Prevent an O_NDELAY writer from blocking when a tty write is blocked by the tty atomic writer mutex

Without this a tty write could block if a previous blocking tty write was
in progress on the same tty and blocked by a line discipline or hardware
event.  Originally found and reported by Dave Johnson.

Signed-off-by: Alan Cox <alan@redhat.com>
Acked-by: Dave Johnson <djohnson+linux-kernel@sw.starentnetworks.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

4 files changed, 37 insertions, 19 deletions

diff --git a/drivers/char/n_hdlc.c b/drivers/char/n_hdlc.c
index 337a87f86a3b..37f7d3403040 100644
--- a/drivers/char/n_hdlc.c
+++ b/drivers/char/n_hdlc.c
@@ -780,13 +780,14 @@ static unsigned int n_hdlc_tty_poll(struct tty_struct *tty, struct file *filp,
                 poll_wait(filp, &tty->write_wait, wait);
 
                 /* set bits for operations that won't block */
-                if(n_hdlc->rx_buf_list.head)
+                if (n_hdlc->rx_buf_list.head)
                         mask |= POLLIN | POLLRDNORM;    /* readable */
                 if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
                         mask |= POLLHUP;
-                if(tty_hung_up_p(filp))
+                if (tty_hung_up_p(filp))
                         mask |= POLLHUP;
-                if(n_hdlc->tx_free_buf_list.head)
+                if (!tty_is_writelocked(tty) &&
+                                n_hdlc->tx_free_buf_list.head)
                         mask |= POLLOUT | POLLWRNORM;   /* writable */
         }
         return mask;
@@ -861,7 +862,7 @@ static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
         spin_lock_irqsave(&list->spinlock,flags);
         
         buf->link=NULL;
-        if(list->tail)
+        if (list->tail)
                 list->tail->link = buf;
         else
                 list->head = buf;
diff --git a/drivers/char/n_tty.c b/drivers/char/n_tty.c
index 154f42203b05..371631f4bfb9 100644
--- a/drivers/char/n_tty.c
+++ b/drivers/char/n_tty.c
@@ -1538,7 +1538,8 @@ static unsigned int normal_poll(struct tty_struct * tty, struct file * file, pol
                 else
                         tty->minimum_to_wake = 1;
         }
-        if (tty->driver->chars_in_buffer(tty) < WAKEUP_CHARS &&
+        if (!tty_is_writelocked(tty) &&
+                        tty->driver->chars_in_buffer(tty) < WAKEUP_CHARS &&
                         tty->driver->write_room(tty) > 0)
                 mask |= POLLOUT | POLLWRNORM;
         return mask;
diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c
index a96f26a63fa2..a37e6330db8a 100644
--- a/drivers/char/tty_io.c
+++ b/drivers/char/tty_io.c
@@ -1726,6 +1726,23 @@ static ssize_t tty_read(struct file * file, char __user * buf, size_t count,
         return i;
 }
 
+void tty_write_unlock(struct tty_struct *tty)
+{
+        mutex_unlock(&tty->atomic_write_lock);
+        wake_up_interruptible(&tty->write_wait);
+}
+
+int tty_write_lock(struct tty_struct *tty, int ndelay)
+{
+        if (!mutex_trylock(&tty->atomic_write_lock)) {
+                if (ndelay)
+                        return -EAGAIN;
+                if (mutex_lock_interruptible(&tty->atomic_write_lock))
+                        return -ERESTARTSYS;
+        }
+        return 0;
+}
+
 /*
  * Split writes up in sane blocksizes to avoid
  * denial-of-service type attacks
@@ -1737,13 +1754,12 @@ static inline ssize_t do_tty_write(
         const char __user *buf,
         size_t count)
 {
-        ssize_t ret = 0, written = 0;
+        ssize_t ret, written = 0;
         unsigned int chunk;
         
-        /* FIXME: O_NDELAY ... */
-        if (mutex_lock_interruptible(&tty->atomic_write_lock)) {
-                return -ERESTARTSYS;
-        }
+        ret = tty_write_lock(tty, file->f_flags & O_NDELAY);
+        if (ret < 0)
+                return ret;
 
         /*
          * We chunk up writes into a temporary buffer. This
@@ -1776,8 +1792,8 @@ static inline ssize_t do_tty_write(
 
                 buf = kmalloc(chunk, GFP_KERNEL);
                 if (!buf) {
-                        mutex_unlock(&tty->atomic_write_lock);
-                        return -ENOMEM;
+                        ret = -ENOMEM;
+                        goto out;
                 }
                 kfree(tty->write_buf);
                 tty->write_cnt = chunk;
@@ -1812,7 +1828,8 @@ static inline ssize_t do_tty_write(
                 inode->i_mtime = current_fs_time(inode->i_sb);
                 ret = written;
         }
-        mutex_unlock(&tty->atomic_write_lock);
+out:
+        tty_write_unlock(tty);
         return ret;
 }
 
@@ -3163,14 +3180,13 @@ static int tiocsetd(struct tty_struct *tty, int __user *p)
 
 static int send_break(struct tty_struct *tty, unsigned int duration)
 {
-        if (mutex_lock_interruptible(&tty->atomic_write_lock))
+        if (tty_write_lock(tty, 0) < 0)
                 return -EINTR;
         tty->driver->break_ctl(tty, -1);
-        if (!signal_pending(current)) {
+        if (!signal_pending(current))
                 msleep_interruptible(duration);
-        }
         tty->driver->break_ctl(tty, 0);
-        mutex_unlock(&tty->atomic_write_lock);
+        tty_write_unlock(tty);
         if (signal_pending(current))
                 return -EINTR;
         return 0;
diff --git a/drivers/char/tty_ioctl.c b/drivers/char/tty_ioctl.c
index fd471cb3338f..918e24c885f1 100644
--- a/drivers/char/tty_ioctl.c
+++ b/drivers/char/tty_ioctl.c
@@ -667,7 +667,7 @@ static int send_prio_char(struct tty_struct *tty, char ch)
                 return 0;
         }
 
-        if (mutex_lock_interruptible(&tty->atomic_write_lock))
+        if (tty_write_lock(tty, 0) < 0)
                 return -ERESTARTSYS;
 
         if (was_stopped)
@@ -675,7 +675,7 @@ static int send_prio_char(struct tty_struct *tty, char ch)
         tty->driver->write(tty, &ch, 1);
         if (was_stopped)
                 stop_tty(tty);
-        mutex_unlock(&tty->atomic_write_lock);
+        tty_write_unlock(tty);
         return 0;
 }