From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Dirkjan Bussink <dirkjan.bussink@nedap.com>
Subject: [ 16/58] tty: Prevent deadlock in n_gsm driver
Date: Mon, 25 Feb 2013 14:19:12 -0800 [thread overview]
Message-ID: <20130225221639.518423325@linuxfoundation.org> (raw)
In-Reply-To: <20130225221636.018756060@linuxfoundation.org>
3.7-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dirkjan Bussink <d.bussink@gmail.com>
commit 4d9b109060f690f5c835130ff54165ae157b3087 upstream.
This change fixes a deadlock when the multiplexer is closed while there
are still client side ports open.
When the multiplexer is closed and there are active tty's it tries to
close them with tty_vhangup. This has a problem though, because
tty_vhangup needs the tty_lock. This patch changes it to unlock the
tty_lock before attempting the hangup and relocks afterwards. The
additional call to tty_port_tty_set is needed because otherwise the
port stays active because of the reference counter.
This change also exposed another problem that other code paths don't
expect that the multiplexer could have been closed. This patch also adds
checks for these cases in the gsmtty_ class of function that could be
called.
The documentation explicitly states that "first close all virtual ports
before closing the physical port" but we've found this to not always
reality in our field situations. The GPRS / UTMS modem sometimes crashes
and needs a power cycle in that case which means cleanly shutting down
everything is not always possible. This change makes it much more robust
for our situation where at least the system is recoverable with this patch
and doesn't hang in a deadlock situation inside the kernel.
The patch is against the long term support kernel (3.4.27) and should
apply cleanly to more recent branches. Tested with a Telit GE864-QUADV2
and Telit HE910 modem.
Signed-off-by: Dirkjan Bussink <dirkjan.bussink@nedap.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/n_gsm.c | 42 +++++++++++++++++++++++++++++++++++++++++-
1 file changed, 41 insertions(+), 1 deletion(-)
--- a/drivers/tty/n_gsm.c
+++ b/drivers/tty/n_gsm.c
@@ -1691,6 +1691,8 @@ static inline void dlci_put(struct gsm_d
kref_put(&dlci->ref, gsm_dlci_free);
}
+static void gsm_destroy_network(struct gsm_dlci *dlci);
+
/**
* gsm_dlci_release - release DLCI
* @dlci: DLCI to destroy
@@ -1704,9 +1706,19 @@ static void gsm_dlci_release(struct gsm_
{
struct tty_struct *tty = tty_port_tty_get(&dlci->port);
if (tty) {
+ mutex_lock(&dlci->mutex);
+ gsm_destroy_network(dlci);
+ mutex_unlock(&dlci->mutex);
+
+ /* tty_vhangup needs the tty_lock, so unlock and
+ relock after doing the hangup. */
+ tty_unlock(tty);
tty_vhangup(tty);
+ tty_lock(tty);
+ tty_port_tty_set(&dlci->port, NULL);
tty_kref_put(tty);
}
+ dlci->state = DLCI_CLOSED;
dlci_put(dlci);
}
@@ -2948,6 +2960,8 @@ static void gsmtty_close(struct tty_stru
if (dlci == NULL)
return;
+ if (dlci->state == DLCI_CLOSED)
+ return;
mutex_lock(&dlci->mutex);
gsm_destroy_network(dlci);
mutex_unlock(&dlci->mutex);
@@ -2966,6 +2980,8 @@ out:
static void gsmtty_hangup(struct tty_struct *tty)
{
struct gsm_dlci *dlci = tty->driver_data;
+ if (dlci->state == DLCI_CLOSED)
+ return;
