[PATCH -next 2/2] tty: Correct tty buffer flush.

[PATCH -next 2/2] tty: Correct tty buffer flush.

[Ilya Zykov]

tty: Correct tty buffer flush.

Signed-off-by: Ilya Zykov <ilya@ilyx.ru>
---
 drivers/tty/tty_buffer.c |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
index 7602df8..8a3333d 100644
--- a/drivers/tty/tty_buffer.c
+++ b/drivers/tty/tty_buffer.c
@@ -119,11 +119,14 @@ static void __tty_buffer_flush(struct tty_port *port)
 	struct tty_bufhead *buf = &port->buf;
 	struct tty_buffer *thead;
 
-	while ((thead = buf->head) != NULL) {
-		buf->head = thead->next;
-		tty_buffer_free(port, thead);
+	if (unlikely(buf->head == NULL))
+		return;
+	while ((thead = buf->head->next) != NULL) {
+		tty_buffer_free(port, buf->head);
+		buf->head = thead;
 	}
-	buf->tail = NULL;
+	WARN_ON(buf->head != buf->tail);
+	buf->head->read = buf->head->commit;
 }
 
 /**

Re: [PATCH -next 2/2] tty: Correct tty buffer flush.

[Jiri Slaby]

On 12/05/2012 09:48 AM, Ilya Zykov wrote:
> tty: Correct tty buffer flush.

NAK just because of the insufficient commit log. That line does not
belong here. Instead, please add here proper description as you have
already done before. IOW what is in 0/2 should be here so that we know
the reasons. 0/2 text is not stored in git. This one is.

> Signed-off-by: Ilya Zykov <ilya@ilyx.ru>
> ---
>  drivers/tty/tty_buffer.c |   11 +++++++----
>  1 files changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
> index 7602df8..8a3333d 100644
> --- a/drivers/tty/tty_buffer.c
> +++ b/drivers/tty/tty_buffer.c
> @@ -119,11 +119,14 @@ static void __tty_buffer_flush(struct tty_port *port)
>  	struct tty_bufhead *buf = &port->buf;
>  	struct tty_buffer *thead;
>  
> -	while ((thead = buf->head) != NULL) {
> -		buf->head = thead->next;
> -		tty_buffer_free(port, thead);
> +	if (unlikely(buf->head == NULL))
> +		return;
> +	while ((thead = buf->head->next) != NULL) {
> +		tty_buffer_free(port, buf->head);
> +		buf->head = thead;
>  	}
> -	buf->tail = NULL;
> +	WARN_ON(buf->head != buf->tail);
> +	buf->head->read = buf->head->commit;
>  }
>  
>  /**
> 

thanks,
-- 
js
suse labs

[PATCH -next 2/2] tty: Correct tty buffer flush.

[Ilya Zykov]

  The root of problem is carelessly zeroing pointer(in function __tty_buffer_flush()),
when another thread can use it. It can be cause of "NULL pointer dereference".
  Main idea of the patch, this is never free last (struct tty_buffer) in the active buffer.
Only flush the data for ldisc(tty->buf.head->read = tty->buf.head->commit).
At that moment driver can collect(write) data in buffer without conflict.
It is repeat behavior of flush_to_ldisc(), only without feeding data to ldisc.

Signed-off-by: Ilya Zykov <ilya@ilyx.ru>
---
diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
index 7602df8..8a3333d 100644
--- a/drivers/tty/tty_buffer.c
+++ b/drivers/tty/tty_buffer.c
@@ -119,11 +119,14 @@ static void __tty_buffer_flush(struct tty_port *port)
 	struct tty_bufhead *buf = &port->buf;
 	struct tty_buffer *thead;
 
-	while ((thead = buf->head) != NULL) {
-		buf->head = thead->next;
-		tty_buffer_free(port, thead);
+	if (unlikely(buf->head == NULL))
+		return;
+	while ((thead = buf->head->next) != NULL) {
+		tty_buffer_free(port, buf->head);
+		buf->head = thead;
 	}
-	buf->tail = NULL;
+	WARN_ON(buf->head != buf->tail);
+	buf->head->read = buf->head->commit;
 }
 
 /**