tty(9): Make ttwrite update uio with only how much it has consumed.
As is, ttwrite leaves the uio in an inconsistent state.  That is good
enough for the write(2) return value to be correct, so a userland caller
can restart write(2) where it left off, but not good enough for a loop
in the kernel to reuse the same uio.

Reported-by: syzbot+e0f56178d0add0d8be20@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=6290eb02b8fe73361dc15c7bc44e1208601e6af8

Reported-by: syzbot+7caa189e8fccd926357e@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=c0a3b77b4831dfa81fc855857bde81755d246bd3

Reported-by: syzbot+4a1eff91eb4e7c1970b6@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=10523a633a4ad9749f57dc7cf03f9447d518c5b8

Reported-by: syzbot+1d3c280f59099dc82e17@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=8e02ebb0da76a8e286461f33502117a1d30275c6

Reported-by: syzbot+080d51214d0634472b12@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=1f617747db8087e5554d3df1b79a545dee26a650

Reported-by: syzbot+dd50b448e49e5020131a@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=f71c8cef4110b7eeac6eca67b6a4d1f4a8b3e96f

Reported-by: syzbot+26b675ecf0cc9dfd8586@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=57b1901f5b3e090a964d08dd0d729f9909f203be

Reported-by: syzbot+87f0df2c9056313a5c4b@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=67994a3da32d075144e25d1ac314be1d9694ae6e

Reported-by: syzbot+e5bc98e18aa42f0cb25d@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=6374bd286532423c63f2b331748280729134224c

Reported-by: syzbot+7e587f4c5aaaf80e84b3@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=976210ed438d48ac275d77d7ebf4a086e43b5fcb
riastradh authored and riastradh committed May 22, 2023
1 parent 819a01c commit a7a3e2a
Showing 1 changed file with 9 additions and 12 deletions.
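--- a/sys/kern/tty.c
+++ b/sys/kern/tty.c
@@ -1,4 +1,4 @@
-/* $NetBSD: tty.c,v 1.310 2023/04/12 06:35:26 riastradh Exp $ */
+/* $NetBSD: tty.c,v 1.311 2023/05/22 14:07:37 riastradh Exp $ */
 
 /*-
 * Copyright (c) 2008, 2020 The NetBSD Foundation, Inc.
@@ -63,7 +63,7 @@
 */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tty.c,v 1.310 2023/04/12 06:35:26 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tty.c,v 1.311 2023/05/22 14:07:37 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_compat_netbsd.h"
@@ -2229,13 +2229,13 @@ ttwrite(struct tty *tp, struct uio *uio, int flag)
 {
 u_char *cp;
 struct proc *p;
-int cc, ce, i, hiwat, error;
+int cc, cc0, ce, i, hiwat, error;
 u_char obuf[OBUFSIZ];
 
 cp = NULL;
 hiwat = tp->t_hiwat;
 error = 0;
-cc = 0;
+cc0 = cc = 0;
 loop:
 mutex_spin_enter(&tty_lock);
 if (!CONNECTED(tp)) {
@@ -2300,9 +2300,10 @@ ttwrite(struct tty *tp, struct uio *uio, int flag)
 * leftover from last time.
 */
 if (cc == 0) {
-cc = uimin(uio->uio_resid, OBUFSIZ);
+uioskip(cc0, uio);
+cc0 = cc = uimin(uio->uio_resid, OBUFSIZ);
 cp = obuf;
-error = uiomove(cp, cc, uio);
+error = uiopeek(cp, cc, uio);
 if (error) {
 cc = 0;
 goto out;
@@ -2373,13 +2374,9 @@ ttwrite(struct tty *tp, struct uio *uio, int flag)
 }
 
 out:
-/*
- * If cc is nonzero, we leave the uio structure inconsistent, as the
- * offset and iov pointers have moved forward, but it doesn't matter
- * (the call will either return short or restart with a new uio).
- */
 KASSERTMSG(error || cc == 0, "error=%d cc=%d", error, cc);
-uio->uio_resid += cc;
+KASSERTMSG(cc0 >= cc, "cc0=%d cc=%d", cc0, cc);
+uioskip(cc0 - cc, uio);
 return (error);
 
 overfull: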
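Review bot: The `uiopeek` failure path in the third hunk still lets `out:` consume data that was never written: `cc0 = cc = uimin(uio->uio_resid, OBUFSIZ)` is assigned just before the peek, the error branch resets only `cc` to 0, and `uioskip(cc0 - cc, uio)` at `out:` then advances the uio by the full `cc0` even though that chunk never reached the tty. For a userland write(2) returning EFAULT this is probably invisible, but it defeats the commit's stated goal of letting a kernel loop reuse the same uio, since the reused uio would silently skip up to OBUFSIZ bytes. Resetting both counters in that branch, `cc0 = cc = 0;`, makes `out:` skip nothing when nothing was consumed; it may also be worth a one-line comment at `out:` such as `/* cc0 bytes were peeked, cc of them remain unwritten; consume the rest */`. ttwrite begins and ends outside these hunks, so any other `goto out` paths reaching this code with a stale `cc0` should be checked the same way.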
