Message-ID: <46B9CF8D.1000209@microgate.com>
Date: Wed, 08 Aug 2007 08:13:33 -0600
From: Paul Fulghum <paulkf@microgate.com>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Laurent Pinchart <laurentp@cse-semaphore.com>
CC: linux-kernel@vger.kernel.org
Subject: Re: Serial buffer memory leak
References: <200708081158.06843.laurentp@cse-semaphore.com>
In-Reply-To: <200708081158.06843.laurentp@cse-semaphore.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1150
Lines: 25

Laurent Pinchart wrote:
> Patch c5c34d4862e18ef07c1276d233507f540fb5a532 (tty: flush flip buffer on 
> ldisc input queue flush) introduces a race condition which can lead to memory 
> leaks.
> 
> The problem can be triggered when tcflush() is called when data are being 
> pushed to the line discipline driver by flush_to_ldisc().
> 
> flush_to_ldisc() releases tty->buf.lock when calling the line discipline 
> receive_buf function. At that poing tty_buffer_flush() kicks in and sets both 
> tty->buf.head and tty->buf.tail to NULL. When flush_to_ldisc() finishes, it 
> restores tty->buf.head but doesn't touch tty->buf.tail. This corrups the 
> buffer queue, and the next call to tty_buffer_request_room() will allocate a 
> new buffer and overwrite tty->buf.head. The previous buffer is then lost 
> forever without being released.

Your description is clear enough, I'll make the patch.

Thanks,
Paul
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/