aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/net/slip
diff options
context:
space:
mode:
authorTyler Hall <tylerwhall@gmail.com>2014-06-15 22:23:16 -0400
committerDavid S. Miller <davem@davemloft.net>2014-06-17 00:29:12 -0400
commit661f7fda21b15ec52f57fcd397c03370acc28688 (patch)
treee23b6e136614f9e08dc2aa663345719b93065aed /drivers/net/slip
parentf00e2b0ac3ae25a37c04a113ed03bf249fad15d8 (diff)
slip: Fix deadlock in write_wakeup
Use schedule_work() to avoid potentially taking the spinlock in interrupt context. Commit cc9fa74e2a ("slip/slcan: added locking in wakeup function") added necessary locking to the wakeup function and 367525c8c2/ddcde142be ("can: slcan: Fix spinlock variant") converted it to spin_lock_bh() because the lock is also taken in timers. Disabling softirqs is not sufficient, however, as tty drivers may call write_wakeup from interrupt context. This driver calls tty->ops->write() with its spinlock held, which may immediately cause an interrupt on the same CPU and subsequent spin_bug(). Simply converting to spin_lock_irq/irqsave() prevents this deadlock, but causes lockdep to point out a possible circular locking dependency between these locks: (&(&sl->lock)->rlock){-.....}, at: slip_write_wakeup (&port_lock_key){-.....}, at: serial8250_handle_irq.part.13 The slip transmit is holding the slip spinlock when calling the tty write. This grabs the port lock. On an interrupt, the handler grabs the port lock and calls write_wakeup which grabs the slip lock. This could be a problem if a serial interrupt occurs on another CPU during the slip transmit. To deal with these issues, don't grab the lock in the wakeup function by deferring the writeout to a workqueue. Also hold the lock during close when de-assigning the tty pointer to safely disarm the worker and timers. This bug is easily reproducible on the first transmit when slip is used with the standard 8250 serial driver. [<c0410b7c>] (spin_bug+0x0/0x38) from [<c006109c>] (do_raw_spin_lock+0x60/0x1d0) r5:eab27000 r4:ec02754c [<c006103c>] (do_raw_spin_lock+0x0/0x1d0) from [<c04185c0>] (_raw_spin_lock+0x28/0x2c) r10:0000001f r9:eabb814c r8:eabb8140 r7:40070193 r6:ec02754c r5:eab27000 r4:ec02754c r3:00000000 [<c0418598>] (_raw_spin_lock+0x0/0x2c) from [<bf3a0220>] (slip_write_wakeup+0x50/0xe0 [slip]) r4:ec027540 r3:00000003 [<bf3a01d0>] (slip_write_wakeup+0x0/0xe0 [slip]) from [<c026e420>] (tty_wakeup+0x48/0x68) r6:00000000 r5:ea80c480 r4:eab27000 r3:bf3a01d0 [<c026e3d8>] (tty_wakeup+0x0/0x68) from [<c028a8ec>] (uart_write_wakeup+0x2c/0x30) r5:ed68ea90 r4:c06790d8 [<c028a8c0>] (uart_write_wakeup+0x0/0x30) from [<c028dc44>] (serial8250_tx_chars+0x114/0x170) [<c028db30>] (serial8250_tx_chars+0x0/0x170) from [<c028dffc>] (serial8250_handle_irq+0xa0/0xbc) r6:000000c2 r5:00000060 r4:c06790d8 r3:00000000 [<c028df5c>] (serial8250_handle_irq+0x0/0xbc) from [<c02933a4>] (dw8250_handle_irq+0x38/0x64) r7:00000000 r6:edd2f390 r5:000000c2 r4:c06790d8 [<c029336c>] (dw8250_handle_irq+0x0/0x64) from [<c028d2f4>] (serial8250_interrupt+0x44/0xc4) r6:00000000 r5:00000000 r4:c06791c4 r3:c029336c [<c028d2b0>] (serial8250_interrupt+0x0/0xc4) from [<c0067fe4>] (handle_irq_event_percpu+0xb4/0x2b0) r10:c06790d8 r9:eab27000 r8:00000000 r7:00000000 r6:0000001f r5:edd52980 r4:ec53b6c0 r3:c028d2b0 [<c0067f30>] (handle_irq_event_percpu+0x0/0x2b0) from [<c006822c>] (handle_irq_event+0x4c/0x6c) r10:c06790d8 r9:eab27000 r8:c0673ae0 r7:c05c2020 r6:ec53b6c0 r5:edd529d4 r4:edd52980 [<c00681e0>] (handle_irq_event+0x0/0x6c) from [<c006b140>] (handle_level_irq+0xe8/0x100) r6:00000000 r5:edd529d4 r4:edd52980 r3:00022000 [<c006b058>] (handle_level_irq+0x0/0x100) from [<c00676f8>] (generic_handle_irq+0x30/0x40) r5:0000001f r4:0000001f [<c00676c8>] (generic_handle_irq+0x0/0x40) from [<c000f57c>] (handle_IRQ+0xd0/0x13c) r4:ea997b18 r3:000000e0 [<c000f4ac>] (handle_IRQ+0x0/0x13c) from [<c00086c4>] (armada_370_xp_handle_irq+0x4c/0x118) r8:000003ff r7:ea997b18 r6:ffffffff r5:60070013 r4:c0674dc0 [<c0008678>] (armada_370_xp_handle_irq+0x0/0x118) from [<c0013840>] (__irq_svc+0x40/0x70) Exception stack(0xea997b18 to 0xea997b60) 7b00: 00000001 20070013 7b20: 00000000 0000000b 20070013 eab27000 20070013 00000000 ed10103e eab27000 7b40: c06790d8 ea997b74 ea997b60 ea997b60 c04186c0 c04186c8 60070013 ffffffff r9:eab27000 r8:ed10103e r7:ea997b4c r6:ffffffff r5:60070013 r4:c04186c8 [<c04186a4>] (_raw_spin_unlock_irqrestore+0x0/0x54) from [<c0288fc0>] (uart_start+0x40/0x44) r4:c06790d8 r3:c028ddd8 [<c0288f80>] (uart_start+0x0/0x44) from [<c028982c>] (uart_write+0xe4/0xf4) r6:0000003e r5:00000000 r4:ed68ea90 r3:0000003e [<c0289748>] (uart_write+0x0/0xf4) from [<bf3a0d20>] (sl_xmit+0x1c4/0x228 [slip]) r10:ed388e60 r9:0000003c r8:ffffffdd r7:0000003e r6:ec02754c r5:ea717eb8 r4:ec027000 [<bf3a0b5c>] (sl_xmit+0x0/0x228 [slip]) from [<c0368d74>] (dev_hard_start_xmit+0x39c/0x6d0) r8:eaf163c0 r7:ec027000 r6:ea717eb8 r5:00000000 r4:00000000 Signed-off-by: Tyler Hall <tylerwhall@gmail.com> Cc: Oliver Hartkopp <socketcan@hartkopp.net> Cc: Andre Naujoks <nautsch2@gmail.com> Cc: David S. Miller <davem@davemloft.net> Cc: linux-kernel@vger.kernel.org Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/slip')
-rw-r--r--drivers/net/slip/slip.c36
-rw-r--r--drivers/net/slip/slip.h1
2 files changed, 27 insertions, 10 deletions
diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c
index ad4a94e9ff57..87526443841f 100644
--- a/drivers/net/slip/slip.c
+++ b/drivers/net/slip/slip.c
@@ -83,6 +83,7 @@
83#include <linux/delay.h> 83#include <linux/delay.h>
84#include <linux/init.h> 84#include <linux/init.h>
85#include <linux/slab.h> 85#include <linux/slab.h>
86#include <linux/workqueue.h>
86#include "slip.h" 87#include "slip.h"
87#ifdef CONFIG_INET 88#ifdef CONFIG_INET
88#include <linux/ip.h> 89#include <linux/ip.h>
@@ -416,36 +417,46 @@ static void sl_encaps(struct slip *sl, unsigned char *icp, int len)
416#endif 417#endif
417} 418}
418 419
419/* 420/* Write out any remaining transmit buffer. Scheduled when tty is writable */
420 * Called by the driver when there's room for more data. If we have 421static void slip_transmit(struct work_struct *work)
421 * more packets to send, we send them here.
