diff options
author | Amit Shah <amit.shah@redhat.com> | 2010-03-12 01:23:15 -0500 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2010-03-19 10:17:54 -0400 |
commit | e74d098c66543d0731de62eb747ccd5b636a6f4c (patch) | |
tree | 8ed9937f653cf42a82ca7bd319a69dd35fb2325d /drivers | |
parent | f157b58511e56d418eb582de96fedc4ea03d8061 (diff) |
hvc_console: Fix race between hvc_close and hvc_remove
Alan pointed out a race in the code where hvc_remove is invoked. The
recent virtio_console work is the first user of hvc_remove().
Alan describes it thus:
The hvc_console assumes that a close and remove call can't occur at the
same time.
In addition tty_hangup(tty) is problematic as tty_hangup is asynchronous
itself....
So this can happen
hvc_close hvc_remove
hung up ? - no
lock
tty = hp->tty
unlock
lock
hp->tty = NULL
unlock
notify del
kref_put the hvc struct
close completes
tty is destroyed
tty_hangup dead tty
tty->ops will be NULL
NULL->...
This patch adds some tty krefs and also converts to using tty_vhangup().
Reported-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
CC: Alan Cox <alan@lxorguk.ukuu.org.uk>
CC: linuxppc-dev@ozlabs.org
CC: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/char/hvc_console.c | 31 |
1 files changed, 21 insertions, 10 deletions
diff --git a/drivers/char/hvc_console.c b/drivers/char/hvc_console.c index 465185fc0f5..ba55bba151b 100644 --- a/drivers/char/hvc_console.c +++ b/drivers/char/hvc_console.c | |||
@@ -312,6 +312,7 @@ static int hvc_open(struct tty_struct *tty, struct file * filp) | |||
312 | spin_lock_irqsave(&hp->lock, flags); | 312 | spin_lock_irqsave(&hp->lock, flags); |
313 | /* Check and then increment for fast path open. */ | 313 | /* Check and then increment for fast path open. */ |
314 | if (hp->count++ > 0) { | 314 | if (hp->count++ > 0) { |
315 | tty_kref_get(tty); | ||
315 | spin_unlock_irqrestore(&hp->lock, flags); | 316 | spin_unlock_irqrestore(&hp->lock, flags); |
316 | hvc_kick(); | 317 | hvc_kick(); |
317 | return 0; | 318 | return 0; |
@@ -319,7 +320,7 @@ static int hvc_open(struct tty_struct *tty, struct file * filp) | |||
319 | 320 | ||
320 | tty->driver_data = hp; | 321 | tty->driver_data = hp; |
321 | 322 | ||
322 | hp->tty = tty; | 323 | hp->tty = tty_kref_get(tty); |
323 | 324 | ||
324 | spin_unlock_irqrestore(&hp->lock, flags); | 325 | spin_unlock_irqrestore(&hp->lock, flags); |
325 | 326 | ||
@@ -336,6 +337,7 @@ static int hvc_open(struct tty_struct *tty, struct file * filp) | |||
336 | spin_lock_irqsave(&hp->lock, flags); | 337 | spin_lock_irqsave(&hp->lock, flags); |
337 | hp->tty = NULL; | 338 | hp->tty = NULL; |
338 | spin_unlock_irqrestore(&hp->lock, flags); | 339 | spin_unlock_irqrestore(&hp->lock, flags); |
340 | tty_kref_put(tty); | ||
339 | tty->driver_data = NULL; | 341 | tty->driver_data = NULL; |
340 | kref_put(&hp->kref, destroy_hvc_struct); | 342 | kref_put(&hp->kref, destroy_hvc_struct); |
341 | printk(KERN_ERR "hvc_open: request_irq failed with rc %d.\n", rc); | 343 | printk(KERN_ERR "hvc_open: request_irq failed with rc %d.\n", rc); |
@@ -363,13 +365,18 @@ static void hvc_close(struct tty_struct *tty, struct file * filp) | |||
363 | return; | 365 | return; |
364 | 366 | ||
365 | hp = tty->driver_data; | 367 | hp = tty->driver_data; |
368 | |||
366 | spin_lock_irqsave(&hp->lock, flags); | 369 | spin_lock_irqsave(&hp->lock, flags); |
370 | tty_kref_get(tty); | ||
367 | 371 | ||
368 | if (--hp->count == 0) { | 372 | if (--hp->count == 0) { |
369 | /* We are done with the tty pointer now. */ | 373 | /* We are done with the tty pointer now. */ |
370 | hp->tty = NULL; | 374 | hp->tty = NULL; |
371 | spin_unlock_irqrestore(&hp->lock, flags); | 375 | spin_unlock_irqrestore(&hp->lock, flags); |
372 | 376 | ||
377 | /* Put the ref obtained in hvc_open() */ | ||
378 | tty_kref_put(tty); | ||
379 | |||
373 | if (hp->ops->notifier_del) | 380 | if (hp->ops->notifier_del) |
374 | hp->ops->notifier_del(hp, hp->data); | 381 | hp->ops->notifier_del(hp, hp->data); |
375 | 382 | ||
@@ -389,6 +396,7 @@ static void hvc_close(struct tty_struct *tty, struct file * filp) | |||
389 | spin_unlock_irqrestore(&hp->lock, flags); | 396 | spin_unlock_irqrestore(&hp->lock, flags); |
390 | } | 397 | } |
391 | 398 | ||
399 | tty_kref_put(tty); | ||
392 | kref_put(&hp->kref, destroy_hvc_struct); | 400 | kref_put(&hp->kref, destroy_hvc_struct); |
393 | } | 401 | } |
394 | 402 | ||
@@ -424,10 +432,11 @@ static void hvc_hangup(struct tty_struct *tty) | |||
424 | spin_unlock_irqrestore(&hp->lock, flags); | 432 | spin_unlock_irqrestore(&hp->lock, flags); |
425 | 433 | ||
426 | if (hp->ops->notifier_hangup) | 434 | if (hp->ops->notifier_hangup) |
427 | hp->ops->notifier_hangup(hp, hp->data); | 435 | hp->ops->notifier_hangup(hp, hp->data); |
428 | 436 | ||
429 | while(temp_open_count) { | 437 | while(temp_open_count) { |
430 | --temp_open_count; | 438 | --temp_open_count; |
439 | tty_kref_put(tty); | ||
431 | kref_put(&hp->kref, destroy_hvc_struct); | 440 | kref_put(&hp->kref, destroy_hvc_struct); |
432 | } | 441 | } |
433 | } | 442 | } |
@@ -592,7 +601,7 @@ int hvc_poll(struct hvc_struct *hp) | |||
592 | } | 601 | } |
593 | 602 | ||
594 | /* No tty attached, just skip */ | 603 | /* No tty attached, just skip */ |
595 | tty = hp->tty; | 604 | tty = tty_kref_get(hp->tty); |
596 | if (tty == NULL) | 605 | if (tty == NULL) |
597 | goto bail; | 606 | goto bail; |
598 | 607 | ||
@@ -672,6 +681,8 @@ int hvc_poll(struct hvc_struct *hp) | |||
672 | 681 | ||
673 | tty_flip_buffer_push(tty); | 682 | tty_flip_buffer_push(tty); |
674 | } | 683 | } |
684 | if (tty) | ||
685 | tty_kref_put(tty); | ||
675 | 686 | ||
676 | return poll_mask; | 687 | return poll_mask; |
677 | } | 688 | } |
@@ -807,7 +818,7 @@ int hvc_remove(struct hvc_struct *hp) | |||
807 | struct tty_struct *tty; | 818 | struct tty_struct *tty; |
808 | 819 | ||
809 | spin_lock_irqsave(&hp->lock, flags); | 820 | spin_lock_irqsave(&hp->lock, flags); |
810 | tty = hp->tty; | 821 | tty = tty_kref_get(hp->tty); |
811 | 822 | ||
812 | if (hp->index < MAX_NR_HVC_CONSOLES) | 823 | if (hp->index < MAX_NR_HVC_CONSOLES) |
813 | vtermnos[hp->index] = -1; | 824 | vtermnos[hp->index] = -1; |
@@ -819,18 +830,18 @@ int hvc_remove(struct hvc_struct *hp) | |||
819 | /* | 830 | /* |
820 | * We 'put' the instance that was grabbed when the kref instance | 831 | * We 'put' the instance that was grabbed when the kref instance |
821 | * was initialized using kref_init(). Let the last holder of this | 832 | * was initialized using kref_init(). Let the last holder of this |
822 | * kref cause it to be removed, which will probably be the tty_hangup | 833 | * kref cause it to be removed, which will probably be the tty_vhangup |
823 | * below. | 834 | * below. |
824 | */ | 835 | */ |
825 | kref_put(&hp->kref, destroy_hvc_struct); | 836 | kref_put(&hp->kref, destroy_hvc_struct); |
826 | 837 | ||
827 | /* | 838 | /* |
828 | * This function call will auto chain call hvc_hangup. The tty should | 839 | * This function call will auto chain call hvc_hangup. |
829 | * always be valid at this time unless a simultaneous tty close already | ||
830 | * cleaned up the hvc_struct. | ||
831 | */ | 840 | */ |
832 | if (tty) | 841 | if (tty) { |
833 | tty_hangup(tty); | 842 | tty_vhangup(tty); |
843 | tty_kref_put(tty); | ||
844 | } | ||
834 | return 0; | 845 | return 0; |
835 | } | 846 | } |
836 | EXPORT_SYMBOL_GPL(hvc_remove); | 847 | EXPORT_SYMBOL_GPL(hvc_remove); |