From: Peter Hurley <peter@hurleysoftware.com>
To: Jiri Slaby <jslaby@suse.cz>, Jiri Slaby <jirislaby@gmail.com>,
	alan@linux.intel.com
Cc: gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org,
	Dave Jones <davej@redhat.com>,
	Sasha Levin <levinsasha928@gmail.com>,
	linux-serial <linux-serial@vger.kernel.org>
Subject: Re: flush_to_ldisc accesses tty after free  (was: [PATCH 21/21] TTY: move tty buffers to tty_port)
Date: Sun, 02 Dec 2012 14:57:34 -0500	[thread overview]
Message-ID: <1354478254.2531.161.camel@thor> (raw)
In-Reply-To: <1354392383.2531.118.camel@thor>

[whoops... cc: linux-serial]

On Sat, 2012-12-01 at 15:06 -0500, Peter Hurley wrote:
> On Sat, 2012-12-01 at 09:59 -0500, Peter Hurley wrote:
> ....
> > From instrumenting the tty_release() path, it's clear that tty_buffer
> > work is still scheduled even after tty_release_ldisc() has run. For
> > example, with this patch I get the warning below it.
> > 
> > [Further analysis to follow in subsequent mail...]
> 
> [ Please note: this analysis only refers to the pty driver. The
> situation with hardware drivers has further complications.]
> 
> Firstly, this problem predates Jiri's changes; only because he was
> cautious by checking the lifetime of the itty in flush_to_ldisc(), did
> he uncover this existing problem.
> 
> One example of how it is possible for buffer work to be scheduled even
> after tty_release_ldisc() stems from how tty_ldisc_halt() works (or
> rather doesn't). (I've snipped out the relevant code from tty_ldisc.c
> for annotation below.)

Naturally, I found the least obvious problem first.

The more obvious problem is that the pty driver doesn't have an ldisc
reference to the 'other' tty when pty_write() is called. So doing the
tty_flip_buffer_push() has scheduled buffer work for a potentially
halted ldisc.

static int pty_write(struct tty_struct *tty, const unsigned char *buf, int c)
{
	struct tty_struct *to = tty->link;	/* <==== this is the 'other' tty */

	if (tty->stopped)
		return 0;

	if (c > 0) {
		/* Stuff the data into the input queue of the other end */
		c = tty_insert_flip_string(to, buf, c);
		/* And shovel */
		if (c) {
			tty_flip_buffer_push(to);
			tty_wakeup(tty);
		}
	}
	return c;
}

There are several possible ways to fix this:
1. Halt both ldiscs and ensure that both ldiscs have no outstanding
references before cancelling their work.
2. Claim an ldisc reference for the 'other' ldisc in things like
tty_write().
3. I'm sure there are other ways....

Regards,
Peter Hurley

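As an added example that is not part of the mail or of the kernel source, a small C model of the race described above: the hypothetical pty_write_unsafe() mirrors the posted pty_write(), pty_write_safe() models fix option 2 (claim a reference on the 'other' ldisc before pushing), and ldisc_ref() plus the struct names are simplifications assumed here, not the kernel's tty_ldisc_ref().

```c
#include <stddef.h>
/* Hypothetical model (not kernel code): one line discipline and one tty. */
struct ldisc_model { int halted; int refcount; int queued_work; };
struct tty_model { struct ldisc_model ldisc; struct tty_model *link; int stopped; };

/* Models tty_ldisc_ref(): hands out no new references once halted. */
static struct ldisc_model *ldisc_ref(struct tty_model *tty)
{
    if (tty->ldisc.halted)
        return NULL;
    tty->ldisc.refcount++;
    return &tty->ldisc;
}

/* Mirrors the posted pty_write(): work is pushed to 'to' with no reference
 * held, so a halted ldisc still gets flush work scheduled. */
int pty_write_unsafe(struct tty_model *tty, int c)
{
    struct tty_model *to = tty->link;
    if (tty->stopped || c <= 0)
        return 0;
    to->ldisc.queued_work++;   /* tty_flip_buffer_push(to), halted or not */
    return c;
}

/* Fix option 2 from the mail: claim a reference on the other ldisc and only
 * schedule work while holding it; a halted peer yields no reference. */
int pty_write_safe(struct tty_model *tty, int c)
{
    struct ldisc_model *ld;
    if (tty->stopped || c <= 0)
        return 0;
    ld = ldisc_ref(tty->link);
    if (!ld)
        return 0;              /* other side already halted: nothing queued */
    ld->queued_work++;
    ld->refcount--;            /* tty_ldisc_deref() */
    return c;
}

/* Scenario: master writes after the slave's ldisc was halted. Returns the
 * work queued on the halted slave ldisc; anything but 0 is the bug. */
int work_queued_on_halted_ldisc(int use_safe)
{
    struct tty_model master = {{0, 0, 0}, NULL, 0}, slave = master;
    master.link = &slave;
    slave.ldisc.halted = 1;    /* tty_ldisc_halt() already ran on the slave */
    (void)(use_safe ? pty_write_safe(&master, 1) : pty_write_unsafe(&master, 1));
    return slave.ldisc.queued_work;
}
```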
