| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
commit e045fec48970df84647a47930fcf7a22ff7229c0 upstream.
There's a small window inside the flush_to_ldisc function,
where the tty is unlocked and calling ldisc's receive_buf
function. If in this window new buffer is added to the tty,
the processing might never leave the flush_to_ldisc function.
This scenario will hog the cpu, causing other tty processing
starving, and making it impossible to interface the computer
via tty.
I was able to exploit this via pty interface by sending only
control characters to the master input, causing the flush_to_ldisc
to be scheduled, but never actually generate any output.
To reproduce, please run multiple instances of following code.
- SNIP
#define _XOPEN_SOURCE
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
int main(int argc, char **argv)
{
int i, slave, master = getpt();
char buf[8192];
sprintf(buf, "%s", ptsname(master));
grantpt(master);
unlockpt(master);
slave = open(buf, O_RDWR);
if (slave < 0) {
perror("open slave failed");
return 1;
}
for(i = 0; i < sizeof(buf); i++)
buf[i] = rand() % 32;
while(1) {
write(master, buf, sizeof(buf));
}
return 0;
}
- SNIP
The attached patch (based on -next tree) fixes this by checking on the
tty buffer tail. Once it's reached, the current work is rescheduled
and another could run.
Signed-off-by: Jiri Olsa <jolsa@redhat.com>
Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
Comment was not updated when tty_insert_flip_string was generalised.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
CC drivers/char/tty_buffer.o
drivers/char/tty_buffer.c: In function ‘tty_insert_flip_string_fixed_flag’:
drivers/char/tty_buffer.c:251: warning: comparison of distinct pointer types lacks a cast
drivers/char/tty_buffer.c: In function ‘tty_insert_flip_string_flags’:
drivers/char/tty_buffer.c:288: warning: comparison of distinct pointer types lacks a cast
Fix it by replacing min() with min_t() in tty_insert_flip_string_flags and
tty_insert_flip_string_fixed_flag().
Signed-off-by: Fang Wenqi <antonf@turbolinux.com.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6: (220 commits)
USB: backlight, appledisplay: fix incomplete registration failure handling
USB: pl2303: remove unnecessary reset of usb_device in urbs
USB: ftdi_sio: remove obsolete check in unthrottle
USB: ftdi_sio: remove unused tx_bytes counter
USB: qcaux: driver for auxiliary serial ports on Qualcomm devices
USB: pl2303: initial TIOCGSERIAL support
USB: option: add Longcheer/Longsung vendor ID
USB: fix I2C API usage in ohci-pnx4008.
USB: usbmon: mask seconds properly in text API
USB: sisusbvga: no unnecessary GFP_ATOMIC
USB: storage: onetouch: unnecessary GFP_ATOMIC
USB: serial: ftdi: add CONTEC vendor and product id
USB: remove references to port->port.count from the serial drivers
USB: tty: Prune uses of tty_request_room in the USB layer
USB: tty: Add a function to insert a string of characters with the same flag
USB: don't read past config->interface[] if usb_control_msg() fails in usb_reset_configuration()
USB: tty: kill request_room for USB ACM class
USB: tty: sort out the request_room handling for whiteheat
USB: storage: fix misplaced parenthesis
USB: vstusb.c: removal of driver for Vernier Software & Technology, Inc., devices and spectrometers
...
|
|
The USB drivers often want to insert a series of bytes all with the same
flag set - provide a helper for this case.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
We allocate during interrupts so while our buffering is normally diced up
small anyway on some hardware at speed we can pressure the VM excessively
for page pairs. We don't really need big buffers to be linear so don't try
so hard.
In order to make this work well we will tidy up excess callers to request_room,
which cannot itself enforce this break up.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
This way all flush_to_ldisc work is always done through the workqueues,
and we thus have a single point of serialization.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
|
|
We really don't want to mark the pty as a low-latency device, because as
Alan points out, the ->write method can be called from an IRQ (ppp?),
and that means we can't use ->low_latency=1 as we take mutexes in the
low_latency case.
So rather than using low_latency to force the written data to be pushed
to the ldisc handling at 'write()' time, just make the reader side (or
the poll function) do the flush when it checks whether there is data to
be had.
This also fixes the problem with lost data in an emacs compile buffer
(bugzilla 13815), and we can thus revert the low_latency pty hack
(commit 3a54297478e6578f96fd54bf4daa1751130aca86: "pty: quickfix for the
pty ENXIO timing problems").
Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Tested-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
[ Modified to do the tty_flush_to_ldisc() inside input_available_p() so
that it triggers for both read and poll() - Linus]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
The two are basically independent chunks of code so lets split them up for
readability and sanity. It also makes the API boundaries much clearer.
Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
