[PATCH] Fix hvc console sleep in spinlock bug

From: Jeremy Kerr <jk@ozlabs.org> This patch fixes the sleep in spinlock hvc bug in hvc_write(). The code is a little longer, but protects against large amounts of memory being kmalloc()ed by userspace, and minimises calls to copy_from_user().

[PATCH] Fix hvc console sleep in spinlock bug
From: Jeremy Kerr <jk@ozlabs.org> This patch fixes the sleep in spinlock hvc bug in hvc_write(). The code is a little longer, but protects against large amounts of memory being kmalloc()ed by userspace, and minimises calls to copy_from_user().
c7e74ca2 · Andrew Morton · Linus Torvalds · 824315d9 · c7e74ca2
Commit c7e74ca2 authored Mar 15, 2004 by Andrew Morton Committed by Linus Torvalds Mar 15, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 52 additions and 18 deletions

drivers/char/hvc_console.c drivers/char/hvc_console.c +52 -18

No files found.
--- a/drivers/char/hvc_console.c
+++ b/drivers/char/hvc_console.c
@@ -131,31 +131,65 @@ static int hvc_write(struct tty_struct *tty, int from_user,
 		     const unsigned char *buf, int count)
 {
 	struct hvc_struct *hp = tty->driver_data;
-	char *p;
-	int todo, written = 0;
+	char *tbuf, *p;
+	int tbsize, rsize, written = 0;
 	unsigned long flags;

-	spin_lock_irqsave(&hp->lock, flags);
-	while (count > 0 && (todo = N_OUTBUF - hp->n_outbuf) > 0) {
-		if (todo > count)
-			todo = count;
-		p = hp->outbuf + hp->n_outbuf;
-		if (from_user) {
-			todo -= copy_from_user(p, buf, todo);
-			if (todo == 0) {
+	if (from_user) {
+		tbsize = min(count, (int)PAGE_SIZE);
+		if (!(tbuf = kmalloc(tbsize, GFP_KERNEL)))
+			return -ENOMEM;
+
+		while ((rsize = count - written) > 0) {
+			int wsize;
+			if (rsize > tbsize)
+				rsize = tbsize;
+
+			p = tbuf;
+			rsize -= copy_from_user(p, buf, rsize);
+			if (!rsize) {
 				if (written == 0)
 					written = -EFAULT;
 				break;
 			}
-		} else
-			memcpy(p, buf, todo);
-		count -= todo;
-		buf += todo;
-		hp->n_outbuf += todo;
-		written += todo;
-		hvc_push(hp);
+			buf += rsize;
+			written += rsize;
+
+			spin_lock_irqsave(&hp->lock, flags);
+			for (wsize = N_OUTBUF - hp->n_outbuf; rsize && wsize;
+					wsize = N_OUTBUF - hp->n_outbuf) {
+				if (wsize > rsize)
+					wsize = rsize;
+				memcpy(hp->outbuf + hp->n_outbuf, p, wsize);
+				hp->n_outbuf += wsize;
+				hvc_push(hp);
+				rsize -= wsize;
+				p += wsize;
+			}
+			spin_unlock_irqrestore(&hp->lock, flags);
+
+			if (rsize)
+				break;
+
+			if (count < tbsize)
+				tbsize = count;
+		}
+
+		kfree(tbuf);
+	} else {
+		spin_lock_irqsave(&hp->lock, flags);
+		while (count > 0 && (rsize = N_OUTBUF - hp->n_outbuf) > 0) {
+			if (rsize > count)
+				rsize = count;
+			memcpy(hp->outbuf + hp->n_outbuf, buf, rsize);
+			count -= rsize;
+			buf += rsize;
+			hp->n_outbuf += rsize;
+			written += rsize;
+			hvc_push(hp);
+		}
+		spin_unlock_irqrestore(&hp->lock, flags);
 	}
-	spin_unlock_irqrestore(&hp->lock, flags);

 	return written;
 }