[30/49] hvc_console: Fix race between hvc_close and hvc_remove

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
	akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
	Amit Shah <amit.shah@redhat.com>,
	linuxppc-dev@ozlabs.org, Rusty Russell <rusty@rustcorp.com.au>
Subject: [30/49] hvc_console: Fix race between hvc_close and hvc_remove
Date: Wed, 05 Jan 2011 15:00:48 -0800	[thread overview]
Message-ID: <20110105230326.477177117@clark.site> (raw)
In-Reply-To: <20110105230438.GA26241@kroah.com>

2.6.32-longterm review patch.  If anyone has any objections, please let us know.

------------------

From: Amit Shah <amit.shah@redhat.com>

commit e74d098c66543d0731de62eb747ccd5b636a6f4c upstream.

Alan pointed out a race in the code where hvc_remove is invoked. The
recent virtio_console work is the first user of hvc_remove().

Alan describes it thus:

The hvc_console assumes that a close and remove call can't occur at the
same time.

In addition tty_hangup(tty) is problematic as tty_hangup is asynchronous
itself....

So this can happen

        hvc_close                               hvc_remove
        hung up ? - no
                                                lock
                                                tty = hp->tty
                                                unlock
        lock
        hp->tty = NULL
        unlock
        notify del
        kref_put the hvc struct
        close completes
        tty is destroyed
                                                tty_hangup dead tty
                                                tty->ops will be NULL
                                                NULL->...

This patch adds some tty krefs and also converts to using tty_vhangup().

Reported-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
CC: Alan Cox <alan@lxorguk.ukuu.org.uk>
CC: linuxppc-dev@ozlabs.org
CC: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/char/hvc_console.c |   31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

--- a/drivers/char/hvc_console.c
+++ b/drivers/char/hvc_console.c
@@ -312,6 +312,7 @@ static int hvc_open(struct tty_struct *t
 	spin_lock_irqsave(&hp->lock, flags);
 	/* Check and then increment for fast path open. */
 	if (hp->count++ > 0) {
+		tty_kref_get(tty);
 		spin_unlock_irqrestore(&hp->lock, flags);
 		hvc_kick();
 		return 0;
@@ -319,7 +320,7 @@ static int hvc_open(struct tty_struct *t
 
 	tty->driver_data = hp;
 
-	hp->tty = tty;
+	hp->tty = tty_kref_get(tty);
 
 	spin_unlock_irqrestore(&hp->lock, flags);
 
@@ -336,6 +337,7 @@ static int hvc_open(struct tty_struct *t
 		spin_lock_irqsave(&hp->lock, flags);
 		hp->tty = NULL;
 		spin_unlock_irqrestore(&hp->lock, flags);
+		tty_kref_put(tty);
 		tty->driver_data = NULL;
 		kref_put(&hp->kref, destroy_hvc_struct);
 		printk(KERN_ERR "hvc_open: request_irq failed with rc %d.\n", rc);
@@ -363,13 +365,18 @@ static void hvc_close(struct tty_struct
 		return;
 
 	hp = tty->driver_data;
+
 	spin_lock_irqsave(&hp->lock, flags);
+	tty_kref_get(tty);
 
 	if (--hp->count == 0) {
 		/* We are done with the tty pointer now. */
 		hp->tty = NULL;
 		spin_unlock_irqrestore(&hp->lock, flags);
 
+		/* Put the ref obtained in hvc_open() */
+		tty_kref_put(tty);
+
 		if (hp->ops->notifier_del)
 			hp->ops->notifier_del(hp, hp->data);
 
@@ -389,6 +396,7 @@ static void hvc_close(struct tty_struct
 		spin_unlock_irqrestore(&hp->lock, flags);
 	}
 
+	tty_kref_put(tty);
 	kref_put(&hp->kref, destroy_hvc_struct);
 }
 
@@ -424,10 +432,11 @@ static void hvc_hangup(struct tty_struct
 	spin_unlock_irqrestore(&hp->lock, flags);
 
 	if (hp->ops->notifier_hangup)
-			hp->ops->notifier_hangup(hp, hp->data);
+		hp->ops->notifier_hangup(hp, hp->data);
 
 	while(temp_open_count) {
 		--temp_open_count;
+		tty_kref_put(tty);
 		kref_put(&hp->kref, destroy_hvc_struct);
 	}
 }
@@ -592,7 +601,7 @@ int hvc_poll(struct hvc_struct *hp)
 	}
 
 	/* No tty attached, just skip */
-	tty = hp->tty;
+	tty = tty_kref_get(hp->tty);
 	if (tty == NULL)
 		goto bail;
 
@@ -672,6 +681,8 @@ int hvc_poll(struct hvc_struct *hp)
 
 		tty_flip_buffer_push(tty);
 	}
+	if (tty)
+		tty_kref_put(tty);
 
 	return poll_mask;
 }
@@ -806,7 +817,7 @@ int hvc_remove(struct hvc_struct *hp)
 	struct tty_struct *tty;
 
 	spin_lock_irqsave(&hp->lock, flags);
-	tty = hp->tty;
+	tty = tty_kref_get(hp->tty);
 
 	if (hp->index < MAX_NR_HVC_CONSOLES)
 		vtermnos[hp->index] = -1;
@@ -818,18 +829,18 @@ int hvc_remove(struct hvc_struct *hp)
 	/*
 	 * We 'put' the instance that was grabbed when the kref instance
 	 * was initialized using kref_init().  Let the last holder of this
-	 * kref cause it to be removed, which will probably be the tty_hangup
+	 * kref cause it to be removed, which will probably be the tty_vhangup
 	 * below.
 	 */
 	kref_put(&hp->kref, destroy_hvc_struct);
 
 	/*
-	 * This function call will auto chain call hvc_hangup.  The tty should
-	 * always be valid at this time unless a simultaneous tty close already
-	 * cleaned up the hvc_struct.
+	 * This function call will auto chain call hvc_hangup.
 	 */
-	if (tty)
-		tty_hangup(tty);
+	if (tty) {
+		tty_vhangup(tty);
+		tty_kref_put(tty);
+	}
 	return 0;
 }

next prev parent reply	other threads:[~2011-01-05 23:08 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-01-05 23:04 [00/49] 2.6.32.28-longterm review Greg KH
2011-01-05 23:00 ` Greg KH
2011-01-05 23:00 ` [01/49] TTY: Fix error return from tty_ldisc_open() Greg KH
2011-01-05 23:00 ` [02/49] x86, hotplug: Use mwait to offline a processor, fix the legacy case Greg KH
2011-01-05 23:00 ` [03/49] fuse: verify ioctl retries Greg KH
2011-01-05 23:00 ` [04/49] fuse: fix ioctl when server is 32bit Greg KH
2011-01-05 23:00 ` [05/49] ALSA: hda: Use model=lg quirk for LG P1 Express to enable playback and capture Greg KH
2011-01-05 23:00 ` [06/49] drm/kms: remove spaces from connector names (v2) Greg KH
2011-01-05 23:49   ` [Stable-review] " Ben Hutchings
2011-01-05 23:56     ` Greg KH
2011-01-06  0:04       ` Ben Hutchings
2011-01-06  0:32         ` Alex Deucher
2011-01-05 23:00 ` [07/49] nohz: Fix printk_needs_cpu() return value on offline cpus Greg KH
2011-01-05 23:00 ` [08/49] nohz: Fix get_next_timer_interrupt() vs cpu hotplug Greg KH
2011-01-05 23:00 ` [09/49] NFS: Fix panic after nfs_umount() Greg KH
2011-01-05 23:00 ` [10/49] nfsd: Fix possible BUG_ON firing in set_change_info Greg KH
2011-01-05 23:00 ` [11/49] NFS: Fix fcntl F_GETLK not reporting some conflicts Greg KH
2011-01-05 23:00 ` [12/49] sunrpc: prevent use-after-free on clearing XPT_BUSY Greg KH
2011-01-05 23:00 ` [13/49] hwmon: (adm1026) Allow 1 as a valid divider value Greg KH
2011-01-05 23:00 ` [14/49] hwmon: (adm1026) Fix setting fan_div Greg KH
2011-01-05 23:00 ` [15/49] amd64_edac: Fix interleaving check Greg KH
2011-01-05 23:00 ` [16/49] IB/uverbs: Handle large number of entries in poll CQ Greg KH
2011-01-05 23:00 ` [17/49] PM / Hibernate: Fix PM_POST_* notification with user-space suspend Greg KH
2011-01-05 23:00 ` [18/49] ACPICA: Fix Scope() op in module level code Greg KH
2011-01-05 23:00 ` [19/49] ACPI: EC: Add another dmi match entry for MSI hardware Greg KH
2011-01-05 23:00 ` [20/49] orinoco: fix TKIP countermeasure behaviour Greg KH
2011-01-05 23:00 ` [21/49] orinoco: clear countermeasure setting on commit Greg KH
2011-01-05 23:00 ` [22/49] x86, amd: Fix panic on AMD CPU family 0x15 Greg KH
2011-01-05 23:00 ` [23/49] md: fix bug with re-adding of partially recovered device Greg KH
2011-01-05 23:00 ` [24/49] tracing: Fix panic when lseek() called on "trace" opened for writing Greg KH
2011-01-05 23:00 ` [25/49] x86, gcc-4.6: Use gcc -m options when building vdso Greg KH
2011-01-05 23:00 ` [26/49] x86: Enable the intr-remap fault handling after local APIC setup Greg KH
2011-01-05 23:00 ` [27/49] x86, vt-d: Handle previous faults after enabling fault handling Greg KH
2011-01-05 23:00 ` [28/49] x86, vt-d: Fix the vt-d fault handling irq migration in the x2apic mode Greg KH
2011-01-05 23:00 ` [29/49] x86, vt-d: Quirk for masking vtd spec errors to platform error handling logic Greg KH
2011-01-05 23:00 ` Greg KH [this message]
2011-01-05 23:00 ` [31/49] hvc_console: Fix race between hvc_close and hvc_remove, again Greg KH
2011-01-05 23:00 ` [32/49] HID: hidraw: fix window in hidraw_release Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20110105230326.477177117@clark.site \
    --to=gregkh@suse.de \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=amit.shah@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linuxppc-dev@ozlabs.org \
    --cc=rusty@rustcorp.com.au \
    --cc=stable-review@kernel.org \
    --cc=stable@kernel.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox