From: Alexander Holler <holler@ahsoftware.de>
To: linux-kernel@vger.kernel.org
Cc: Jiri Slaby <jslaby@suse.cz>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Marcel Holtmann <marcel@holtmann.org>,
Gustavo Padovan <gustavo@padovan.org>,
Johan Hedberg <johan.hedberg@gmail.com>,
linux-bluetooth@vger.kernel.org
Subject: Re: BUG: tty: memory corruption through tty_release/tty_ldisc_release
Date: Thu, 16 May 2013 15:15:30 +0200
Message-ID: <5194DBF2.60209@ahsoftware.de>
In-Reply-To: <519480A1.6030909@ahsoftware.de>
On 16.05.2013 08:45, Alexander Holler wrote:
> tty_port is self-destructing, that means it destroys itself in
> tty_port.c:tty_port_destructor() when the last reference is gone. E.g.
> in case of rfcomm this happens with the call to tty->ops->close() in
> tty_io.c:tty_release().
>
> The problem here is that tty_io.c:tty_release() calls
> tty_ldisc.c:tty_ldisc_release() which uses the tty_port to flush the
> ldisc work queues.
As I got a bit nervous about whether ptys are affected, I played around
a bit using the following patch:
--------------
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index 84ec4ca..340440b 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -1790,6 +1790,7 @@ int tty_release(struct inode *inode, struct file
*filp)
if (!tty_closing || (o_tty && !o_tty_closing))
return 0;
+pr_info("AHO: tty_release tty_port 0x%p\n", tty->port);
#ifdef TTY_DEBUG_HANGUP
printk(KERN_DEBUG "%s: freeing tty structure...\n", __func__);
#endif
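Review bot: the added pr_info() after the `return 0` early exit prints tty->port with a bare %p at info level, which puts a kernel address into the log on every final close. For a tracing aid, pr_debug() or the existing TTY_DEBUG_HANGUP block just below is a better home, with `__func__` in place of the hard-coded "AHO: tty_release" prefix. Because the line sits past the early return, non-final closes are not logged, so it can only be compared against the destructor message for the last close of a tty.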
diff --git a/drivers/tty/tty_port.c b/drivers/tty/tty_port.c
index b7ff59d..346e30b 100644
--- a/drivers/tty/tty_port.c
+++ b/drivers/tty/tty_port.c
@@ -139,6 +139,7 @@ EXPORT_SYMBOL(tty_port_destroy);
static void tty_port_destructor(struct kref *kref)
{
struct tty_port *port = container_of(kref, struct tty_port, kref);
+pr_info("AHO: tty_port_destructor 0x%p\n", port);
if (port->xmit_buf)
free_page((unsigned long)port->xmit_buf);
tty_port_destroy(port);
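Review bot: the pr_info() at the top of tty_port_destructor() identifies the port only by address, and that address can be handed out again once the destructor has finished, so pairing this line with a later "tty_release" line by pointer value alone can mismatch. Adding dump_stack() next to it would also show which caller dropped the last kref, which is the question the trace is meant to answer. Kernel style also wants a blank line between the `struct tty_port *port` declaration and the first statement.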
--------------
Happily, it looks like ptys are not affected; the destructor always seems
to be called after tty_release() and not before. But I'm not sure if I
tried all possible ways (from userland).
Regards,
Alexander Holler
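
The ordering problem described in the quoted report, as a userspace model added here for illustration (not code from this thread or from the kernel). The function names mirror the ones in the mail, their bodies are simplified stand-ins, and the `pin_port` variant is an assumed way of closing the window, not the change adopted in the thread.

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <stdio.h>

struct tty_port { int kref; int destroyed; };
struct tty { struct tty_port *port; };

static int use_after_destroy;  /* a destroyed port was touched */
static int port_destroyed;     /* destructor had run when release ended */

/* Stands in for tty_port_destructor(); marks the port instead of freeing. */
static void tty_port_destructor(struct tty_port *port) { port->destroyed = 1; }

static void tty_port_get(struct tty_port *port) { port->kref++; }

static void tty_port_put(struct tty_port *port)
{
	if (--port->kref == 0)
		tty_port_destructor(port);
}

/* Driver close() dropping the last port reference (the rfcomm case). */
static void driver_close(struct tty *tty) { tty_port_put(tty->port); }

/* Stand-in for tty_ldisc_release(), which reaches through tty->port. */
static void ldisc_release(struct tty *tty)
{
	if (tty->port->destroyed)
		use_after_destroy = 1;
}

/* Runs the release sequence; returns 1 if the port was used after
 * its destructor ran. pin_port is the assumed mitigation. */
int model_release(int pin_port)
{
	struct tty_port port = { 1, 0 };
	struct tty tty = { &port };

	use_after_destroy = 0;
	if (pin_port)
		tty_port_get(&port);   /* assumption: hold a ref across release */
	driver_close(&tty);            /* unpinned: destructor runs here */
	ldisc_release(&tty);
	if (pin_port)
		tty_port_put(&port);   /* pinned: destructor runs here, last */
	port_destroyed = port.destroyed;
	return use_after_destroy;
}

int main(void)
{
	printf("unpinned=%d pinned=%d\n", model_release(0), model_release(1));
	return 0;
}
```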