diff options
author | Alan Cox <alan@linux.intel.com> | 2009-07-16 11:07:03 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-07-16 12:19:16 -0400 |
commit | 807708844979ba8c6d5717345a8608454992696d (patch) | |
tree | 97daa91a0ddd6ed6fe48a5967762523c4fe1f924 /drivers/char | |
parent | 9237a81a1468d0aca1cc4e244bba2362d6f81b35 (diff) |
n_tty: Fix echo race
If a tty in N_TTY mode with echo enabled manages to get itself into a state
where
- echo characters are pending
- FASYNC is enabled
- tty_write_wakeup is called from either
- a device write path (pty)
- an IRQ (serial)
then it either deadlocks or explodes taking a mutex in the IRQ path.
On the serial side it is almost impossible to reproduce because you have to
go from a full serial port to a near empty one with echo characters
pending. The pty case happens to have become possible to trigger using
emacs and ptys, the pty changes having created a scenario which shows up
this bug.
The code path is
n_tty:process_echoes() (takes mutex)
tty_io:tty_put_char()
pty:pty_write (or serial paths)
tty_wakeup (from pty_write or serial IRQ)
n_tty_write_wakeup()
process_echoes()
*KABOOM*
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers/char')
-rw-r--r-- | drivers/char/n_tty.c | 3 |
1 files changed, 0 insertions, 3 deletions
diff --git a/drivers/char/n_tty.c b/drivers/char/n_tty.c index 94a5d5020abc..ff47907ff1bf 100644 --- a/drivers/char/n_tty.c +++ b/drivers/char/n_tty.c | |||
@@ -1331,9 +1331,6 @@ handle_newline: | |||
1331 | 1331 | ||
1332 | static void n_tty_write_wakeup(struct tty_struct *tty) | 1332 | static void n_tty_write_wakeup(struct tty_struct *tty) |
1333 | { | 1333 | { |
1334 | /* Write out any echoed characters that are still pending */ | ||
1335 | process_echoes(tty); | ||
1336 | |||
1337 | if (tty->fasync && test_and_clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags)) | 1334 | if (tty->fasync && test_and_clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags)) |
1338 | kill_fasync(&tty->fasync, SIGIO, POLL_OUT); | 1335 | kill_fasync(&tty->fasync, SIGIO, POLL_OUT); |
1339 | } | 1336 | } |