tty_port_hangup(&dlci->port);
gsm_dlci_begin_close(dlci);
}
@@ -2973,9 +2989,12 @@ static void gsmtty_hangup(struct tty_str
static int gsmtty_write(struct tty_struct *tty, const unsigned char *buf,
int len)
{
+ int sent;
struct gsm_dlci *dlci = tty->driver_data;
+ if (dlci->state == DLCI_CLOSED)
+ return -EINVAL;
/* Stuff the bytes into the fifo queue */
- int sent = kfifo_in_locked(dlci->fifo, buf, len, &dlci->lock);
+ sent = kfifo_in_locked(dlci->fifo, buf, len, &dlci->lock);
/* Need to kick the channel */
gsm_dlci_data_kick(dlci);
return sent;
@@ -2984,18 +3003,24 @@ static int gsmtty_write(struct tty_struc
static int gsmtty_write_room(struct tty_struct *tty)
{
struct gsm_dlci *dlci = tty->driver_data;
+ if (dlci->state == DLCI_CLOSED)
+ return -EINVAL;
return TX_SIZE - kfifo_len(dlci->fifo);
}
static int gsmtty_chars_in_buffer(struct tty_struct *tty)
{
struct gsm_dlci *dlci = tty->driver_data;
+ if (dlci->state == DLCI_CLOSED)
+ return -EINVAL;
return kfifo_len(dlci->fifo);
}
static void gsmtty_flush_buffer(struct tty_struct *tty)
{
struct gsm_dlci *dlci = tty->driver_data;
+ if (dlci->state == DLCI_CLOSED)
+ return;
/* Caution needed: If we implement reliable transport classes
then the data being transmitted can't simply be junked once
it has first hit the stack. Until then we can just blow it
@@ -3014,6 +3039,8 @@ static void gsmtty_wait_until_sent(struc
static int gsmtty_tiocmget(struct tty_struct *tty)
{
struct gsm_dlci *dlci = tty->driver_data;
+ if (dlci->state == DLCI_CLOSED)
+ return -EINVAL;
return dlci->modem_rx;
}
@@ -3023,6 +3050,8 @@ static int gsmtty_tiocmset(struct tty_st
struct gsm_dlci *dlci = tty->driver_data;
unsigned int modem_tx = dlci->modem_tx;
+ if (dlci->state == DLCI_CLOSED)
+ return -EINVAL;
modem_tx &= ~clear;
modem_tx |= set;
@@ -3041,6 +3070,8 @@ static int gsmtty_ioctl(struct tty_struc
struct gsm_netconfig nc;
int index;
+ if (dlci->state == DLCI_CLOSED)
+ return -EINVAL;
switch (cmd) {
case GSMIOC_ENABLE_NET:
if (copy_from_user(&nc, (void __user *)arg, sizeof(nc)))
@@ -3067,6 +3098,9 @@ static int gsmtty_ioctl(struct tty_struc
static void gsmtty_set_termios(struct tty_struct *tty, struct ktermios *old)
{
+ struct gsm_dlci *dlci = tty->driver_data;
+ if (dlci->state == DLCI_CLOSED)
+ return;
/* For the moment its fixed. In actual fact the speed information
for the virtual channel can be propogated in both directions by
the RPN control message. This however rapidly gets nasty as we
@@ -3078,6 +3112,8 @@ static void gsmtty_set_termios(struct tt
static void gsmtty_throttle(struct tty_struct *tty)
{
struct gsm_dlci *dlci = tty->driver_data;
+ if (dlci->state == DLCI_CLOSED)
+ return;
if (tty->termios.c_cflag & CRTSCTS)
dlci->modem_tx &= ~TIOCM_DTR;
dlci->throttled = 1;
@@ -3088,6 +3124,8 @@ static void gsmtty_throttle(struct tty_s
static void gsmtty_unthrottle(struct tty_struct *tty)
{
struct gsm_dlci *dlci = tty->driver_data;
+ if (dlci->state == DLCI_CLOSED)
+ return;
if (tty->termios.c_cflag & CRTSCTS)
dlci->modem_tx |= TIOCM_DTR;
dlci->throttled = 0;
@@ -3099,6 +3137,8 @@ static int gsmtty_break_ctl(struct tty_s
{
struct gsm_dlci *dlci = tty->driver_data;
int encode = 0; /* Off */
+ if (dlci->state == DLCI_CLOSED)
