OP_ERASE_TAB: 637 637 + if (MASK(ldata->echo_commit) == MASK(tail + 2)) 638 638 + goto not_yet_stored; 645 639 num_chars = echo_buf(ldata, tail + 2); 646 640 647 641 /* ··· 738 728 /* If the echo buffer is nearly full (so that the possibility exists 739 729 * of echo overrun before the next commit), then discard enough 740 730 * data at the tail to prevent a subsequent overrun */ 741 741 - while (ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) { 731 731 + while (ldata->echo_commit > tail && 732 732 + ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) { 742 733 if (echo_buf(ldata, tail) == ECHO_OP_START) { 743 734 if (echo_buf(ldata, tail + 1) == ECHO_OP_ERASE_TAB) 744 735 tail += 3; ··· 749 738 tail++; 750 739 } 751 740 741 741 + not_yet_stored: 752 742 ldata->echo_tail = tail; 753 743 return old_space - space; 754 744 } ··· 760 748 size_t nr, old, echoed; 761 749 size_t head; 762 750 751 751 + mutex_lock(&ldata->output_lock); 763 752 head = ldata->echo_head; 764 753 ldata->echo_mark = head; 765 754 old = ldata->echo_commit - ldata->echo_tail; ··· 769 756 * is over the threshold (and try again each time another 770 757 * block is accumulated) */ 771 758 nr = head - ldata->echo_tail; 772 772 - if (nr < ECHO_COMMIT_WATERMARK || (nr % ECHO_BLOCK > old % ECHO_BLOCK)) 759 759 + if (nr < ECHO_COMMIT_WATERMARK || 760 760 + (nr % ECHO_BLOCK > old % ECHO_BLOCK)) { 761 761 + mutex_unlock(&ldata->output_lock); 773 762 return; 763 763 + } 774 764 775 775 - mutex_lock(&ldata->output_lock); 776 765 ldata->echo_commit = head; 777 766 echoed = __process_echoes(tty); 778 767 mutex_unlock(&ldata->output_lock); ··· 825 810 826 811 static inline void add_echo_byte(unsigned char c, struct n_tty_data *ldata) 827 812 { 828 828 - *echo_buf_addr(ldata, ldata->echo_head++) = c; 813 813 + *echo_buf_addr(ldata, ldata->echo_head) = c; 814 814 + smp_wmb(); /* Matches smp_rmb() in echo_buf(). */ 815 815 + ldata->echo_head++; 829 816 } 830 817 831 818 /** ··· 995 978 } 996 979 997 980 seen_alnums = 0; 998 998 - while (ldata->read_head != ldata->canon_head) { 981 981 + while (MASK(ldata->read_head) != MASK(ldata->canon_head)) { 999 982 head = ldata->read_head; 1000 983 1001 984 /* erase a single possibly multibyte character */ 1002 985 do { 1003 986 head--; 1004 987 c = read_buf(ldata, head); 1005 1005 - } while (is_continuation(c, tty) && head != ldata->canon_head); 988 988 + } while (is_continuation(c, tty) && 989 989 + MASK(head) != MASK(ldata->canon_head)); 1006 990 1007 991 /* do not partially erase */ 1008 992 if (is_continuation(c, tty)) ··· 1045 1027 * This info is used to go back the correct 1046 1028 * number of columns. 1047 1029 */ 1048 1048 - while (tail != ldata->canon_head) { 1030 1030 + while (MASK(tail) != MASK(ldata->canon_head)) { 1049 1031 tail--; 1050 1032 c = read_buf(ldata, tail); 1051 1033 if (c == '\t') { ··· 1320 1302 finish_erasing(ldata); 1321 1303 echo_char(c, tty); 1322 1304 echo_char_raw('\n', ldata); 1323 1323 - while (tail != ldata->read_head) { 1305 1305 + while (MASK(tail) != MASK(ldata->read_head)) { 1324 1306 echo_char(read_buf(ldata, tail), tty); 1325 1307 tail++; 1326 1308 } ··· 1896 1878 struct n_tty_data *ldata; 1897 1879 1898 1880 /* Currently a malloc failure here can panic */ 1899 1899 - ldata = vmalloc(sizeof(*ldata)); 1881 1881 + ldata = vzalloc(sizeof(*ldata)); 1900 1882 if (!ldata) 1901 1901 - goto err; 1883 1883 + return -ENOMEM; 1902 1884 1903 1885 ldata->overrun_time = jiffies; 1904 1886 mutex_init(&ldata->atomic_read_lock); 1905 1887 mutex_init(&ldata->output_lock); 1906 1888 1907 1889 tty->disc_data = ldata; 1908 1908 - reset_buffer_flags(tty->disc_data); 1909 1909 - ldata->column = 0; 1910 1910 - ldata->canon_column = 0; 1911 1911 - ldata->num_overrun = 0; 1912 1912 - ldata->no_room = 0; 1913 1913 - ldata->lnext = 0; 1914 1890 tty->closing = 0; 1915 1891 /* indicate buffer work may resume */ 1916 1892 clear_bit(TTY_LDISC_HALTED, &tty->flags); 1917 1893 n_tty_set_termios(tty, NULL); 1918 1894 tty_unthrottle(tty); 1919 1919 - 1920 1895 return 0; 1921 1921 - err: 1922 1922 - return -ENOMEM; 1923 1896 } 1924 1897 1925 1898 static inline int input_available_p(struct tty_struct *tty, int poll) ··· 2420 2411 tail = ldata->read_tail; 2421 2412 nr = head - tail; 2422 2413 /* Skip EOF-chars.. */ 2423 2423 - while (head != tail) { 2414 2414 + while (MASK(head) != MASK(tail)) { 2424 2415 if (test_bit(tail & (N_TTY_BUF_SIZE - 1), ldata->read_flags) && 2425 2416 read_buf(ldata, tail) == __DISABLED_CHAR) 2426 2417 nr--;

