From: Chen Gang <gang.chen@asianux.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
linux-serial@vger.kernel.org, Alan Cox <alan@lxorguk.ukuu.org.uk>
Subject: Re: [Suggestion] drivers/tty: drivers/char/: for MAX_ASYNC_BUFFER_SIZE
Date: Fri, 30 Nov 2012 10:52:38 +0800
Message-ID: <50B81F76.8020508@asianux.com>
In-Reply-To: <20121129183207.GA4688@kroah.com>

On 2012-11-30 02:32, Greg KH wrote:
> On Thu, Nov 29, 2012 at 01:57:59PM +0800, Chen Gang wrote:
>>> And, I really don't understand here, why do you want to change this?
>>> What is it going to change? And why?
>>>
>>
>> Why:
>> for the context MGSLPC_INFO *info in drivers/char/pcmcia/synclink_cs.c
>> info->max_frame_size can be the value between 4096 .. 65535 (can be
>> set by its module input parameter)
>> info->flag_buf length is 4096 (MAX_ASYNC_BUFFER_SIZE)
>> in function rx_get_frame
>> the framesize is limited by info->max_frame_size, but may still be
>> larger than 4096.
>> when calling function ldisc_receive_buf, info->flag_buf is equal to
>> 4096, but framesize can be more than 4096. it will cause memory overflow.
>
> Do you use that pcmcia driver for anything? Are those cards still
> around?

I do not use them.
I am just doing code review (so it is only a suggestion).

This issue affects 4 synclink drivers.
I checked their source code; all of them have the same issue.

  drivers/char/pcmcia/synclink_cs.c:213: char flag_buf[MAX_ASYNC_BUFFER_SIZE];
  drivers/tty/synclink_gt.c:320: char flag_buf[MAX_ASYNC_BUFFER_SIZE];
  drivers/tty/synclink.c:294: char flag_buf[MAX_ASYNC_BUFFER_SIZE];
  drivers/tty/synclinkmp.c:265: char flag_buf[MAX_ASYNC_BUFFER_SIZE];

By the way, char_buf is already useless (can be removed):

  drivers/tty/synclink_gt.c:321: char char_buf[MAX_ASYNC_BUFFER_SIZE];
  drivers/tty/synclink.c:295: char char_buf[MAX_ASYNC_BUFFER_SIZE];
  drivers/tty/synclinkmp.c:266: char char_buf[MAX_ASYNC_BUFFER_SIZE];

>
>> What:
>> #define MAX_ASYNC_BUFFER_SIZE 0x10000 (instead of 4096, originally).
>> let it match the max frame size.
>>
>> At last:
>> my suggestion may be incorrect; it needs a relevant member (who is an
>> expert about it) to help check.
>
> That driver might be incorrect, yes, care to make up a patch for it and
> test it to verify it fixes the problem?
>

And now Alan Cox has his own opinions.
At least, I think it is valuable to continue discussing it.
If Alan Cox agrees with it (but it seems not), I will make a patch and try to test it.
Other members are also welcome to help with testing.

> thanks,
>
> greg k-h
>
>
--
Chen Gang
Asianux Corporation
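
The size mismatch described in this message, as an added user-space model (not code from the thread or from the synclink drivers). `port_model`, `model_receive`, `rx_unchecked` and `rx_guarded` are hypothetical names, and the receiver is assumed to read one flag byte per data byte.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_ASYNC_BUFFER_SIZE 4096   /* flag_buf size quoted in the message */
#define MAX_FRAME_LIMIT       65535  /* top of the max_frame_size range */

/* Hypothetical stand-in for the per-port state; only the discussed fields. */
struct port_model {
    size_t max_frame_size;                 /* 4096 .. 65535, module parameter */
    char flag_buf[MAX_ASYNC_BUFFER_SIZE];  /* fixed-size flag buffer */
};

static unsigned char frame[MAX_FRAME_LIMIT]; /* constructed receive frame */

/* Assumed receiver model: pairs data[i] with flags[i] for i < count.
 * Returns how many flag reads would land outside the flag buffer; the
 * model counts them instead of performing them. */
size_t model_receive(const unsigned char *data, const char *flags,
                     size_t flags_len, size_t count)
{
    size_t oob = 0;
    volatile unsigned char sink = 0;
    for (size_t i = 0; i < count; i++) {
        sink ^= data[i];
        if (i < flags_len) sink ^= (unsigned char)flags[i];
        else oob++;
    }
    return oob;
}

/* Receive path as described: framesize is capped only by max_frame_size. */
size_t rx_unchecked(struct port_model *p, size_t framesize)
{
    if (framesize > p->max_frame_size) framesize = p->max_frame_size;
    return model_receive(frame, p->flag_buf, sizeof p->flag_buf, framesize);
}

/* Guarded variant: also cap the count at what flag_buf can back. */
size_t rx_guarded(struct port_model *p, size_t framesize)
{
    if (framesize > p->max_frame_size) framesize = p->max_frame_size;
    if (framesize > sizeof p->flag_buf) framesize = sizeof p->flag_buf;
    return model_receive(frame, p->flag_buf, sizeof p->flag_buf, framesize);
}

int main(void)
{
    static struct port_model p = { .max_frame_size = MAX_FRAME_LIMIT };
    printf("unchecked oob=%zu guarded oob=%zu\n",
           rx_unchecked(&p, 65535), rx_guarded(&p, 65535));
    return 0;
}
```

The guard removes the out-of-bounds accesses by truncating the count, which drops frame data; sizing the flag buffer to the maximum frame size, as the message suggests, avoids both.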