422 */
423static void slip_write_wakeup(struct tty_struct *tty)
424{ 422{
423 struct slip *sl = container_of(work, struct slip, tx_work);
425 int actual; 424 int actual;
426 struct slip *sl = tty->disc_data;
427 425
426 spin_lock_bh(&sl->lock);
428 /* First make sure we're connected. */ 427 /* First make sure we're connected. */
429 if (!sl || sl->magic != SLIP_MAGIC || !netif_running(sl->dev)) 428 if (!sl->tty || sl->magic != SLIP_MAGIC || !netif_running(sl->dev)) {
429 spin_unlock_bh(&sl->lock);
430 return; 430 return;
431 }
431 432
432 spin_lock_bh(&sl->lock);
433 if (sl->xleft <= 0) { 433 if (sl->xleft <= 0) {
434 /* Now serial buffer is almost free & we can start 434 /* Now serial buffer is almost free & we can start
435 * transmission of another packet */ 435 * transmission of another packet */
436 sl->dev->stats.tx_packets++; 436 sl->dev->stats.tx_packets++;
437 clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags); 437 clear_bit(TTY_DO_WRITE_WAKEUP, &sl->tty->flags);
438 spin_unlock_bh(&sl->lock); 438 spin_unlock_bh(&sl->lock);
439 sl_unlock(sl); 439 sl_unlock(sl);
440 return; 440 return;
441 } 441 }
442 442
443 actual = tty->ops->write(tty, sl->xhead, sl->xleft); 443 actual = sl->tty->ops->write(sl->tty, sl->xhead, sl->xleft);
444 sl->xleft -= actual; 444 sl->xleft -= actual;
445 sl->xhead += actual; 445 sl->xhead += actual;
446 spin_unlock_bh(&sl->lock); 446 spin_unlock_bh(&sl->lock);
447} 447}
448 448
449/*
450 * Called by the driver when there's room for more data.
451 * Schedule the transmit.
452 */
453static void slip_write_wakeup(struct tty_struct *tty)
454{
455 struct slip *sl = tty->disc_data;
456
457 schedule_work(&sl->tx_work);
458}
459
449static void sl_tx_timeout(struct net_device *dev) 460static void sl_tx_timeout(struct net_device *dev)
450{ 461{
451 struct slip *sl = netdev_priv(dev); 462 struct slip *sl = netdev_priv(dev);
@@ -749,6 +760,7 @@ static struct slip *sl_alloc(dev_t line)
749 sl->magic = SLIP_MAGIC; 760 sl->magic = SLIP_MAGIC;
750 sl->dev = dev; 761 sl->dev = dev;
751 spin_lock_init(&sl->lock); 762 spin_lock_init(&sl->lock);
763 INIT_WORK(&sl->tx_work, slip_transmit);
752 sl->mode = SL_MODE_DEFAULT; 764 sl->mode = SL_MODE_DEFAULT;
753#ifdef CONFIG_SLIP_SMART 765#ifdef CONFIG_SLIP_SMART
754 /* initialize timer_list struct */ 766 /* initialize timer_list struct */
@@ -872,8 +884,12 @@ static void slip_close(struct tty_struct *tty)
872 if (!sl || sl->magic != SLIP_MAGIC || sl->tty != tty) 884 if (!sl || sl->magic != SLIP_MAGIC || sl->tty != tty)
873 return; 885 return;
874 886
887 spin_lock_bh(&sl->lock);
875 tty->disc_data = NULL; 888 tty->disc_data = NULL;
876 sl->tty = NULL; 889 sl->tty = NULL;
890 spin_unlock_bh(&sl->lock);
891
892 flush_work(&sl->tx_work);
877 893
878 /* VSV = very important to remove timers */ 894 /* VSV = very important to remove timers */
879#ifdef CONFIG_SLIP_SMART 895#ifdef CONFIG_SLIP_SMART
diff --git a/drivers/net/slip/slip.h b/drivers/net/slip/slip.h
index 67673cf1266b..cf32aadf508f 100644
--- a/drivers/net/slip/slip.h
+++ b/drivers/net/slip/slip.h
@@ -53,6 +53,7 @@ struct slip {
53 struct tty_struct *tty; /* ptr to TTY structure */ 53 struct tty_struct *tty; /* ptr to TTY structure */
54 struct net_device *dev; /* easy for intr handling */ 54 struct net_device *dev; /* easy for intr handling */
55 spinlock_t lock; 55 spinlock_t lock;
56 struct work_struct tx_work; /* Flushes transmit buffer */
56 57
57#ifdef SL_INCLUDE_CSLIP 58#ifdef SL_INCLUDE_CSLIP
58 struct slcompress *slcomp; /* for header compression */ 59 struct slcompress *slcomp; /* for header compression */
generated by cgit v1.2.2 (git 2.25.0) at 2025-02-22 11:33:48 -0500