possible locking bug in tty_open

possible locking bug in tty_open

[Arnd Bergmann]

While playing some more with my TTY BKL patches, I stumbled over
what looks like a bug in tty_open, introduced in e8c6210 
"tty: push the BKL down into the handlers a bit":

After the "retry_open:" label, we first get the tty_mutex
and then the BKL. However a the end of tty_open, we jump
back to retry_open with the BKL still held. If we run into
this case, the tty_open function will be left with the BKL
still held.

It may be impossible to actually trigger this bug, because
the path is only taken if a tty driver open function returns
-ERESTARTSYS without setting signal_pending().

	Arnd

Re: possible locking bug in tty_open

[Alan Cox]

On Sun, 2 May 2010 22:47:33 +0200
Arnd Bergmann <arnd@arndb.de> wrote:

> While playing some more with my TTY BKL patches, I stumbled over
> what looks like a bug in tty_open, introduced in e8c6210 
> "tty: push the BKL down into the handlers a bit":
> 
> After the "retry_open:" label, we first get the tty_mutex
> and then the BKL. However a the end of tty_open, we jump
> back to retry_open with the BKL still held. If we run into
> this case, the tty_open function will be left with the BKL
> still held.
> 
> It may be impossible to actually trigger this bug, because
> the path is only taken if a tty driver open function returns
> -ERESTARTSYS without setting signal_pending().

It looks pretty much impossible to trigger but it's definitely a bug.
I'll send Greg a patch

Re: possible locking bug in tty_open

[Alan Cox]

On Sun, 2 May 2010 22:47:33 +0200
Arnd Bergmann <arnd@arndb.de> wrote:

> While playing some more with my TTY BKL patches, I stumbled over
> what looks like a bug in tty_open, introduced in e8c6210 
> "tty: push the BKL down into the handlers a bit":
> 
> After the "retry_open:" label, we first get the tty_mutex
> and then the BKL. However a the end of tty_open, we jump
> back to retry_open with the BKL still held. If we run into
> this case, the tty_open function will be left with the BKL
> still held.
> 
> It may be impossible to actually trigger this bug, because
> the path is only taken if a tty driver open function returns
> -ERESTARTSYS without setting signal_pending().
> 
> 	Arnd

I think all we need is probably this

tty: Fix unbalanced BKL handling in error path
    
Arnd noted:
    
After the "retry_open:" label, we first get the tty_mutex
and then the BKL. However a the end of tty_open, we jump
back to retry_open with the BKL still held. If we run into
this case, the tty_open function will be left with the BKL
still held.
    
Signed-off-by: Alan Cox <alan@linux.intel.com>

diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c
index 6da962c..fe810a7 100644
--- a/drivers/char/tty_io.c
+++ b/drivers/char/tty_io.c
@@ -1875,6 +1875,7 @@ got_driver:
 		 */
 		if (filp->f_op == &hung_up_tty_fops)
 			filp->f_op = &tty_fops;
+		unlock_kernel();
 		goto retry_open;
 	}
 	unlock_kernel();

Re: possible locking bug in tty_open

[Arnd Bergmann]

On Tuesday 04 May 2010 21:42:36 Alan Cox wrote:
> On Sun, 2 May 2010 22:47:33 +0200
> Arnd Bergmann <arnd@arndb.de> wrote:

> > After the "retry_open:" label, we first get the tty_mutex
> > and then the BKL. However a the end of tty_open, we jump
> > back to retry_open with the BKL still held. If we run into
> > this case, the tty_open function will be left with the BKL
> > still held.

> I think all we need is probably this
> 
> tty: Fix unbalanced BKL handling in error path
>     
> Arnd noted:
>     
> After the "retry_open:" label, we first get the tty_mutex
> and then the BKL. However a the end of tty_open, we jump
> back to retry_open with the BKL still held. If we run into
> this case, the tty_open function will be left with the BKL
> still held.

Yes, looks good.

>     
> Signed-off-by: Alan Cox <alan@linux.intel.com>

Acked-by: Arnd Bergmann <arnd@arndb.de>