[linux-dvb] Bug in ring buffer implementation

[Oliver Endriss <o.endriss@gmx.de>]

Hi,

while reading through the driver sources, I found that the free byte 
count of the ring buffers is not calculated correctly.

In the current implementation, code like this is used (example taken 
from dmxdev.c):

        free=buf->pread-buf->pwrite;    (1)
        split=0;
        if (free<=0) {
                free+=buf->size;
                split=buf->size-buf->pwrite;
        }

(1) is not correct. It should read:
        free=buf->pread-buf->pwrite-1;  (2)
                                   ^^
        ...

Obviously a ring buffer of size <n> cannot hold more than <n-1> bytes.
Otherwise you cannot distinguish between an empty and a full buffer.

Example:
ring buffer size=10, pread=0, pwrite=0
Current code would compute free=10. Writing 10 bytes would result in 
pread=pwrite=0, which means that the buffer is empty! 
In this case all data is lost.

Fixed code (2) will produce free=9 which is correct.

All driver versions (head, dvb-kernel, metzler-driver) have this bug.
In the head driver I found 4 places in av7110.c and 1 in dmxdev.c.
There might be more.

Oliver



-- 
Info:
To unsubscribe send a mail to listar@linuxtv.org with "unsubscribe linux-dvb" as subject.