Kernel: Fix subtle race condition in sys$write implementation

There is a slight race condition in our implementation of write().
We call File::can_write() before attempting to write to it (blocking if
it returns false). If it returns true, we assume that we can write to
the file, and our code assumes that File::write() cannot possibly fail
by being blocked. There is, however, the rare case where another process
writes to the file and prevents further writes in between the call to
Files::can_write() and File::write() in the first process. This would
result in the first process calling File::write() when it cannot be
written to.

We fix this by adding a mechanism for File::can_write() to signal that
it was blocked, making it the responsibilty of File::write() to check
whether it can write and then finally making sys$write() check if the
write failed due to it being blocked.

Kernel/Devices/SerialDevice.cpp

@@ -31,6 +31,7 @@ KResultOr<size_t> SerialDevice::read(FileDescription&, u64, UserOrKernelBuffer&
  if (!size)
  return 0;
 
+ ScopedSpinLock lock(m_serial_lock);
  if (!(get_line_status() & DataReady))
  return 0;
 
@@ -46,13 +47,14 @@ bool SerialDevice::can_write(const FileDescription&, size_t) const
  return (get_line_status() & EmptyTransmitterHoldingRegister) != 0;
 }
 
-KResultOr<size_t> SerialDevice::write(FileDescription&, u64, const UserOrKernelBuffer& buffer, size_t size)
+KResultOr<size_t> SerialDevice::write(FileDescription& description, u64, const UserOrKernelBuffer& buffer, size_t size)
 {
  if (!size)
  return 0;
 
- if (!(get_line_status() & EmptyTransmitterHoldingRegister))
- return 0;
+ ScopedSpinLock lock(m_serial_lock);
+ if (!can_write(description, size))
+ return EAGAIN;
 
  return buffer.read_buffered<128>(size, [&](u8 const* data, size_t data_size) {
  for (size_t i = 0; i < data_size; i++)

Kernel/Devices/SerialDevice.h

@@ -135,6 +135,7 @@ class SerialDevice final : public CharacterDevice {
  bool m_break_enable { false };
  u8 m_modem_control { 0 };
  bool m_last_put_char_was_carriage_return { false };
+ SpinLock<u8> m_serial_lock;
 };
 
 }

Kernel/Syscalls/write.cpp

@@ -60,10 +60,6 @@ KResultOr<ssize_t> Process::sys$writev(int fd, Userspace<const struct iovec*> io
 KResultOr<ssize_t> Process::do_write(FileDescription& description, const UserOrKernelBuffer& data, size_t data_size)
 {
  ssize_t total_nwritten = 0;
- if (!description.is_blocking()) {
- if (!description.can_write())
- return EAGAIN;
- }
 
  if (description.should_append() && description.file().is_seekable()) {
  auto seek_result = description.seek(0, SEEK_END);
@@ -72,11 +68,12 @@ KResultOr<ssize_t> Process::do_write(FileDescription& description, const UserOrK
  }
 
  while ((size_t)total_nwritten < data_size) {
- if (!description.can_write()) {
+ while (!description.can_write()) {
  if (!description.is_blocking()) {
- // Short write: We can no longer write to this non-blocking description.
- VERIFY(total_nwritten > 0);
- return total_nwritten;
+ if (total_nwritten > 0)
+ return total_nwritten;
+ else
+ return EAGAIN;
  }
  auto unblock_flags = Thread::FileBlocker::BlockFlags::None;
  if (Thread::current()->block<Thread::WriteBlocker>({}, description, unblock_flags).was_interrupted()) {
@@ -87,12 +84,13 @@ KResultOr<ssize_t> Process::do_write(FileDescription& description, const UserOrK
  }
  auto nwritten_or_error = description.write(data.offset(total_nwritten), data_size - total_nwritten);
  if (nwritten_or_error.is_error()) {
- if (total_nwritten)
+ if (total_nwritten > 0)
  return total_nwritten;
+ if (nwritten_or_error.error() == EAGAIN)
+ continue;
  return nwritten_or_error.error();
  }
- if (nwritten_or_error.value() == 0)
- break;
+ VERIFY(nwritten_or_error.value() > 0);
  total_nwritten += nwritten_or_error.value();
  }
  return total_nwritten;