From: Tycho Andersen <tycho@tycho.ws>
To: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jslaby@suse.com>,
"open list:SERIAL DRIVERS" <linux-serial@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
"Serge E . Hallyn" <serge@hallyn.com>
Subject: Re: [PATCH v3] uart: fix race between uart_put_char() and uart_shutdown()
Date: Fri, 6 Jul 2018 12:39:28 -0600 [thread overview]
Message-ID: <20180706183928.GA3583@cisco.lan> (raw)
In-Reply-To: <CAHp75Vfbh5SzpqP=2LfeXteEGrBG46dPfeHsU0ac5SiJSjZOXw@mail.gmail.com>
On Fri, Jul 06, 2018 at 07:49:09PM +0300, Andy Shevchenko wrote:
> On Fri, Jul 6, 2018 at 7:24 PM, Tycho Andersen <tycho@tycho.ws> wrote:
>
> > Looking in uart_port_startup(), it seems that circ->buf (state->xmit.buf)
> > protected by the "per-port mutex", which based on uart_port_check() is
> > state->port.mutex. Indeed, the lock acquired in uart_put_char() is
> > uport->lock, i.e. not the same lock.
> >
> > Anyway, since the lock is not acquired, if uart_shutdown() is called, the
> > last chunk of that function may release state->xmit.buf before its assigned
> > to null, and cause the race above.
> >
> > To fix it, let's lock uport->lock when allocating/deallocating
> > state->xmit.buf in addition to the per-port mutex.
>
> Thanks for fixing this!
>
> Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
>
> Some nitpicks though.
>
> > + unsigned long page, flags = 0;
>
> I would rather put on separate lines and btw assignment is not needed.
> It all goes through macros.
Sure, I can split it up, but without the initialization I get,
CC drivers/tty/serial/serial_core.o
In file included from ./include/linux/seqlock.h:36:0,
from ./include/linux/time.h:6,
from ./include/linux/stat.h:19,
from ./include/linux/module.h:10,
from drivers/tty/serial/serial_core.c:10:
drivers/tty/serial/serial_core.c: In function ‘uart_startup.part.20’:
./include/linux/spinlock.h:260:3: warning: ‘flags’ may be used uninitialized in this function -Wmaybe-uninitialized]
_raw_spin_unlock_irqrestore(lock, flags); \
^~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/tty/serial/serial_core.c:184:22: note: ‘flags’ was declared here
unsigned long page, flags;
^~~~~
> > - if (!state->xmit.buf) {
> > - /* This is protected by the per port mutex */
> > - page = get_zeroed_page(GFP_KERNEL);
> > - if (!page)
> > - return -ENOMEM;
> > + page = get_zeroed_page(GFP_KERNEL);
> > + if (!page)
> > + return -ENOMEM;
> > + if (!state->xmit.buf) {
> > state->xmit.buf = (unsigned char *) page;
> > uart_circ_clear(&state->xmit);
> > + } else {
> > + free_page(page);
> > }
>
> I see original code, but since you are adding else, does it make sense
> to switch to positive condition?
Sure, I'll switch it.
> > + unsigned long flags = 0;
>
> Ditto about assignment.
And in this case too,
drivers/tty/serial/serial_core.c:184:22: note: ‘flags’ was declared here
unsigned long page, flags;
^~~~~
In file included from ./include/linux/seqlock.h:36:0,
from ./include/linux/time.h:6,
from ./include/linux/stat.h:19,
from ./include/linux/module.h:10,
from drivers/tty/serial/serial_core.c:10:
drivers/tty/serial/serial_core.c: In function ‘uart_shutdown’:
./include/linux/spinlock.h:260:3: warning: ‘flags’ may be used uninitialized in this function -Wmaybe-uninitialized]
_raw_spin_unlock_irqrestore(lock, flags); \
^~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/tty/serial/serial_core.c:269:16: note: ‘flags’ was declared here
unsigned long flags;
^~~~~
Tycho
next prev parent reply other threads:[~2018-07-06 18:39 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-05 0:01 [PATCH] uart: fix race between uart_put_char() and uart_shutdown() Tycho Andersen
2018-06-05 3:59 ` Serge E. Hallyn
2018-06-06 21:42 ` Tycho Andersen
2018-06-28 12:05 ` Greg Kroah-Hartman
2018-06-29 10:24 ` [PATCH v2] " Tycho Andersen
2018-06-29 16:43 ` Tycho Andersen
2018-07-06 14:39 ` Greg Kroah-Hartman
2018-07-06 16:24 ` [PATCH v3] " Tycho Andersen
2018-07-06 16:49 ` Andy Shevchenko
2018-07-06 18:39 ` Tycho Andersen [this message]
2018-07-06 20:48 ` Andy Shevchenko
2018-07-06 21:22 ` Tycho Andersen
2018-07-11 16:07 ` [PATCH v4] " Tycho Andersen
2018-07-11 19:24 ` Serge E. Hallyn
2018-07-11 19:49 ` Serge E. Hallyn
2018-07-11 20:00 ` Tycho Andersen
2018-07-12 15:05 ` Greg Kroah-Hartman
2018-07-12 9:03 ` Andy Shevchenko
2018-07-12 14:13 ` Tycho Andersen
2018-07-12 15:04 ` Greg Kroah-Hartman
2018-07-12 15:08 ` Tycho Andersen
2018-07-12 15:40 ` Greg Kroah-Hartman
2018-07-12 18:18 ` Tycho Andersen
2018-07-12 18:18 ` Tycho Andersen
2018-07-12 18:25 ` Greg Kroah-Hartman
2018-07-12 18:30 ` Tycho Andersen
2018-07-13 9:28 ` Greg Kroah-Hartman
2018-07-13 14:01 ` Tycho Andersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180706183928.GA3583@cisco.lan \
--to=tycho@tycho.ws \
--cc=andy.shevchenko@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=jslaby@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-serial@vger.kernel.org \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.