From: Peter Hurley <peter@hurleysoftware.com>
To: Christian Riesch <christian.riesch@omicron.at>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jslaby@suse.cz>,
linux-serial@vger.kernel.org,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
stable <stable@vger.kernel.org>
Subject: Re: [PATCH] n_tty: Fix unordered accesses to lockless read buffer
Date: Thu, 01 Jan 2015 09:06:34 -0500 [thread overview]
Message-ID: <54A5546A.6080804@hurleysoftware.com> (raw)
In-Reply-To: <CABkLObp9jt6y94Ss6H=F2UGm4n1kv9jJU2tJfdg+EUO=e=BVNw@mail.gmail.com>
Hi Christian,
On 01/01/2015 08:55 AM, Christian Riesch wrote:
> On Thu, Jan 1, 2015 at 12:00 PM, Christian Riesch >> @@ -164,15
> +160,17 @@ static inline int tty_put_user(struct tty_struct *tty,
> unsigned char x,
>>> static int receive_room(struct tty_struct *tty)
>>> {
>>> struct n_tty_data *ldata = tty->disc_data;
>>> + size_t head = ACCESS_ONCE(ldata->commit_head);
>>> + size_t tail = ACCESS_ONCE(ldata->read_tail);
>>> int left;
>>>
>>> if (I_PARMRK(tty)) {
>>> - /* Multiply read_cnt by 3, since each byte might take up to
>>> + /* Multiply count by 3, since each byte might take up to
>>> * three times as many spaces when PARMRK is set (depending on
>>> * its flags, e.g. parity error). */
>>> - left = N_TTY_BUF_SIZE - read_cnt(ldata) * 3 - 1;
>>> + left = N_TTY_BUF_SIZE - (head - tail) * 3 - 1;
>>> } else
>>> - left = N_TTY_BUF_SIZE - read_cnt(ldata) - 1;
>>> + left = N_TTY_BUF_SIZE - (head - tail) - 1;
>>
>> Actually, less room may be available, if read_head != commit_head.
>> Could this cause problems? I guess yes, at least in
>> n_tty_receive_buf_common, where this could lead to a buffer overflow,
>> right?
>
> Sorry, should not be a problem, at least not for
> n_tty_receive_buf_common, since this is producer path, right?
Yeah, that's what I was in the process of writing just now.
BTW, I did see your note about the I_PARMRK computation being
overly conservative; I'll address that in a separate patch
on top of this.
> But how about the other calls of receive_room()?
Those are all either consumer-side or exclusive, ie., when both
producer and consumer are prevented from running by the termios_rwsem
write lock (eg., n_tty_set_termios()).
next prev parent reply other threads:[~2015-01-01 14:06 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-30 12:05 [PATCH] n_tty: Fix unordered accesses to lockless read buffer Peter Hurley
2014-12-30 12:05 ` Peter Hurley
2015-01-01 11:00 ` Christian Riesch
2015-01-01 13:55 ` Christian Riesch
2015-01-01 14:06 ` Peter Hurley [this message]
2015-01-04 19:44 ` Peter Hurley
2015-01-09 19:09 ` Peter Hurley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54A5546A.6080804@hurleysoftware.com \
--to=peter@hurleysoftware.com \
--cc=christian.riesch@omicron.at \
--cc=gregkh@linuxfoundation.org \
--cc=jslaby@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-serial@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.