| From 00de977f9e0aa9760d9a79d1e41ff780f74e3424 Mon Sep 17 00:00:00 2001 |
| From: Johan Hovold <johan@kernel.org> |
| Date: Mon, 8 Nov 2021 09:54:31 +0100 |
| Subject: serial: core: fix transmit-buffer reset and memleak |
| |
| From: Johan Hovold <johan@kernel.org> |
| |
| commit 00de977f9e0aa9760d9a79d1e41ff780f74e3424 upstream. |
| |
| Commit 761ed4a94582 ("tty: serial_core: convert uart_close to use |
| tty_port_close") converted serial core to use tty_port_close() but |
| failed to notice that the transmit buffer still needs to be freed on |
| final close. |
| |
| Not freeing the transmit buffer means that the buffer is no longer |
| cleared on next open so that any ioctl() waiting for the buffer to drain |
| might wait indefinitely (e.g. on termios changes) or that stale data can |
| end up being transmitted in case tx is restarted. |
| |
| Furthermore, the buffer of any port that has been opened would leak on |
| driver unbind. |
| |
| Note that the port lock is held when clearing the buffer pointer due to |
| the ldisc race worked around by commit a5ba1d95e46e ("uart: fix race |
| between uart_put_char() and uart_shutdown()"). |
| |
| Also note that the tty-port shutdown() callback is not called for |
| console ports so it is not strictly necessary to free the buffer page |
| after releasing the lock (cf. d72402145ace ("tty/serial: do not free |
| trasnmit buffer page under port lock")). |
| |
| Link: https://lore.kernel.org/r/319321886d97c456203d5c6a576a5480d07c3478.1635781688.git.baruch@tkos.co.il |
| Fixes: 761ed4a94582 ("tty: serial_core: convert uart_close to use tty_port_close") |
| Cc: stable@vger.kernel.org # 4.9 |
| Cc: Rob Herring <robh@kernel.org> |
| Reported-by: Baruch Siach <baruch@tkos.co.il> |
| Tested-by: Baruch Siach <baruch@tkos.co.il> |
| Signed-off-by: Johan Hovold <johan@kernel.org> |
| Link: https://lore.kernel.org/r/20211108085431.12637-1-johan@kernel.org |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/tty/serial/serial_core.c | 13 ++++++++++++- |
| 1 file changed, 12 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/tty/serial/serial_core.c |
| +++ b/drivers/tty/serial/serial_core.c |
| @@ -1576,6 +1576,7 @@ static void uart_tty_port_shutdown(struc |
| { |
| struct uart_state *state = container_of(port, struct uart_state, port); |
| struct uart_port *uport = uart_port_check(state); |
| + char *buf; |
| |
| /* |
| * At this point, we stop accepting input. To do this, we |
| @@ -1597,8 +1598,18 @@ static void uart_tty_port_shutdown(struc |
| */ |
| tty_port_set_suspended(port, 0); |
| |
| - uart_change_pm(state, UART_PM_STATE_OFF); |
| + /* |
| + * Free the transmit buffer. |
| + */ |
| + spin_lock_irq(&uport->lock); |
| + buf = state->xmit.buf; |
| + state->xmit.buf = NULL; |
| + spin_unlock_irq(&uport->lock); |
| + |
| + if (buf) |
| + free_page((unsigned long)buf); |
| |
| + uart_change_pm(state, UART_PM_STATE_OFF); |
| } |
| |
| static void uart_wait_until_sent(struct tty_struct *tty, int timeout) |