Fix OpenSSH pty regression on close

OpenSSH expects the (non-blocking) read() of pty master to return
EAGAIN only if it has received all of the slave-side output after
it has received SIGCHLD. This used to work on pre-3.12 kernels.

This fix effectively forces non-blocking read() and poll() to
block for parallel i/o to complete for all ttys. It also unwinds
these changes:

1) f8747d4a466ab2cafe56112c51b3379f9fdb7a12
   tty: Fix pty master read() after slave closes

2) 52bce7f8d4fc633c9a9d0646eef58ba6ae9a3b73
   pty, n_tty: Simplify input processing on final close

3) 1a48632ffed61352a7810ce089dc5a8bcd505a60
   pty: Fix input race when closing

Inspired by analysis and patch from Marc Aurele La France <tsi@tuyoix.net>

Reported-by: Volth <openssh@volth.com>
Reported-by: Marc Aurele La France <tsi@tuyoix.net>
BugLink: https://bugzilla.mindrot.org/show_bug.cgi?id=52
BugLink: https://bugzilla.mindrot.org/show_bug.cgi?id=2492
Signed-off-by: Brian Bloniarz <brian.bloniarz@gmail.com>
Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

4 files changed, 42 insertions, 70 deletions

diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
index bcaba17688f6..a7fa016f31eb 100644
--- a/drivers/tty/n_hdlc.c
+++ b/drivers/tty/n_hdlc.c
@@ -599,7 +599,7 @@ static ssize_t n_hdlc_tty_read(struct tty_struct *tty, struct file *file,
         add_wait_queue(&tty->read_wait, &wait);
 
         for (;;) {
-                if (test_bit(TTY_OTHER_DONE, &tty->flags)) {
+                if (test_bit(TTY_OTHER_CLOSED, &tty->flags)) {
                         ret = -EIO;
                         break;
                 }
@@ -827,7 +827,7 @@ static unsigned int n_hdlc_tty_poll(struct tty_struct *tty, struct file *filp,
                 /* set bits for operations that won't block */
                 if (n_hdlc->rx_buf_list.head)
                         mask |= POLLIN | POLLRDNORM;    /* readable */
-                if (test_bit(TTY_OTHER_DONE, &tty->flags))
+                if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
                         mask |= POLLHUP;
                 if (tty_hung_up_p(filp))
                         mask |= POLLHUP;
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index fb76a7d80e7e..bdf0e6e89991 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -1917,18 +1917,6 @@ static inline int input_available_p(struct tty_struct *tty, int poll)
                 return ldata->commit_head - ldata->read_tail >= amt;
 }
 
-static inline int check_other_done(struct tty_struct *tty)
-{
-        int done = test_bit(TTY_OTHER_DONE, &tty->flags);
-        if (done) {
-                /* paired with cmpxchg() in check_other_closed(); ensures
-                 * read buffer head index is not stale
-                 */
-                smp_mb__after_atomic();
-        }
-        return done;
-}
-
 /**
  *      copy_from_read_buf      -       copy read data directly
  *      @tty: terminal device
@@ -2124,7 +2112,7 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
         struct n_tty_data *ldata = tty->disc_data;
         unsigned char __user *b = buf;
         DEFINE_WAIT_FUNC(wait, woken_wake_function);
-        int c, done;
+        int c;
         int minimum, time;
         ssize_t retval = 0;
         long timeout;
@@ -2183,32 +2171,35 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
                         break;
                 }
 
-                done = check_other_done(tty);
-
                 if (!input_available_p(tty, 0)) {
-                        if (done) {
-                                retval = -EIO;
-                                break;
-                        }
-                        if (tty_hung_up_p(file))
-                                break;
-                        if (!timeout)
-                                break;
-                        if (file->f_flags & O_NONBLOCK) {
-                                retval = -EAGAIN;
-                                break;
-                        }
-                        if (signal_pending(current)) {
-                                retval = -ERESTARTSYS;
-                                break;
-                        }
                         up_read(&tty->termios_rwsem);
+                        tty_buffer_flush_work(tty->port);
+                        down_read(&tty->termios_rwsem);
+                        if (!input_available_p(tty, 0)) {
+                                if (test_bit(TTY_OTHER_CLOSED, &tty->flags)) {
+                                        retval = -EIO;
+                                        break;
+                                }
+                                if (tty_hung_up_p(file))
+                                        break;
+                                if (!timeout)
+                                        break;
+                                if (file->f_flags & O_NONBLOCK) {
+                                        retval = -EAGAIN;
+                                        break;
+                                }
+                                if (signal_pending(current)) {
+                                        retval = -ERESTARTSYS;
+                                        break;
+                                }
+                                up_read(&tty->termios_rwsem);
 
