2019-03-29 14:12:17 +08:00
|
|
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
2018-12-10 15:51:05 +08:00
|
|
|
From: padmarao edapalapati <padmarao.edapalapati@intel.com>
|
|
|
|
Date: Fri, 16 Nov 2018 11:30:09 +0530
|
2019-03-29 14:12:17 +08:00
|
|
|
Subject: [PATCH] Fix the race in cbc buffer queue
|
2018-12-10 15:51:05 +08:00
|
|
|
|
|
|
|
There is a possible race in cbc_buffer_release in memset
|
|
|
|
Anothe issue is the cbc_buffer_queue read write defined as
|
|
|
|
u8, it will cause the read write overflow in queue and dequeue
|
|
|
|
|
|
|
|
Change-Id: I80047adbabfbeb065a178b7ab8a706957c488a5a
|
|
|
|
Signed-off-by: padmarao edapalapati <padmarao.edapalapati@intel.com>
|
|
|
|
Tracked-On: PKT-1554
|
|
|
|
---
|
|
|
|
drivers/tty/cbc/cbc_memory.c | 22 ++++++++--------------
|
|
|
|
drivers/tty/cbc/cbc_mux_multiplexer.c | 5 -----
|
|
|
|
2 files changed, 8 insertions(+), 19 deletions(-)
|
|
|
|
|
|
|
|
diff --git a/drivers/tty/cbc/cbc_memory.c b/drivers/tty/cbc/cbc_memory.c
|
2020-05-05 09:02:46 +08:00
|
|
|
index 69cf65e89..7b8fbb78c 100644
|
2018-12-10 15:51:05 +08:00
|
|
|
--- a/drivers/tty/cbc/cbc_memory.c
|
|
|
|
+++ b/drivers/tty/cbc/cbc_memory.c
|
|
|
|
@@ -91,17 +91,10 @@ struct cbc_buffer *cbc_memory_pool_get_buffer(struct cbc_memory_pool *pool)
|
|
|
|
|
|
|
|
void cbc_buffer_release(struct cbc_buffer *buffer)
|
|
|
|
{
|
|
|
|
- int tmp;
|
|
|
|
-
|
|
|
|
if (!buffer)
|
|
|
|
return;
|
|
|
|
|
|
|
|
- atomic_read(&buffer->refcount);
|
|
|
|
-
|
|
|
|
- tmp = atomic_dec_return(&buffer->refcount);
|
|
|
|
- if (tmp == 0)
|
|
|
|
- memset(buffer->data, 0xCD, CBC_BUFFER_SIZE);
|
|
|
|
-
|
|
|
|
+ atomic_dec(&buffer->refcount);
|
|
|
|
}
|
|
|
|
|
|
|
|
void cbc_buffer_increment_ref(struct cbc_buffer *buffer)
|
|
|
|
@@ -122,13 +115,14 @@ int cbc_buffer_queue_enqueue(struct cbc_buffer_queue *queue,
|
|
|
|
if (!queue || !buffer)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
- if (queue->read + CBC_QUEUE_LENGTH == queue->write) {
|
|
|
|
+ if (queue->read == ((queue->write + 1) & CBC_QUEUE_BM)) {
|
|
|
|
pr_err("cbc buffer queue full\n");
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
- queue->queue[queue->write & CBC_QUEUE_BM] = buffer;
|
|
|
|
- queue->write++;
|
|
|
|
+ queue->queue[queue->write] = buffer;
|
|
|
|
+ queue->write = ((queue->write + 1) & CBC_QUEUE_BM);
|
|
|
|
+
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
@@ -144,9 +138,9 @@ struct cbc_buffer *cbc_buffer_queue_dequeue(struct cbc_buffer_queue *queue)
|
|
|
|
return buffer;
|
|
|
|
}
|
|
|
|
|
|
|
|
- buffer = queue->queue[queue->read & CBC_QUEUE_BM];
|
|
|
|
- queue->queue[queue->read & CBC_QUEUE_BM] = NULL;
|
|
|
|
- queue->read++;
|
|
|
|
+ buffer = queue->queue[queue->read];
|
|
|
|
+ queue->queue[queue->read] = NULL;
|
|
|
|
+ queue->read = ((queue->read + 1) & CBC_QUEUE_BM);
|
|
|
|
|
|
|
|
return buffer;
|
|
|
|
}
|
|
|
|
diff --git a/drivers/tty/cbc/cbc_mux_multiplexer.c b/drivers/tty/cbc/cbc_mux_multiplexer.c
|
2020-05-05 09:02:46 +08:00
|
|
|
index 4439e34f5..714fd95c7 100644
|
2018-12-10 15:51:05 +08:00
|
|
|
--- a/drivers/tty/cbc/cbc_mux_multiplexer.c
|
|
|
|
+++ b/drivers/tty/cbc/cbc_mux_multiplexer.c
|
|
|
|
@@ -94,11 +94,6 @@ enum cbc_error cbc_mux_multiplexer_transmit_buffer(
|
|
|
|
(u8) channel_idx,
|
|
|
|
config->cbc_mux_channel_list[channel_idx].priority,
|
|
|
|
cbc_buffer);
|
|
|
|
-
|
|
|
|
- /* Send to debug device */
|
|
|
|
- channel = &config->cbc_mux_channel_list[CBC_CHANNEL_DEBUG_OUT];
|
|
|
|
- if (channel && channel->buffer_receive)
|
|
|
|
- channel->buffer_receive(channel->data, cbc_buffer);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Send to debug device */
|
|
|
|
--
|
2019-04-08 18:08:36 +08:00
|
|
|
https://clearlinux.org
|
2018-12-10 15:51:05 +08:00
|
|
|
|