aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2009-08-25 12:12:43 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2009-08-25 12:12:43 -0400
commit5c58ceff103d8a654f24769bb1baaf84a841b0cc (patch)
tree593c9f47c927850c7b2410c865d4c97aad9f2660
parent7111dc73923e9737b38a3ef5b5f236109000ff28 (diff)
tty: make sure to flush any pending work when halting the ldisc
When I rewrote tty ldisc code to use proper reference counts (commits 65b770468e98 and cbe9352fa08f) in order to avoid a race with hangup, the test-program that Eric Biederman used to trigger the original problem seems to have exposed another long-standing bug: the hangup code did the 'tty_ldisc_halt()' to stop any buffer flushing activity, but unlike the other call sites it never actually flushed any pending work. As a result, if you get just the right timing, the pending work may be just about to execute (ie the timer has already triggered and thus cancel_delayed_work() was a no-op), when we then re-initialize the ldisc from under it. That, in turn, results in various random problems, usually seen as a NULL pointer dereference in run_timer_softirq() or a BUG() in worker_thread (but it can be almost anything). Fix it by adding the required 'flush_scheduled_work()' after doing the tty_ldisc_halt() (this also requires us to move the ldisc halt to before taking the ldisc mutex in order to avoid a deadlock with the workqueue executing do_tty_hangup, which requires the mutex). The locking should be cleaned up one day (the requirement to do this outside the ldisc_mutex is very annoying, and weakens the lock), but that's a larger and separate undertaking. Reported-by: Eric W. Biederman <ebiederm@xmission.com> Tested-by: Xiaotian Feng <xtfeng@gmail.com> Tested-by: Yanmin Zhang <yanmin_zhang@linux.intel.com> Tested-by: Dave Young <hidave.darkstar@gmail.com> Cc: Frederic Weisbecker <fweisbec@gmail.com> Cc: Greg Kroah-Hartman <gregkh@suse.de> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--drivers/char/tty_ldisc.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/drivers/char/tty_ldisc.c b/drivers/char/tty_ldisc.c
index 1733d3439ad2..e48af9f79219 100644
--- a/drivers/char/tty_ldisc.c
+++ b/drivers/char/tty_ldisc.c
@@ -508,8 +508,9 @@ static void tty_ldisc_restore(struct tty_struct *tty, struct tty_ldisc *old)
508 * be obtained while the delayed work queue halt ensures that no more 508 * be obtained while the delayed work queue halt ensures that no more
509 * data is fed to the ldisc. 509 * data is fed to the ldisc.
510 * 510 *
511 * In order to wait for any existing references to complete see 511 * You need to do a 'flush_scheduled_work()' (outside the ldisc_mutex)
512 * tty_ldisc_wait_idle. 512 * in order to make sure any currently executing ldisc work is also
513 * flushed.
513 */ 514 */
514 515
515static int tty_ldisc_halt(struct tty_struct *tty) 516static int tty_ldisc_halt(struct tty_struct *tty)
@@ -753,11 +754,14 @@ void tty_ldisc_hangup(struct tty_struct *tty)
753 * N_TTY. 754 * N_TTY.
754 */ 755 */
755 if (tty->driver->flags & TTY_DRIVER_RESET_TERMIOS) { 756 if (tty->driver->flags & TTY_DRIVER_RESET_TERMIOS) {
757 /* Make sure the old ldisc is quiescent */
758 tty_ldisc_halt(tty);
759 flush_scheduled_work();
760
756 /* Avoid racing set_ldisc or tty_ldisc_release */ 761 /* Avoid racing set_ldisc or tty_ldisc_release */
757 mutex_lock(&tty->ldisc_mutex); 762 mutex_lock(&tty->ldisc_mutex);
758 if (tty->ldisc) { /* Not yet closed */ 763 if (tty->ldisc) { /* Not yet closed */
759 /* Switch back to N_TTY */ 764 /* Switch back to N_TTY */
760 tty_ldisc_halt(tty);
761 tty_ldisc_reinit(tty); 765 tty_ldisc_reinit(tty);
762 /* At this point we have a closed ldisc and we want to 766 /* At this point we have a closed ldisc and we want to
763 reopen it. We could defer this to the next open but 767 reopen it. We could defer this to the next open but