Commit 01da5fd8 authored by Alan Cox's avatar Alan Cox Committed by Linus Torvalds

[PATCH] Fix tty layer DoS and comment relevant code

Unlike the other tty comment patch this one has code changes.  Specifically
it limits the queue size for a tty to 64K characters (128Kbytes) worst case
even if the tty is ignoring tty->throttle.  This is because certain drivers
don't honour the throttle value correctly, although it is a useful
safeguard anyway.
Signed-off-by: default avatarAlan Cox <alan@redhat.com>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent af9b897e
...@@ -265,6 +265,17 @@ static int check_tty_count(struct tty_struct *tty, const char *routine) ...@@ -265,6 +265,17 @@ static int check_tty_count(struct tty_struct *tty, const char *routine)
*/ */
/**
* tty_buffer_free_all - free buffers used by a tty
* @tty: tty to free from
*
* Remove all the buffers pending on a tty whether queued with data
* or in the free ring. Must be called when the tty is no longer in use
*
* Locking: none
*/
/** /**
* tty_buffer_free_all - free buffers used by a tty * tty_buffer_free_all - free buffers used by a tty
* @tty: tty to free from * @tty: tty to free from
...@@ -287,19 +298,47 @@ static void tty_buffer_free_all(struct tty_struct *tty) ...@@ -287,19 +298,47 @@ static void tty_buffer_free_all(struct tty_struct *tty)
kfree(thead); kfree(thead);
} }
tty->buf.tail = NULL; tty->buf.tail = NULL;
tty->buf.memory_used = 0;
} }
/**
* tty_buffer_init - prepare a tty buffer structure
* @tty: tty to initialise
*
* Set up the initial state of the buffer management for a tty device.
* Must be called before the other tty buffer functions are used.
*
* Locking: none
*/
static void tty_buffer_init(struct tty_struct *tty) static void tty_buffer_init(struct tty_struct *tty)
{ {
spin_lock_init(&tty->buf.lock); spin_lock_init(&tty->buf.lock);
tty->buf.head = NULL; tty->buf.head = NULL;
tty->buf.tail = NULL; tty->buf.tail = NULL;
tty->buf.free = NULL; tty->buf.free = NULL;
tty->buf.memory_used = 0;
} }
static struct tty_buffer *tty_buffer_alloc(size_t size) /**
* tty_buffer_alloc - allocate a tty buffer
* @tty: tty device
* @size: desired size (characters)
*
* Allocate a new tty buffer to hold the desired number of characters.
* Return NULL if out of memory or the allocation would exceed the
* per device queue
*
* Locking: Caller must hold tty->buf.lock
*/
static struct tty_buffer *tty_buffer_alloc(struct tty_struct *tty, size_t size)
{ {
struct tty_buffer *p = kmalloc(sizeof(struct tty_buffer) + 2 * size, GFP_ATOMIC); struct tty_buffer *p;
if (tty->buf.memory_used + size > 65536)
return NULL;
p = kmalloc(sizeof(struct tty_buffer) + 2 * size, GFP_ATOMIC);
if(p == NULL) if(p == NULL)
return NULL; return NULL;
p->used = 0; p->used = 0;
...@@ -309,17 +348,27 @@ static struct tty_buffer *tty_buffer_alloc(size_t size) ...@@ -309,17 +348,27 @@ static struct tty_buffer *tty_buffer_alloc(size_t size)
p->read = 0; p->read = 0;
p->char_buf_ptr = (char *)(p->data); p->char_buf_ptr = (char *)(p->data);
p->flag_buf_ptr = (unsigned char *)p->char_buf_ptr + size; p->flag_buf_ptr = (unsigned char *)p->char_buf_ptr + size;
/* printk("Flip create %p\n", p); */ tty->buf.memory_used += size;
return p; return p;
} }
/* Must be called with the tty_read lock held. This needs to acquire strategy /**
code to decide if we should kfree or relink a given expired buffer */ * tty_buffer_free - free a tty buffer
* @tty: tty owning the buffer
* @b: the buffer to free
*
* Free a tty buffer, or add it to the free list according to our
* internal strategy
*
* Locking: Caller must hold tty->buf.lock
*/
static void tty_buffer_free(struct tty_struct *tty, struct tty_buffer *b) static void tty_buffer_free(struct tty_struct *tty, struct tty_buffer *b)
{ {
/* Dumb strategy for now - should keep some stats */ /* Dumb strategy for now - should keep some stats */
/* printk("Flip dispose %p\n", b); */ tty->buf.memory_used -= b->size;
WARN_ON(tty->buf.memory_used < 0);
if(b->size >= 512) if(b->size >= 512)
kfree(b); kfree(b);
else { else {
...@@ -328,6 +377,18 @@ static void tty_buffer_free(struct tty_struct *tty, struct tty_buffer *b) ...@@ -328,6 +377,18 @@ static void tty_buffer_free(struct tty_struct *tty, struct tty_buffer *b)
} }
} }
/**
* tty_buffer_find - find a free tty buffer
* @tty: tty owning the buffer
* @size: characters wanted
*
* Locate an existing suitable tty buffer or if we are lacking one then
* allocate a new one. We round our buffers off in 256 character chunks
* to get better allocation behaviour.
*
* Locking: Caller must hold tty->buf.lock
*/
static struct tty_buffer *tty_buffer_find(struct tty_struct *tty, size_t size) static struct tty_buffer *tty_buffer_find(struct tty_struct *tty, size_t size)
{ {
struct tty_buffer **tbh = &tty->buf.free; struct tty_buffer **tbh = &tty->buf.free;
...@@ -339,20 +400,28 @@ static struct tty_buffer *tty_buffer_find(struct tty_struct *tty, size_t size) ...@@ -339,20 +400,28 @@ static struct tty_buffer *tty_buffer_find(struct tty_struct *tty, size_t size)
t->used = 0; t->used = 0;
t->commit = 0; t->commit = 0;
t->read = 0; t->read = 0;
/* DEBUG ONLY */ tty->buf.memory_used += t->size;
/* memset(t->data, '*', size); */
/* printk("Flip recycle %p\n", t); */
return t; return t;
} }
tbh = &((*tbh)->next); tbh = &((*tbh)->next);
} }
/* Round the buffer size out */ /* Round the buffer size out */
size = (size + 0xFF) & ~ 0xFF; size = (size + 0xFF) & ~ 0xFF;
return tty_buffer_alloc(size); return tty_buffer_alloc(tty, size);
/* Should possibly check if this fails for the largest buffer we /* Should possibly check if this fails for the largest buffer we
have queued and recycle that ? */ have queued and recycle that ? */
} }
/**
* tty_buffer_request_room - grow tty buffer if needed
* @tty: tty structure
* @size: size desired
*
* Make at least size bytes of linear space available for the tty
* buffer. If we fail return the size we managed to find.
*
* Locking: Takes tty->buf.lock
*/
int tty_buffer_request_room(struct tty_struct *tty, size_t size) int tty_buffer_request_room(struct tty_struct *tty, size_t size)
{ {
struct tty_buffer *b, *n; struct tty_buffer *b, *n;
......
...@@ -59,6 +59,7 @@ struct tty_bufhead { ...@@ -59,6 +59,7 @@ struct tty_bufhead {
struct tty_buffer *head; /* Queue head */ struct tty_buffer *head; /* Queue head */
struct tty_buffer *tail; /* Active buffer */ struct tty_buffer *tail; /* Active buffer */
struct tty_buffer *free; /* Free queue head */ struct tty_buffer *free; /* Free queue head */
int memory_used; /* Buffer space used excluding free queue */
}; };
/* /*
* The pty uses char_buf and flag_buf as a contiguous buffer * The pty uses char_buf and flag_buf as a contiguous buffer
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment