diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2009-08-25 12:12:43 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-08-25 12:12:43 -0400 |
commit | 5c58ceff103d8a654f24769bb1baaf84a841b0cc (patch) | |
tree | 593c9f47c927850c7b2410c865d4c97aad9f2660 | |
parent | 7111dc73923e9737b38a3ef5b5f236109000ff28 (diff) |
tty: make sure to flush any pending work when halting the ldisc
When I rewrote tty ldisc code to use proper reference counts (commits
65b770468e98 and cbe9352fa08f) in order to avoid a race with hangup, the
test-program that Eric Biederman used to trigger the original problem
seems to have exposed another long-standing bug: the hangup code did the
'tty_ldisc_halt()' to stop any buffer flushing activity, but unlike the
other call sites it never actually flushed any pending work.
As a result, if you get just the right timing, the pending work may be
just about to execute (ie the timer has already triggered and thus
cancel_delayed_work() was a no-op), when we then re-initialize the ldisc
from under it.
That, in turn, results in various random problems, usually seen as a
NULL pointer dereference in run_timer_softirq() or a BUG() in
worker_thread (but it can be almost anything).
Fix it by adding the required 'flush_scheduled_work()' after doing the
tty_ldisc_halt() (this also requires us to move the ldisc halt to before
taking the ldisc mutex in order to avoid a deadlock with the workqueue
executing do_tty_hangup, which requires the mutex).
The locking should be cleaned up one day (the requirement to do this
outside the ldisc_mutex is very annoying, and weakens the lock), but
that's a larger and separate undertaking.
Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Tested-by: Xiaotian Feng <xtfeng@gmail.com>
Tested-by: Yanmin Zhang <yanmin_zhang@linux.intel.com>
Tested-by: Dave Young <hidave.darkstar@gmail.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | drivers/char/tty_ldisc.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/drivers/char/tty_ldisc.c b/drivers/char/tty_ldisc.c index 1733d3439ad2..e48af9f79219 100644 --- a/drivers/char/tty_ldisc.c +++ b/drivers/char/tty_ldisc.c | |||
@@ -508,8 +508,9 @@ static void tty_ldisc_restore(struct tty_struct *tty, struct tty_ldisc *old) | |||
508 | * be obtained while the delayed work queue halt ensures that no more | 508 | * be obtained while the delayed work queue halt ensures that no more |
509 | * data is fed to the ldisc. | 509 | * data is fed to the ldisc. |
510 | * | 510 | * |
511 | * In order to wait for any existing references to complete see | 511 | * You need to do a 'flush_scheduled_work()' (outside the ldisc_mutex) |
512 | * tty_ldisc_wait_idle. | 512 | * in order to make sure any currently executing ldisc work is also |
513 | * flushed. | ||
513 | */ | 514 | */ |
514 | 515 | ||
515 | static int tty_ldisc_halt(struct tty_struct *tty) | 516 | static int tty_ldisc_halt(struct tty_struct *tty) |
@@ -753,11 +754,14 @@ void tty_ldisc_hangup(struct tty_struct *tty) | |||
753 | * N_TTY. | 754 | * N_TTY. |
754 | */ | 755 | */ |
755 | if (tty->driver->flags & TTY_DRIVER_RESET_TERMIOS) { | 756 | if (tty->driver->flags & TTY_DRIVER_RESET_TERMIOS) { |
757 | /* Make sure the old ldisc is quiescent */ | ||
758 | tty_ldisc_halt(tty); | ||
759 | flush_scheduled_work(); | ||
760 | |||
756 | /* Avoid racing set_ldisc or tty_ldisc_release */ | 761 | /* Avoid racing set_ldisc or tty_ldisc_release */ |
757 | mutex_lock(&tty->ldisc_mutex); | 762 | mutex_lock(&tty->ldisc_mutex); |
758 | if (tty->ldisc) { /* Not yet closed */ | 763 | if (tty->ldisc) { /* Not yet closed */ |
759 | /* Switch back to N_TTY */ | 764 | /* Switch back to N_TTY */ |
760 | tty_ldisc_halt(tty); | ||
761 | tty_ldisc_reinit(tty); | 765 | tty_ldisc_reinit(tty); |
762 | /* At this point we have a closed ldisc and we want to | 766 | /* At this point we have a closed ldisc and we want to |
763 | reopen it. We could defer this to the next open but | 767 | reopen it. We could defer this to the next open but |