+1

drivers/tty/serdev/core.c

··· 617 617 static void __exit serdev_exit(void) 618 618 { 619 619 bus_unregister(&serdev_bus_type); 620 620 + ida_destroy(&ctrl_ida); 620 621 } 621 622 module_exit(serdev_exit); 622 623

-2

drivers/tty/serial/8250/8250_pci.c

··· 3339 3339 /* multi-io cards handled by parport_serial */ 3340 3340 { PCI_DEVICE(0x4348, 0x7053), }, /* WCH CH353 2S1P */ 3341 3341 { PCI_DEVICE(0x4348, 0x5053), }, /* WCH CH353 1S1P */ 3342 3342 - { PCI_DEVICE(0x4348, 0x7173), }, /* WCH CH355 4S */ 3343 3342 { PCI_DEVICE(0x1c00, 0x3250), }, /* WCH CH382 2S1P */ 3344 3344 - { PCI_DEVICE(0x1c00, 0x3470), }, /* WCH CH384 4S */ 3345 3343 3346 3344 /* Moxa Smartio MUE boards handled by 8250_moxa */ 3347 3345 { PCI_VDEVICE(MOXA, 0x1024), },

+2 -2

drivers/tty/vt/vt.c

··· 784 784 if (!*vc->vc_uni_pagedir_loc) 785 785 con_set_default_unimap(vc); 786 786 787 787 - vc->vc_screenbuf = kmalloc(vc->vc_screenbuf_size, GFP_KERNEL); 787 787 + vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL); 788 788 if (!vc->vc_screenbuf) 789 789 goto err_free; 790 790 ··· 871 871 872 872 if (new_screen_size > (4 << 20)) 873 873 return -EINVAL; 874 874 - newscreen = kmalloc(new_screen_size, GFP_USER); 874 874 + newscreen = kzalloc(new_screen_size, GFP_USER); 875 875 if (!newscreen) 876 876 return -ENOMEM; 877 877