From: Anton Blanchard <anton@samba.org>
To: Willy Tarreau <w@1wt.eu>
Cc: Rusty Russell <rusty@rustcorp.com.au>,
Greg Kroah-Hartman <gregkh@suse.de>,
linux-kernel@vger.kernel.org, stable@kernel.org,
linuxppc-dev@ozlabs.org, Amit Shah <amit.shah@redhat.com>,
stable-review@kernel.org, Alan Cox <alan@lxorguk.ukuu.org.uk>
Subject: Re: [PATCH 21/23] hvc_console: Fix race between hvc_close and hvc_remove
Date: Tue, 8 Feb 2011 08:16:00 +1100 [thread overview]
Message-ID: <20110208081600.1a816af5@kryten> (raw)
In-Reply-To: <20110206232253.421321729@pcw.home.local>
Hi,
> From: Amit Shah <amit.shah@redhat.com>
>
> commit e74d098c66543d0731de62eb747ccd5b636a6f4c upstream.
>
> Alan pointed out a race in the code where hvc_remove is invoked. The
> recent virtio_console work is the first user of hvc_remove().
I faintly remember this bug caused boot issues and the following patch
must be applied to fix it.
Anton
--
commit 320718ee074acce5ffced6506cb51af1388942aa
Author: Anton Blanchard <anton@samba.org>
Date: Tue Apr 6 21:42:38 2010 +1000
hvc_console: Fix race between hvc_close and hvc_remove
I don't claim to understand the tty layer, but it seems like hvc_open and
hvc_close should be balanced in their kref reference counting.
Right now we get a kref every call to hvc_open:
if (hp->count++ > 0) {
tty_kref_get(tty); <----- here
spin_unlock_irqrestore(&hp->lock, flags);
hvc_kick();
return 0;
} /* else count == 0 */
tty->driver_data = hp;
hp->tty = tty_kref_get(tty); <------ or here if hp->count was 0
But hvc_close has:
tty_kref_get(tty);
if (--hp->count == 0) {
...
/* Put the ref obtained in hvc_open() */
tty_kref_put(tty);
...
}
tty_kref_put(tty);
Since the outside kref get/put balance we only do a single kref_put when
count reaches 0.
The patch below changes things to call tty_kref_put once for every
hvc_close call, and with that my machine boots fine.
Signed-off-by: Anton Blanchard <anton@samba.org>
Acked-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
diff --git a/drivers/char/hvc_console.c b/drivers/char/hvc_console.c
index d3890e8..35cca4c 100644
--- a/drivers/char/hvc_console.c
+++ b/drivers/char/hvc_console.c
@@ -368,16 +368,12 @@ static void hvc_close(struct tty_struct *tty, struct file * filp)
hp = tty->driver_data;
spin_lock_irqsave(&hp->lock, flags);
- tty_kref_get(tty);
if (--hp->count == 0) {
/* We are done with the tty pointer now. */
hp->tty = NULL;
spin_unlock_irqrestore(&hp->lock, flags);
- /* Put the ref obtained in hvc_open() */
- tty_kref_put(tty);
-
if (hp->ops->notifier_del)
hp->ops->notifier_del(hp, hp->data);
WARNING: multiple messages have this Message-ID (diff)
From: Anton Blanchard <anton@samba.org>
To: Willy Tarreau <w@1wt.eu>
Cc: linux-kernel@vger.kernel.org, stable@kernel.org,
stable-review@kernel.org, Greg Kroah-Hartman <gregkh@suse.de>,
Rusty Russell <rusty@rustcorp.com.au>,
linuxppc-dev@ozlabs.org, Amit Shah <amit.shah@redhat.com>,
Alan Cox <alan@lxorguk.ukuu.org.uk>
Subject: Re: [PATCH 21/23] hvc_console: Fix race between hvc_close and hvc_remove
Date: Tue, 8 Feb 2011 08:16:00 +1100 [thread overview]
Message-ID: <20110208081600.1a816af5@kryten> (raw)
In-Reply-To: <20110206232253.421321729@pcw.home.local>
Hi,
> From: Amit Shah <amit.shah@redhat.com>
>
> commit e74d098c66543d0731de62eb747ccd5b636a6f4c upstream.
>
> Alan pointed out a race in the code where hvc_remove is invoked. The
> recent virtio_console work is the first user of hvc_remove().
I faintly remember this bug caused boot issues and the following patch
must be applied to fix it.
Anton
--
commit 320718ee074acce5ffced6506cb51af1388942aa
Author: Anton Blanchard <anton@samba.org>
Date: Tue Apr 6 21:42:38 2010 +1000
hvc_console: Fix race between hvc_close and hvc_remove
I don't claim to understand the tty layer, but it seems like hvc_open and
hvc_close should be balanced in their kref reference counting.
Right now we get a kref every call to hvc_open:
if (hp->count++ > 0) {
tty_kref_get(tty); <----- here
spin_unlock_irqrestore(&hp->lock, flags);
hvc_kick();
return 0;
} /* else count == 0 */
tty->driver_data = hp;
hp->tty = tty_kref_get(tty); <------ or here if hp->count was 0
But hvc_close has:
tty_kref_get(tty);
if (--hp->count == 0) {
...
/* Put the ref obtained in hvc_open() */
tty_kref_put(tty);
...
