diff options
| author | Amit Shah <amit.shah@redhat.com> | 2010-03-12 01:23:15 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2010-03-19 10:17:54 -0400 |
| commit | e74d098c66543d0731de62eb747ccd5b636a6f4c (patch) | |
| tree | 8ed9937f653cf42a82ca7bd319a69dd35fb2325d | |
| parent | f157b58511e56d418eb582de96fedc4ea03d8061 (diff) | |
hvc_console: Fix race between hvc_close and hvc_remove
Alan pointed out a race in the code where hvc_remove is invoked. The
recent virtio_console work is the first user of hvc_remove().
Alan describes it thus:
The hvc_console assumes that a close and remove call can't occur at the
same time.
In addition tty_hangup(tty) is problematic as tty_hangup is asynchronous
itself....
So this can happen
hvc_close hvc_remove
hung up ? - no
lock
tty = hp->tty
unlock
lock
hp->tty = NULL
unlock
notify del
kref_put the hvc struct
close completes
tty is destroyed
tty_hangup dead tty
tty->ops will be NULL
NULL->...
This patch adds some tty krefs and also converts to using tty_vhangup().
Reported-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
CC: Alan Cox <alan@lxorguk.ukuu.org.uk>
CC: linuxppc-dev@ozlabs.org
CC: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
| -rw-r--r-- | drivers/char/hvc_console.c | 31 |
1 files changed, 21 insertions, 10 deletions
diff --git a/drivers/char/hvc_console.c b/drivers/char/hvc_console.c index 465185fc0f52..ba55bba151b9 100644 --- a/drivers/char/hvc_console.c +++ b/drivers/char/hvc_console.c | |||
| @@ -312,6 +312,7 @@ static int hvc_open(struct tty_struct *tty, struct file * filp) | |||
| 312 | spin_lock_irqsave(&hp->lock, flags); | 312 | spin_lock_irqsave(&hp->lock, flags); |
| 313 | /* Check and then increment for fast path open. */ | 313 | /* Check and then increment for fast path open. */ |
| 314 | if (hp->count++ > 0) { | 314 | if (hp->count++ > 0) { |
| 315 | tty_kref_get(tty); | ||
| 315 | spin_unlock_irqrestore(&hp->lock, flags); | 316 | spin_unlock_irqrestore(&hp->lock, flags); |
| 316 | hvc_kick(); | 317 | hvc_kick(); |
| 317 | return 0; | 318 | return 0; |
| @@ -319,7 +320,7 @@ static int hvc_open(struct tty_struct *tty, struct file * filp) | |||
| 319 | 320 | ||
| 320 | tty->driver_data = hp; | 321 | tty->driver_data = hp; |
| 321 | 322 | ||
| 322 | hp->tty = tty; | 323 | hp->tty = tty_kref_get(tty); |
| 323 | 324 | ||
| 324 | spin_unlock_irqrestore(&hp->lock, flags); | 325 | spin_unlock_irqrestore(&hp->lock, flags); |
| 325 | 326 | ||
| @@ -336,6 +337,7 @@ static int hvc_open(struct tty_struct *tty, struct file * filp) | |||
| 336 | spin_lock_irqsave(&hp->lock, flags); | 337 | spin_lock_irqsave(&hp->lock, flags); |
| 337 | hp->tty = NULL; | 338 | hp->tty = NULL; |
| 338 | spin_unlock_irqrestore(&hp->lock, flags); | 339 | spin_unlock_irqrestore(&hp->lock, flags); |
| 340 | tty_kref_put(tty); | ||
| 339 | tty->driver_data = NULL; | 341 | tty->driver_data = NULL; |
| 340 | kref_put(&hp->kref, destroy_hvc_struct); | 342 | kref_put(&hp->kref, destroy_hvc_struct); |
| 341 | printk(KERN_ERR "hvc_open: request_irq failed with rc %d.\n", rc); | 343 | printk(KERN_ERR "hvc_open: request_irq failed with rc %d.\n", rc); |
| @@ -363,13 +365,18 @@ static void hvc_close(struct tty_struct *tty, struct file * filp) | |||
| 363 | return; | 365 | return; |
| 364 | 366 | ||
| 365 | hp = tty->driver_data; | 367 | hp = tty->driver_data; |
| 368 | |||
| 366 | spin_lock_irqsave(&hp->lock, flags); | 369 | spin_lock_irqsave(&hp->lock, flags); |
| 370 | tty_kref_get(tty); | ||
| 367 | 371 | ||
| 368 | if (--hp->count == 0) { | 372 | if (--hp->count == 0) { |
| 369 | /* We are done with the tty pointer now. */ | 373 | /* We are done with the tty pointer now. */ |
| 370 | hp->tty = NULL; | 374 | hp->tty = NULL; |
| 371 | spin_unlock_irqrestore(&hp->lock, flags); | 375 | spin_unlock_irqrestore(&hp->lock, flags); |
| 372 | 376 | ||
