From: Peter Hurley <peter@hurleysoftware.com>
To: Christian Riesch <christian.riesch@omicron.at>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jslaby@suse.cz>,
linux-serial@vger.kernel.org,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
stable <stable@vger.kernel.org>
Subject: Re: [PATCH] n_tty: Fix unordered accesses to lockless read buffer
Date: Thu, 01 Jan 2015 09:06:34 -0500 [thread overview]
Message-ID: <54A5546A.6080804@hurleysoftware.com> (raw)
In-Reply-To: <CABkLObp9jt6y94Ss6H=F2UGm4n1kv9jJU2tJfdg+EUO=e=BVNw@mail.gmail.com>
Hi Christian,
On 01/01/2015 08:55 AM, Christian Riesch wrote:
> On Thu, Jan 1, 2015 at 12:00 PM, Christian Riesch >> @@ -164,15
> +160,17 @@ static inline int tty_put_user(struct tty_struct *tty,
> unsigned char x,
>>> static int receive_room(struct tty_struct *tty)
>>> {
>>> struct n_tty_data *ldata = tty->disc_data;
>>> + size_t head = ACCESS_ONCE(ldata->commit_head);
>>> + size_t tail = ACCESS_ONCE(ldata->read_tail);
>>> int left;
>>>
>>> if (I_PARMRK(tty)) {
>>> - /* Multiply read_cnt by 3, since each byte might take up to
>>> + /* Multiply count by 3, since each byte might take up to
>>> * three times as many spaces when PARMRK is set (depending on
>>> * its flags, e.g. parity error). */
>>> - left = N_TTY_BUF_SIZE - read_cnt(ldata) * 3 - 1;
>>> + left = N_TTY_BUF_SIZE - (head - tail) * 3 - 1;
>>> } else
>>> - left = N_TTY_BUF_SIZE - read_cnt(ldata) - 1;
>>> + left = N_TTY_BUF_SIZE - (head - tail) - 1;
>>
>> Actually, less room may be available, if read_head != commit_head.
>> Could this cause problems? I guess yes, at least in
>> n_tty_receive_buf_common, where this could lead to a buffer overflow,
>> right?
>
> Sorry, should not be a problem, at least not for
> n_tty_receive_buf_common, since this is producer path, right?
Yeah, that's what I was in the process of writing just now.
BTW, I did see your note about the I_PARMRK computation being
overly conservative; I'll address that in a separate patch
on top of this.
> But how about the other calls of receive_room()?
Those are all either consumer-side or exclusive, ie., when both
producer and consumer are prevented from running by the termios_rwsem
write lock (eg., n_tty_set_termios()).
next prev parent reply other threads:[~2015-01-01 14:06 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-30 12:05 [PATCH] n_tty: Fix unordered accesses to lockless read buffer Peter Hurley
2015-01-01 11:00 ` Christian Riesch
2015-01-01 13:55 ` Christian Riesch
2015-01-01 14:06 ` Peter Hurley [this message]
2015-01-04 19:44 ` Peter Hurley
2015-01-09 19:09 ` Peter Hurley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54A5546A.6080804@hurleysoftware.com \
--to=peter@hurleysoftware.com \
--cc=christian.riesch@omicron.at \
--cc=gregkh@linuxfoundation.org \
--cc=jslaby@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-serial@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).