}
tty_kref_put(tty);
Since the outside kref get/put balance we only do a single kref_put when
count reaches 0.
The patch below changes things to call tty_kref_put once for every
hvc_close call, and with that my machine boots fine.
Signed-off-by: Anton Blanchard <anton@samba.org>
Acked-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
diff --git a/drivers/char/hvc_console.c b/drivers/char/hvc_console.c
index d3890e8..35cca4c 100644
--- a/drivers/char/hvc_console.c
+++ b/drivers/char/hvc_console.c
@@ -368,16 +368,12 @@ static void hvc_close(struct tty_struct *tty, struct file * filp)
hp = tty->driver_data;
spin_lock_irqsave(&hp->lock, flags);
- tty_kref_get(tty);
if (--hp->count == 0) {
/* We are done with the tty pointer now. */
hp->tty = NULL;
spin_unlock_irqrestore(&hp->lock, flags);
- /* Put the ref obtained in hvc_open() */
- tty_kref_put(tty);
-
if (hp->ops->notifier_del)
hp->ops->notifier_del(hp, hp->data);
next prev parent reply other threads:[~2011-02-07 21:16 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-06 23:22 [PATCH 00/23] 2.6.27.58-longterm review Willy Tarreau
2011-02-06 23:22 ` Willy Tarreau
2011-02-06 23:22 ` [PATCH 01/23] ALSA: hda: Use model=lg quirk for LG P1 Express to enable playback and capture Willy Tarreau
2011-02-06 23:22 ` [PATCH 02/23] ALSA: hda: Use LPIB for Dell Latitude 131L Willy Tarreau
2011-02-06 23:22 ` [PATCH 03/23] ALSA: hda: Use LPIB quirk for Dell Inspiron m101z/1120 Willy Tarreau
2011-02-06 23:22 ` [PATCH 04/23] USB: usb-storage: unusual_devs entry for the Samsung YP-CP3 Willy Tarreau
2011-02-06 23:22 ` [PATCH 05/23] USB: misc: uss720.c: add another vendor/product ID Willy Tarreau
2011-02-06 23:22 ` [PATCH 06/23] HID: hidraw: fix window in hidraw_release Willy Tarreau
2011-02-06 23:22 ` [PATCH 07/23] hwmon: (adm1026) Allow 1 as a valid divider value Willy Tarreau
2011-02-06 23:23 ` [PATCH 08/23] hwmon: (adm1026) Fix setting fan_div Willy Tarreau
2011-02-06 23:23 ` [PATCH 09/23] IB/uverbs: Handle large number of entries in poll CQ Willy Tarreau
2011-02-06 23:23 ` [PATCH 10/23] mv_xor: fix race in tasklet function Willy Tarreau
2011-02-06 23:23 ` [PATCH 11/23] md: fix bug with re-adding of partially recovered device Willy Tarreau
2011-02-06 23:23 ` [PATCH 12/23] NFS: Fix fcntl F_GETLK not reporting some conflicts Willy Tarreau
2011-02-06 23:23 ` [PATCH 13/23] nfsd: Fix possible BUG_ON firing in set_change_info Willy Tarreau
2011-02-06 23:23 ` [PATCH 14/23] PM / Hibernate: Fix PM_POST_* notification with user-space suspend Willy Tarreau
2011-02-06 23:23 ` [PATCH 15/23] posix-cpu-timers: workaround to suppress the problems with mt exec Willy Tarreau
2011-02-06 23:23 ` [PATCH 16/23] sctp: Fix a race between ICMP protocol unreachable and connect() Willy Tarreau
2011-02-06 23:23 ` [PATCH 17/23] sound: Prevent buffer overflow in OSS load_mixer_volumes Willy Tarreau
2011-02-06 23:23 ` [PATCH 18/23] sunrpc: prevent use-after-free on clearing XPT_BUSY Willy Tarreau
2011-02-06 23:23 ` [PATCH 19/23] x86, gcc-4.6: Use gcc -m options when building vdso Willy Tarreau
2011-02-06 23:23 ` [PATCH 20/23] tracing: Fix panic when lseek() called on "trace" opened for writing Willy Tarreau
2011-02-14 23:14 ` [Stable-review] " Ben Hutchings
2011-02-15 1:33 ` Steven Rostedt
2011-02-15 1:38 ` Ben Hutchings
2011-02-15 2:01 ` Steven Rostedt
2011-02-15 5:39 ` Willy Tarreau
2011-02-06 23:23 ` [PATCH 21/23] hvc_console: Fix race between hvc_close and hvc_remove Willy Tarreau
2011-02-06 23:23 ` Willy Tarreau
2011-02-07 21:16 ` Anton Blanchard [this message]
2011-02-07 21:16 ` Anton Blanchard
2011-02-07 22:11 ` Willy Tarreau
2011-02-07 22:11 ` Willy Tarreau
2011-02-06 23:23 ` [PATCH 22/23] hvc_console: Fix race between hvc_close and hvc_remove, again Willy Tarreau
2011-02-06 23:23 ` [PATCH 23/23] install_special_mapping skips security_file_mmap check Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110208081600.1a816af5@kryten \
--to=anton@samba.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=amit.shah@redhat.com \
--cc=gregkh@suse.de \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@ozlabs.org \
--cc=rusty@rustcorp.com.au \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.