Module Name: src Committed By: riastradh Date: Mon May 22 14:07:37 UTC 2023
Modified Files: src/sys/kern: tty.c Log Message: tty(9): Make ttwrite update uio with only how much it has consumed. As is, it leaves uio in an inconsistent state. Good enough for the write(2) return value to be correct for a userland caller to restart write(2) where it left off, but not good enough for a loop in the kernel to reuse the same uio. Reported-by: syzbot+e0f56178d0add0d8b...@syzkaller.appspotmail.com https://syzkaller.appspot.com/bug?id=6290eb02b8fe73361dc15c7bc44e1208601e6af8 Reported-by: syzbot+7caa189e8fccd9263...@syzkaller.appspotmail.com https://syzkaller.appspot.com/bug?id=c0a3b77b4831dfa81fc855857bde81755d246bd3 Reported-by: syzbot+4a1eff91eb4e7c197...@syzkaller.appspotmail.com https://syzkaller.appspot.com/bug?id=10523a633a4ad9749f57dc7cf03f9447d518c5b8 Reported-by: syzbot+1d3c280f59099dc82...@syzkaller.appspotmail.com https://syzkaller.appspot.com/bug?id=8e02ebb0da76a8e286461f33502117a1d30275c6 Reported-by: syzbot+080d51214d0634472...@syzkaller.appspotmail.com https://syzkaller.appspot.com/bug?id=1f617747db8087e5554d3df1b79a545dee26a650 Reported-by: syzbot+dd50b448e49e50201...@syzkaller.appspotmail.com https://syzkaller.appspot.com/bug?id=f71c8cef4110b7eeac6eca67b6a4d1f4a8b3e96f Reported-by: syzbot+26b675ecf0cc9dfd8...@syzkaller.appspotmail.com https://syzkaller.appspot.com/bug?id=57b1901f5b3e090a964d08dd0d729f9909f203be Reported-by: syzbot+87f0df2c9056313a5...@syzkaller.appspotmail.com https://syzkaller.appspot.com/bug?id=67994a3da32d075144e25d1ac314be1d9694ae6e Reported-by: syzbot+e5bc98e18aa42f0cb...@syzkaller.appspotmail.com https://syzkaller.appspot.com/bug?id=6374bd286532423c63f2b331748280729134224c Reported-by: syzbot+7e587f4c5aaaf80e8...@syzkaller.appspotmail.com https://syzkaller.appspot.com/bug?id=976210ed438d48ac275d77d7ebf4a086e43b5fcb To generate a diff of this commit: cvs rdiff -u -r1.310 -r1.311 src/sys/kern/tty.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/tty.c
diff -u src/sys/kern/tty.c:1.310 src/sys/kern/tty.c:1.311
--- src/sys/kern/tty.c:1.310	Wed Apr 12 06:35:26 2023
+++ src/sys/kern/tty.c	Mon May 22 14:07:37 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: tty.c,v 1.310 2023/04/12 06:35:26 riastradh Exp $ */
+/* $NetBSD: tty.c,v 1.311 2023/05/22 14:07:37 riastradh Exp $ */
 
 /*-
  * Copyright (c) 2008, 2020 The NetBSD Foundation, Inc.
@@ -63,7 +63,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tty.c,v 1.310 2023/04/12 06:35:26 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tty.c,v 1.311 2023/05/22 14:07:37 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_compat_netbsd.h"
@@ -2229,13 +2229,13 @@ ttwrite(struct tty *tp, struct uio *uio,
 {
 	u_char *cp;
 	struct proc *p;
-	int cc, ce, i, hiwat, error;
+	int cc, cc0, ce, i, hiwat, error;
 	u_char obuf[OBUFSIZ];
 
 	cp = NULL;
 	hiwat = tp->t_hiwat;
 	error = 0;
-	cc = 0;
+	cc0 = cc = 0;
  loop:
 	mutex_spin_enter(&tty_lock);
 	if (!CONNECTED(tp)) {
@@ -2300,9 +2300,10 @@ ttwrite(struct tty *tp, struct uio *uio,
 	 * leftover from last time.
 	 */
 	if (cc == 0) {
-		cc = uimin(uio->uio_resid, OBUFSIZ);
+		uioskip(cc0, uio);
+		cc0 = cc = uimin(uio->uio_resid, OBUFSIZ);
 		cp = obuf;
-		error = uiomove(cp, cc, uio);
+		error = uiopeek(cp, cc, uio);
 		if (error) {
 			cc = 0;
 			goto out;
@@ -2373,13 +2374,9 @@ ttwrite(struct tty *tp, struct uio *uio,
 	}
 
  out:
-	/*
-	 * If cc is nonzero, we leave the uio structure inconsistent, as the
-	 * offset and iov pointers have moved forward, but it doesn't matter
-	 * (the call will either return short or restart with a new uio).
-	 */
 	KASSERTMSG(error || cc == 0, "error=%d cc=%d", error, cc);
-	uio->uio_resid += cc;
+	KASSERTMSG(cc0 >= cc, "cc0=%d cc=%d", cc0, cc);
+	uioskip(cc0 - cc, uio);
 	return (error);
 
 overfull:
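Review bot: The uiopeek() error branch in the @@ -2300 hunk still charges the whole chunk to the caller: it sets `cc = 0` but leaves `cc0` at the freshly computed chunk size, so the `uioskip(cc0 - cc, uio)` at `out:` in the @@ -2373 hunk advances the uio by cc0 bytes that were never copied out of it. Before this change uiomove() advanced the uio only as far as it actually copied, so this is a regression in exactly the accounting the commit sets out to make reliable, and an in-kernel caller reusing the uio would see up to OBUFSIZ bytes reported as consumed that were never written. Assuming uiopeek() leaves the uio untouched on failure, as its use here implies, the branch should clear both counters: `cc0 = cc = 0;`. ttwrite() starts before and continues past these hunks, so whether any other path reaches `out:` with a stale cc0 cannot be judged from what is shown.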