+ return -EINVAL;
if (state == -1) /* "On indefinitely" - we can't encode this
properly */
next prev parent reply other threads:[~2013-02-25 22:20 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-25 22:18 [ 00/58] 3.7.10-stable review Greg Kroah-Hartman
2013-02-25 22:18 ` [ 01/58] drm/nouveau/vm: fix memory corruption when pgt allocation fails Greg Kroah-Hartman
2013-02-25 22:18 ` [ 02/58] x86-32, mm: Rip out x86_32 NUMA remapping code Greg Kroah-Hartman
2013-02-25 22:18 ` [ 03/58] x86-32, mm: Remove reference to resume_map_numa_kva() Greg Kroah-Hartman
2013-02-25 22:19 ` [ 04/58] x86-32, mm: Remove reference to alloc_remap() Greg Kroah-Hartman
2013-02-25 22:19 ` [ 05/58] perf tools: Fix build with bison 2.3 and older Greg Kroah-Hartman
2013-02-25 22:19 ` [ 06/58] perf hists: Fix period symbol_conf.field_sep display Greg Kroah-Hartman
2013-02-25 22:19 ` [ 07/58] mm: fix pageblock bitmap allocation Greg Kroah-Hartman
2013-02-25 22:19 ` [ 08/58] timeconst.pl: Eliminate Perl warning Greg Kroah-Hartman
2013-02-25 22:19 ` [ 09/58] genirq: Avoid deadlock in spurious handling Greg Kroah-Hartman
2013-02-25 22:19 ` [ 10/58] posix-cpu-timers: Fix nanosleep task_struct leak Greg Kroah-Hartman
2013-02-25 22:19 ` [ 11/58] hrtimer: Prevent hrtimer_enqueue_reprogram race Greg Kroah-Hartman
2013-02-25 22:19 ` [ 12/58] x86: Hyper-V: register clocksource only if its advertised Greg Kroah-Hartman
2013-02-25 22:19 ` [ 13/58] workqueue: un-GPL function delayed_work_timer_fn() Greg Kroah-Hartman
2013-02-25 22:19 ` [ 14/58] ALSA: ali5451: remove irq enabling in pointer callback Greg Kroah-Hartman
2013-02-25 22:19 ` [ 15/58] ALSA: rme32.c irq enabling after spin_lock_irq Greg Kroah-Hartman
2013-02-25 22:19 ` Greg Kroah-Hartman [this message]
2013-02-25 22:19 ` [ 17/58] tty: set_termios/set_termiox should not return -EINTR Greg Kroah-Hartman
2013-02-25 22:19 ` [ 18/58] USB: serial: fix null-pointer dereferences on disconnect Greg Kroah-Hartman
2013-02-25 22:19 ` [ 19/58] serial: imx: Fix recursive locking bug Greg Kroah-Hartman
2013-02-25 22:19 ` [ 20/58] serial_core: Fix type definition for PORT_BRCM_TRUMANAGE Greg Kroah-Hartman
2013-02-25 22:19 ` [ 21/58] b43: Increase number of RX DMA slots Greg Kroah-Hartman
2013-02-25 22:19 ` [ 22/58] rtlwifi: rtl8192cu: Add new USB ID Greg Kroah-Hartman
2013-02-25 22:19 ` [ 23/58] rtlwifi: usb: allocate URB control message setup_packet and data buffer separately Greg Kroah-Hartman
2013-02-25 22:19 ` [ 24/58] tty vt: fix character insertion overflow Greg Kroah-Hartman
2013-02-25 22:19 ` [ 25/58] xen: Send spinlock IPI to all waiters Greg Kroah-Hartman
2013-02-25 22:19 ` [ 26/58] xen: close evtchn port if binding to irq fails Greg Kroah-Hartman
2013-02-25 22:19 ` [ 27/58] zram: Fix deadlock bug in partial read/write Greg Kroah-Hartman
2013-02-25 22:19 ` [ 28/58] Driver core: treat unregistered bus_types as having no devices Greg Kroah-Hartman
2013-02-25 22:19 ` [ 29/58] mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts Greg Kroah-Hartman
2013-02-25 22:19 ` [ 30/58] KVM: s390: Handle hosts not supporting s390-virtio Greg Kroah-Hartman
2013-02-25 22:19 ` [ 31/58] s390/kvm: Fix store status for ACRS/FPRS Greg Kroah-Hartman