-                        timeout = wait_woken(&wait, TASK_INTERRUPTIBLE,
-                                             timeout);
+                                timeout = wait_woken(&wait, TASK_INTERRUPTIBLE,
+                                                timeout);
 
-                        down_read(&tty->termios_rwsem);
-                        continue;
+                                down_read(&tty->termios_rwsem);
+                                continue;
+                        }
                 }
 
                 if (ldata->icanon && !L_EXTPROC(tty)) {
@@ -2386,12 +2377,17 @@ static unsigned int n_tty_poll(struct tty_struct *tty, struct file *file,
 
         poll_wait(file, &tty->read_wait, wait);
         poll_wait(file, &tty->write_wait, wait);
-        if (check_other_done(tty))
-                mask |= POLLHUP;
         if (input_available_p(tty, 1))
                 mask |= POLLIN | POLLRDNORM;
+        else {
+                tty_buffer_flush_work(tty->port);
+                if (input_available_p(tty, 1))
+                        mask |= POLLIN | POLLRDNORM;
+        }
         if (tty->packet && tty->link->ctrl_status)
                 mask |= POLLPRI | POLLIN | POLLRDNORM;
+        if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
+                mask |= POLLHUP;
         if (tty_hung_up_p(file))
                 mask |= POLLHUP;
         if (tty->ops->write && !tty_is_writelocked(tty) &&
diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
index a8a292fd564f..ee0e84798399 100644
--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
@@ -59,7 +59,7 @@ static void pty_close(struct tty_struct *tty, struct file *filp)
         if (!tty->link)
                 return;
         set_bit(TTY_OTHER_CLOSED, &tty->link->flags);
-        tty_flip_buffer_push(tty->link->port);
+        wake_up_interruptible(&tty->link->read_wait);
         wake_up_interruptible(&tty->link->write_wait);
         if (tty->driver->subtype == PTY_TYPE_MASTER) {
                 set_bit(TTY_OTHER_CLOSED, &tty->flags);
@@ -247,9 +247,7 @@ static int pty_open(struct tty_struct *tty, struct file *filp)
                 goto out;
 
         clear_bit(TTY_IO_ERROR, &tty->flags);
-        /* TTY_OTHER_CLOSED must be cleared before TTY_OTHER_DONE */
         clear_bit(TTY_OTHER_CLOSED, &tty->link->flags);
-        clear_bit(TTY_OTHER_DONE, &tty->link->flags);
         set_bit(TTY_THROTTLED, &tty->flags);
         return 0;
 
diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
index a946e49a2626..aa80dc94ddc2 100644
--- a/drivers/tty/tty_buffer.c
+++ b/drivers/tty/tty_buffer.c
@@ -37,29 +37,6 @@
 
 #define TTY_BUFFER_PAGE (((PAGE_SIZE - sizeof(struct tty_buffer)) / 2) & ~0xFF)
 
-/*
- * If all tty flip buffers have been processed by flush_to_ldisc() or
- * dropped by tty_buffer_flush(), check if the linked pty has been closed.
- * If so, wake the reader/poll to process
- */
-static inline void check_other_closed(struct tty_struct *tty)
-{
-        unsigned long flags, old;
-
-        /* transition from TTY_OTHER_CLOSED => TTY_OTHER_DONE must be atomic */
-        for (flags = ACCESS_ONCE(tty->flags);
-             test_bit(TTY_OTHER_CLOSED, &flags);
-             ) {
-                old = flags;
-                __set_bit(TTY_OTHER_DONE, &flags);
-                flags = cmpxchg(&tty->flags, old, flags);
-                if (old == flags) {
-                        wake_up_interruptible(&tty->read_wait);
-                        break;
-                }
-        }
-}
-
 /**
  *      tty_buffer_lock_exclusive       -       gain exclusive access to buffer
  *      tty_buffer_unlock_exclusive     -       release exclusive access
@@ -254,8 +231,6 @@ void tty_buffer_flush(struct tty_struct *tty, struct tty_ldisc *ld)
         if (ld && ld->ops->flush_buffer)
                 ld->ops->flush_buffer(tty);
 
-        check_other_closed(tty);
-
         atomic_dec(&buf->priority);
         mutex_unlock(&buf->lock);
 }
@@ -522,10 +497,8 @@ static void flush_to_ldisc(struct work_struct *work)
                  */
                 count = smp_load_acquire(&head->commit) - head->read;
                 if (!count) {
-                        if (next == NULL) {
-                                check_other_closed(tty);
+                        if (next == NULL)
                                 break;
-                        }
                         buf->head = next;
                         tty_buffer_free(port, head);
                         continue;
@@ -614,3 +587,8 @@ bool tty_buffer_cancel_work(struct tty_port *port)
 {
         return cancel_work_sync(&port->buf.work);
 }
+
+void tty_buffer_flush_work(struct tty_port *port)
+{
+        flush_work(&port->buf.work);
+}