| 377 | /* Put the ref obtained in hvc_open() */ | ||
| 378 | tty_kref_put(tty); | ||
| 379 | |||
| 373 | if (hp->ops->notifier_del) | 380 | if (hp->ops->notifier_del) |
| 374 | hp->ops->notifier_del(hp, hp->data); | 381 | hp->ops->notifier_del(hp, hp->data); |
| 375 | 382 | ||
| @@ -389,6 +396,7 @@ static void hvc_close(struct tty_struct *tty, struct file * filp) | |||
| 389 | spin_unlock_irqrestore(&hp->lock, flags); | 396 | spin_unlock_irqrestore(&hp->lock, flags); |
| 390 | } | 397 | } |
| 391 | 398 | ||
| 399 | tty_kref_put(tty); | ||
| 392 | kref_put(&hp->kref, destroy_hvc_struct); | 400 | kref_put(&hp->kref, destroy_hvc_struct); |
| 393 | } | 401 | } |
| 394 | 402 | ||
| @@ -424,10 +432,11 @@ static void hvc_hangup(struct tty_struct *tty) | |||
| 424 | spin_unlock_irqrestore(&hp->lock, flags); | 432 | spin_unlock_irqrestore(&hp->lock, flags); |
| 425 | 433 | ||
| 426 | if (hp->ops->notifier_hangup) | 434 | if (hp->ops->notifier_hangup) |
| 427 | hp->ops->notifier_hangup(hp, hp->data); | 435 | hp->ops->notifier_hangup(hp, hp->data); |
| 428 | 436 | ||
| 429 | while(temp_open_count) { | 437 | while(temp_open_count) { |
| 430 | --temp_open_count; | 438 | --temp_open_count; |
| 439 | tty_kref_put(tty); | ||
| 431 | kref_put(&hp->kref, destroy_hvc_struct); | 440 | kref_put(&hp->kref, destroy_hvc_struct); |
| 432 | } | 441 | } |
| 433 | } | 442 | } |
| @@ -592,7 +601,7 @@ int hvc_poll(struct hvc_struct *hp) | |||
| 592 | } | 601 | } |
| 593 | 602 | ||
| 594 | /* No tty attached, just skip */ | 603 | /* No tty attached, just skip */ |
| 595 | tty = hp->tty; | 604 | tty = tty_kref_get(hp->tty); |
| 596 | if (tty == NULL) | 605 | if (tty == NULL) |
| 597 | goto bail; | 606 | goto bail; |
| 598 | 607 | ||
| @@ -672,6 +681,8 @@ int hvc_poll(struct hvc_struct *hp) | |||
| 672 | 681 | ||
| 673 | tty_flip_buffer_push(tty); | 682 | tty_flip_buffer_push(tty); |
| 674 | } | 683 | } |
| 684 | if (tty) | ||
| 685 | tty_kref_put(tty); | ||
| 675 | 686 | ||
| 676 | return poll_mask; | 687 | return poll_mask; |
| 677 | } | 688 | } |
| @@ -807,7 +818,7 @@ int hvc_remove(struct hvc_struct *hp) | |||
| 807 | struct tty_struct *tty; | 818 | struct tty_struct *tty; |
| 808 | 819 | ||
| 809 | spin_lock_irqsave(&hp->lock, flags); | 820 | spin_lock_irqsave(&hp->lock, flags); |
| 810 | tty = hp->tty; | 821 | tty = tty_kref_get(hp->tty); |
| 811 | 822 | ||
| 812 | if (hp->index < MAX_NR_HVC_CONSOLES) | 823 | if (hp->index < MAX_NR_HVC_CONSOLES) |
| 813 | vtermnos[hp->index] = -1; | 824 | vtermnos[hp->index] = -1; |
| @@ -819,18 +830,18 @@ int hvc_remove(struct hvc_struct *hp) | |||
| 819 | /* | 830 | /* |
| 820 | * We 'put' the instance that was grabbed when the kref instance | 831 | * We 'put' the instance that was grabbed when the kref instance |
| 821 | * was initialized using kref_init(). Let the last holder of this | 832 | * was initialized using kref_init(). Let the last holder of this |
| 822 | * kref cause it to be removed, which will probably be the tty_hangup | 833 | * kref cause it to be removed, which will probably be the tty_vhangup |
| 823 | * below. | 834 | * below. |
| 824 | */ | 835 | */ |
| 825 | kref_put(&hp->kref, destroy_hvc_struct); | 836 | kref_put(&hp->kref, destroy_hvc_struct); |
| 826 | 837 | ||
| 827 | /* | 838 | /* |
| 828 | * This function call will auto chain call hvc_hangup. The tty should | 839 | * This function call will auto chain call hvc_hangup. |
| 829 | * always be valid at this time unless a simultaneous tty close already | ||
| 830 | * cleaned up the hvc_struct. | ||
| 831 | */ | 840 | */ |
| 832 | if (tty) | 841 | if (tty) { |
| 833 | tty_hangup(tty); | 842 | tty_vhangup(tty); |
| 843 | tty_kref_put(tty); | ||
| 844 | } | ||
| 834 | return 0; | 845 | return 0; |
| 835 | } | 846 | } |
| 836 | EXPORT_SYMBOL_GPL(hvc_remove); | 847 | EXPORT_SYMBOL_GPL(hvc_remove); |