From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
To: Russell King <rmk+lkml@arm.linux.org.uk>
Cc: Linux Kernel list <linux-kernel@vger.kernel.org>
Subject: serial driver / tty issues
Date: Fri, 05 Mar 2004 20:18:56 +1100 [thread overview]
Message-ID: <1078478335.5702.79.camel@gaston> (raw)
In-Reply-To: <1078477351.6327.65.camel@gaston>
Hi Russell !
So, I was tracking down some problems with that pmac_zilog() driver
of mine, some were my fault, but some others are still quite
interesting as they seem to affect other drivers as well.
The basic issue was an interesting HW situation that resulted in the
SCC flooding me with 0 chars + framing errors like mad (faster than
the serial port speed, more like a stuck irq actually) when the port
is connected to an unplug keyspan adapter (so the input line is
probably getting noise or whatever crap).
That triggered extreme situation both in the driver and the tty layer
due to the fast flood of incoming shit.
- most/all serial drivers, when the flip buffer is full, will
call tty->flip.work.func() directly with the spinlock held. This is
asking for trouble. I have reproduceable cases where that cause the
tty layer to try to echo, thus calling back the serial_core
uart_put_char() which will try to ... take the spinlock. Dead.
- what about the call to tty_flip_buffer_push() done by all
drivers with the lock held too ? It's fine as long as we don't
have this low_latency thing set. I suppose nothing but the driver
itself will set it but I got a bit lost in the serial_core, can
you just confirm that is ok ?
- I had a couple of times a crash in n_tty_receive_buf() called
from keventd (from ldisc flip workqueue), apparently racing with
a close of the port. The scenario is that the close happens, i
get out of my driver back to serial core which goes back to
tty_release afaik. At that point (I'm not sure exactly when, maybe
in the flush of the pending work queues that is done there, maybe
just on the other CPU), the pending work queue is triggered since
our input buffer is still full of crap.
It reliably oopses trying to derefence 0 (writing a byte, it's not
a memcpy, without a spinlocked region, I haven't spotted exactly
where in n_tty_receive_buf(), this function is shit to disassemble
as it seems to get a ton of things inlined).
Ben.
next prev parent reply other threads:[~2004-03-05 9:19 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-03-05 7:54 [PATCH] For test only: pmac_zilog fixes (cups lockup at boot): Benjamin Herrenschmidt
2004-03-05 8:58 ` Russell King
2004-03-05 9:02 ` Benjamin Herrenschmidt
2004-03-05 9:18 ` Benjamin Herrenschmidt [this message]
2004-03-05 9:41 ` serial driver / tty issues Russell King
2004-03-05 11:13 ` Benjamin Herrenschmidt
2004-03-05 9:05 ` [PATCH] For test only: pmac_zilog fixes (cups lockup at boot): Benjamin Herrenschmidt
2004-03-05 9:24 ` Russell King
2004-03-05 9:29 ` Benjamin Herrenschmidt
2004-03-05 9:48 ` Russell King
2004-03-05 11:14 ` Benjamin Herrenschmidt
2004-03-05 17:52 ` Matthias Urlichs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1078478335.5702.79.camel@gaston \
--to=benh@kernel.crashing.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rmk+lkml@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox