Is this a bug that n_tty_set_room not serialized? If so please correct it.

Is this a bug that n_tty_set_room not serialized? If so please correct it.

[snakky.zhang]

Hi experts,

Seems there is an bug related to function n_tty_set_roomin source file
drivers/tty/n_tty.c. This function is used to set receive_room based on
the read_cntby both the consumer and the producer of the tty's read buffer.

But this function is not serialized, so I am afraid there is
a risk like: The producer make the buffer full and then call this 
function to
set the receive_room to 0; while it is preempted by the consumer that empty
the buffer(read_cnt is 0)and then call this very function to set the
receive_room to a non-zero value. But when the producer continue, 
receive_room
was set to 0 again. Thus both read_cnt and receive_room is 0.For consumer
theread_cnt is 0 that no data can be read; while for the producer, thebuffer
is full since the receive_room is 0. Both of them blockhere...

Two methods to avoid it:
A) Addor find a lock to serialize this function;
B) Once the producer find the buffer is full, double check/set the 
buffer with
n_tty_set_room. For example in function "flush_to_ldisc".

Please correct me if I misunderstand something. Or please fix it.

Thanks
Xiao

Is this a bug that n_tty_set_room not serialized? If so please correct it.

[snakky.zhang]

Hi experts,

Seems there is an bug related to function n_tty_set_roomin source file
drivers/tty/n_tty.c. This function is used to set receive_room based on
the read_cntby both the consumer and the producer of the tty's read buffer.

But this function is not serialized, so I am afraid there is
a risk like: The producer make the buffer full and then call this 
function to
set the receive_room to 0; while it is preempted by the consumer that empty
the buffer(read_cnt is 0)and then call this very function to set the
receive_room to a non-zero value. But when the producer continue, 
receive_room
was set to 0 again. Thus both read_cnt and receive_room is 0.For consumer
theread_cnt is 0 that no data can be read; while for the producer, 
thebuffer
is full since the receive_room is 0. Both of them blockhere...

Two methods to avoid it:
A) Addor find a lock to serialize this function;
B) Once the producer find the buffer is full, double check/set the 
buffer with
n_tty_set_room. For example in function "flush_to_ldisc".

Please correct me if I misunderstand something. Or please fix it.

Thanks
Xiao

Re: Is this a bug that n_tty_set_room not serialized? If so please correct it.

[Alan Cox]

On Wed, 23 Jan 2013 12:40:38 +0800
snakky.zhang@gmail.com wrote:

> Hi experts,
> 
> Seems there is an bug related to function n_tty_set_roomin source file
> drivers/tty/n_tty.c. This function is used to set receive_room based on
> the read_cntby both the consumer and the producer of the tty's read buffer.
> 
> But this function is not serialized, so I am afraid there is
> a risk like: The producer make the buffer full and then call this 
> function to

It's not entirely robust - it should be ok for current usage. The proper
fix IMHO is to make the ldisc receive function return the number of bytes
actually consumed. That cures the problem rather than patching around it.

It's an interesting little project for someone, and as I think only n_tty
uses that level of flow control probably not too horrible now.

Alan