2013-02-25 22:19 ` [ 32/58] futex: Revert "futex: Mark get_robust_list as deprecated" Greg Kroah-Hartman
2013-02-25 22:19 ` [ 33/58] inotify: remove broken mask checks causing unmount to be EINVAL Greg Kroah-Hartman
2013-02-25 22:19 ` [ 34/58] fs/block_dev.c: page cache wrongly left invalidated after revalidate_disk() Greg Kroah-Hartman
2013-02-25 22:19 ` [ 35/58] ocfs2: unlock super lock if lockres refresh failed Greg Kroah-Hartman
2013-02-25 22:19 ` [ 36/58] drivers/video/backlight/adp88?0_bl.c: fix resume Greg Kroah-Hartman
2013-02-25 22:19 ` [ 37/58] tmpfs: fix use-after-free of mempolicy object Greg Kroah-Hartman
2013-02-25 22:19 ` [ 38/58] mm/fadvise.c: drain all pagevecs if POSIX_FADV_DONTNEED fails to discard all pages Greg Kroah-Hartman
2013-02-25 22:19 ` [ 39/58] xen-pciback: rate limit error messages from xen_pcibk_enable_msi{,x}() Greg Kroah-Hartman
2013-02-25 22:19 ` [ 40/58] drivercore: Fix ordering between deferred_probe and exiting initcalls Greg Kroah-Hartman
2013-02-25 22:19 ` [ 41/58] umount oops when remove blocklayoutdriver first Greg Kroah-Hartman
2013-02-25 22:19 ` [ 42/58] NLM: Ensure that we resend all pending blocking locks after a reclaim Greg Kroah-Hartman
2013-02-25 22:19 ` [ 43/58] NFSv4.1: Dont decode skipped layoutgets Greg Kroah-Hartman
2013-02-25 22:19 ` [ 44/58] p54usb: corrected USB ID for T-Com Sinus 154 data II Greg Kroah-Hartman
2013-02-25 22:19 ` [ 45/58] ALSA: usb-audio: fix Roland A-PRO support Greg Kroah-Hartman
2013-02-25 22:19 ` [ 46/58] ALSA: usb: Fix Processing Unit Descriptor parsers Greg Kroah-Hartman
2013-02-25 22:19 ` [ 47/58] ALSA: hda - Release assigned pin/cvt at error path of hdmi_pcm_open() Greg Kroah-Hartman
2013-02-25 22:19 ` [ 48/58] ALSA: hda - Fix default multichannel HDMI mapping regression Greg Kroah-Hartman
2013-02-25 22:19 ` [ 49/58] ALSA: hda - Workaround for silent output on Sony Vaio VGC-LN51JGB with ALC889 Greg Kroah-Hartman
2013-02-25 22:19 ` [ 50/58] ALSA: hda - hdmi: ELD shouldnt be valid after unplug Greg Kroah-Hartman
2013-02-25 22:19 ` [ 51/58] GFS2: Get a block reservation before resizing a file Greg Kroah-Hartman
2013-02-25 22:34 ` Bob Peterson
2013-02-25 22:19 ` [ 52/58] sunvdc: Fix off-by-one in generic_request() Greg Kroah-Hartman
2013-02-25 22:19 ` [ 53/58] sparc64: Add missing HAVE_ARCH_TRANSPARENT_HUGEPAGE Greg Kroah-Hartman
2013-02-25 22:19 ` [ 54/58] sparc64: Fix get_user_pages_fast() wrt. THP Greg Kroah-Hartman
2013-02-25 22:19 ` [ 55/58] sparc64: Fix gfp_flags setting in tsb_grow() Greg Kroah-Hartman
2013-02-25 22:19 ` [ 56/58] sparc64: Handle hugepage TSB being NULL Greg Kroah-Hartman
2013-02-25 22:19 ` [ 57/58] sparc64: Fix tsb_grow() in atomic context Greg Kroah-Hartman
2013-02-25 22:19 ` [ 58/58] sparc64: Fix huge PMD to PTE translation for sun4u in TLB miss handler Greg Kroah-Hartman
2013-02-26 0:47 ` [ 00/58] 3.7.10-stable review Shuah Khan
2013-02-26 1:02 ` Greg Kroah-Hartman
2013-02-26 17:37 ` Andre Tomt
2013-02-26 17:48 ` Josh Boyer
2013-02-26 17:52 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130225221639.518423325@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dirkjan.bussink@nedap.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox