X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/d7e50217d7adf6e52786a38bcaa4cd698cb9a79e..04b8595b18b1b41ac7a206e4b3d51a635f8413d7:/iokit/Kernel/IODataQueue.cpp diff --git a/iokit/Kernel/IODataQueue.cpp b/iokit/Kernel/IODataQueue.cpp index 3c7c3df10..79c97e1af 100644 --- a/iokit/Kernel/IODataQueue.cpp +++ b/iokit/Kernel/IODataQueue.cpp @@ -1,16 +1,19 @@ /* * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved. * - * @APPLE_LICENSE_HEADER_START@ - * - * Copyright (c) 1999-2003 Apple Computer, Inc. All Rights Reserved. + * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. + * compliance with the License. The rights granted to you under the License + * may not be used to create, or enable the creation or redistribution of, + * unlawful or unlicensed copies of an Apple operating system, or to + * circumvent, violate, or enable the circumvention or violation of, any + * terms of an Apple operating system software license agreement. + * + * Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this file. * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER @@ -20,13 +23,19 @@ * Please see the License for the specific language governing rights and * limitations under the License. * - * @APPLE_LICENSE_HEADER_END@ + * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ */ +#define DISABLE_DATAQUEUE_WARNING + #include + +#undef DISABLE_DATAQUEUE_WARNING + #include #include #include +#include #ifdef enqueue #undef enqueue @@ -70,31 +79,67 @@ IODataQueue *IODataQueue::withEntries(UInt32 numEntries, UInt32 entrySize) Boolean IODataQueue::initWithCapacity(UInt32 size) { + vm_size_t allocSize = 0; + if (!super::init()) { return false; } - dataQueue = (IODataQueueMemory *)IOMallocAligned(round_page_32(size + DATA_QUEUE_MEMORY_HEADER_SIZE), PAGE_SIZE); + if (size > UINT32_MAX - DATA_QUEUE_MEMORY_HEADER_SIZE) { + return false; + } + + allocSize = round_page(size + DATA_QUEUE_MEMORY_HEADER_SIZE); + + if (allocSize < size) { + return false; + } + + dataQueue = (IODataQueueMemory *)IOMallocAligned(allocSize, PAGE_SIZE); if (dataQueue == 0) { return false; } + bzero(dataQueue, allocSize); - dataQueue->queueSize = size; - dataQueue->head = 0; - dataQueue->tail = 0; + dataQueue->queueSize = size; +// dataQueue->head = 0; +// dataQueue->tail = 0; + + if (!notifyMsg) { + notifyMsg = IOMalloc(sizeof(mach_msg_header_t)); + if (!notifyMsg) + return false; + } + bzero(notifyMsg, sizeof(mach_msg_header_t)); return true; } Boolean IODataQueue::initWithEntries(UInt32 numEntries, UInt32 entrySize) { + // Checking overflow for (numEntries + 1)*(entrySize + DATA_QUEUE_ENTRY_HEADER_SIZE): + // check (entrySize + DATA_QUEUE_ENTRY_HEADER_SIZE) + if ((entrySize > UINT32_MAX - DATA_QUEUE_ENTRY_HEADER_SIZE) || + // check (numEntries + 1) + (numEntries > UINT32_MAX-1) || + // check (numEntries + 1)*(entrySize + DATA_QUEUE_ENTRY_HEADER_SIZE) + (entrySize + DATA_QUEUE_ENTRY_HEADER_SIZE > UINT32_MAX/(numEntries+1))) { + return false; + } + return (initWithCapacity((numEntries + 1) * (DATA_QUEUE_ENTRY_HEADER_SIZE + entrySize))); } void IODataQueue::free() { if (dataQueue) { - IOFreeAligned(dataQueue, round_page_32(dataQueue->queueSize + DATA_QUEUE_MEMORY_HEADER_SIZE)); + IOFreeAligned(dataQueue, round_page(dataQueue->queueSize + DATA_QUEUE_MEMORY_HEADER_SIZE)); + dataQueue = NULL; + + if (notifyMsg) { + IOFree(notifyMsg, sizeof(mach_msg_header_t)); + notifyMsg = NULL; + } } super::free(); @@ -109,10 +154,20 @@ Boolean IODataQueue::enqueue(void * data, UInt32 dataSize) const UInt32 entrySize = dataSize + DATA_QUEUE_ENTRY_HEADER_SIZE; IODataQueueEntry * entry; + // Check for overflow of entrySize + if (dataSize > UINT32_MAX - DATA_QUEUE_ENTRY_HEADER_SIZE) { + return false; + } + // Check for underflow of (dataQueue->queueSize - tail) + if (dataQueue->queueSize < tail) { + return false; + } + if ( tail >= head ) { // Is there enough room at the end for the entry? - if ( (tail + entrySize) <= dataQueue->queueSize ) + if ((entrySize <= UINT32_MAX - tail) && + ((tail + entrySize) <= dataQueue->queueSize) ) { entry = (IODataQueueEntry *)((UInt8 *)dataQueue->queue + tail); @@ -122,10 +177,10 @@ Boolean IODataQueue::enqueue(void * data, UInt32 dataSize) // The tail can be out of bound when the size of the new entry // exactly matches the available space at the end of the queue. // The tail can range from 0 to dataQueue->queueSize inclusive. - - dataQueue->tail += entrySize; + + OSAddAtomic(entrySize, (SInt32 *)&dataQueue->tail); } - else if ( head > entrySize ) // Is there enough room at the beginning? + else if ( head > entrySize ) // Is there enough room at the beginning? { // Wrap around to the beginning, but do not allow the tail to catch // up to the head. @@ -142,11 +197,11 @@ Boolean IODataQueue::enqueue(void * data, UInt32 dataSize) } memcpy(&dataQueue->queue->data, data, dataSize); - dataQueue->tail = entrySize; + OSCompareAndSwap(dataQueue->tail, entrySize, &dataQueue->tail); } else { - return false; // queue is full + return false; // queue is full } } else @@ -160,17 +215,17 @@ Boolean IODataQueue::enqueue(void * data, UInt32 dataSize) entry->size = dataSize; memcpy(&entry->data, data, dataSize); - dataQueue->tail += entrySize; + OSAddAtomic(entrySize, (SInt32 *)&dataQueue->tail); } else { - return false; // queue is full + return false; // queue is full } } // Send notification (via mach message) that data is available. - if ( ( head == tail ) /* queue was empty prior to enqueue() */ + if ( ( head == tail ) /* queue was empty prior to enqueue() */ || ( dataQueue->head == tail ) ) /* queue was emptied during enqueue() */ { sendDataAvailableNotification(); @@ -181,35 +236,28 @@ Boolean IODataQueue::enqueue(void * data, UInt32 dataSize) void IODataQueue::setNotificationPort(mach_port_t port) { - static struct _notifyMsg init_msg = { { - MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0), - sizeof (struct _notifyMsg), - MACH_PORT_NULL, - MACH_PORT_NULL, - 0, - 0 - } }; + mach_msg_header_t * msgh = (mach_msg_header_t *) notifyMsg; - if (notifyMsg == 0) { - notifyMsg = IOMalloc(sizeof(struct _notifyMsg)); + if (msgh) { + bzero(msgh, sizeof(mach_msg_header_t)); + msgh->msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0); + msgh->msgh_size = sizeof(mach_msg_header_t); + msgh->msgh_remote_port = port; } - - *((struct _notifyMsg *)notifyMsg) = init_msg; - - ((struct _notifyMsg *)notifyMsg)->h.msgh_remote_port = port; } void IODataQueue::sendDataAvailableNotification() { - kern_return_t kr; - mach_msg_header_t * msgh; + kern_return_t kr; + mach_msg_header_t * msgh; - msgh = (mach_msg_header_t *)notifyMsg; - if (msgh) { - kr = mach_msg_send_from_kernel(msgh, msgh->msgh_size); + msgh = (mach_msg_header_t *) notifyMsg; + if (msgh && msgh->msgh_remote_port) { + kr = mach_msg_send_from_kernel_with_options(msgh, msgh->msgh_size, MACH_SEND_TIMEOUT, MACH_MSG_TIMEOUT_NONE); switch(kr) { - case MACH_SEND_TIMED_OUT: // Notification already sent + case MACH_SEND_TIMED_OUT: // Notification already sent case MACH_MSG_SUCCESS: + case MACH_SEND_NO_BUFFER: break; default: IOLog("%s: dataAvailableNotification failed - msg_send returned: %d\n", /*getName()*/"IODataQueue", kr); @@ -229,3 +277,4 @@ IOMemoryDescriptor *IODataQueue::getMemoryDescriptor() return descriptor; } +