From: "Frédéric L. W. Meunier" <fredlwm@gmail.com>
To: "Justin P. Mattock" <justinmattock@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Nix <nix@esperi.org.uk>, Alan Cox <alan@lxorguk.ukuu.org.uk>,
	Paul Fulghum <paulkf@microgate.com>,
	"Rafael J. Wysocki" <rjw@sisk.pl>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Kernel Testers List <kernel-testers@vger.kernel.org>,
	Boyan <btanastasov@yahoo.co.uk>,
	Dmitry Torokhov <dmitry.torokhov@gmail.com>,
	Ed Tomlinson <edt@aei.ca>,
	OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Subject: Re: [Bug #14388] keyboard under X with 2.6.31
Date: Tue, 13 Oct 2009 04:13:34 -0300 (BRST)
Message-ID: <alpine.LNX.2.01.0910130405200.9297@dyndns.pervalidus.net>
In-Reply-To: <4AD3F769.5080405@gmail.com>

On Mon, 12 Oct 2009, Justin P. Mattock wrote:

> Linus Torvalds wrote:
>> [ Alan, Paulkf - the tty buffering and locking is originally your code,
>>    although from about three years ago, when it used to be in tty_io.c..
>>    Any comment? ]
>> 
>> On Mon, 12 Oct 2009, Linus Torvalds wrote:
>> 
>>> Alan, Ogawa-san, do either of you see some problem in tty_buffer.c,
>>> perhaps?
>>> 
>> 
>> Hmm. I see one, at least.
>> 
>> The "tty_insert_flip_string()" locking seems totally bogus.
>> 
>> It does that "tty_buffer_request_room()" call and subsequent copying with
>> no locking at all - sure, the tty_buffer_request_room() function itself
>> locks the buffers, but then unlocks it when returning, so when we actually
>> do the memcpy() etc, we can race with anybody.
>> 
>> I don't really see who would care, but it does look totally broken.
>> 
>> I dunno, this patch seems to make sense to me. Am I missing something?
>> 
>> [ NOTE! The patch is totally untested. It compiled for me on x86-64, and
>>    apart from that I'm just going to say that it looks obvious, and the old
>>    code looks obviously buggy. Also, any remaining users of
>>
>> 	tty_prepare_flip_string
>> 	tty_prepare_flip_string_flags
>>
>>    are still fundamentally broken and buggy, while users of
>>
>> 	tty_buffer_request_room
>>
>>    are pretty damn odd and suspect (but a lot of them seem to be just
>>    pointless: they then call tty_insert_flip_string(), which means that the
>>    tty_buffer_request_room() call was totally redundant ]
>> 
>> Comments? Does this work? Does it make any difference? It seems fairly
>> unlikely, but it's the only obvious problem I've seen in the tty buffering
>> code so far.
>> 
>> And that code is literally 3 years old, and it seems unlikely that a
>> regular _keyboard_ buffer would be able to hit the (rather small) race
>> condition. But other serialization may have hidden it, and timing
>> differences could certainly have caused it to trigger much more easily.
>>
>> 			Linus
>> 
>> ---
>>   drivers/char/tty_buffer.c |   33 +++++++++++++++++++++++++--------
>>   1 files changed, 25 insertions(+), 8 deletions(-)
>> 
>> diff --git a/drivers/char/tty_buffer.c b/drivers/char/tty_buffer.c
>> index 3108991..25ab538 100644
>> --- a/drivers/char/tty_buffer.c
>> +++ b/drivers/char/tty_buffer.c
>> @@ -196,13 +196,10 @@ static struct tty_buffer *tty_buffer_find(struct 
>> tty_struct *tty, size_t size)
>>    *
>>    *	Locking: Takes tty->buf.lock
>>    */
>> -int tty_buffer_request_room(struct tty_struct *tty, size_t size)
>> +static int locked_tty_buffer_request_room(struct tty_struct *tty, size_t 
>> size)
>>   {
>>   	struct tty_buffer *b, *n;
>>   	int left;
>> -	unsigned long flags;
>> -
>> -	spin_lock_irqsave(&tty->buf.lock, flags);
>>
>>   	/* OPTIMISATION: We could keep a per tty "zero" sized buffer to
>>   	   remove this conditional if its worth it. This would be invisible
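Review bot: the context line "Locking: Takes tty->buf.lock" directly above the renamed function is now stale, because locked_tty_buffer_request_room() no longer takes the lock itself (the spin_lock_irqsave() call and the flags local are removed here). The comment should state that the caller must hold tty->buf.lock, so that a later caller of the static helper does not invoke it unlocked.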
>> @@ -225,9 +222,20 @@ int tty_buffer_request_room(struct tty_struct *tty, 
>> size_t size)
>>   			size = left;
>>   	}
>> 
>> -	spin_unlock_irqrestore(&tty->buf.lock, flags);
>>   	return size;
>>   }
>> +
>> +int tty_buffer_request_room(struct tty_struct *tty, size_t size)
>> +{
>> +	int retval;
>> +	unsigned long flags;
>> +
>> +	spin_lock_irqsave(&tty->buf.lock, flags);
>> +	retval = locked_tty_buffer_request_room(tty, size);
>> +	spin_unlock_irqrestore(&tty->buf.lock, flags);
>> +	return retval;
>> +}
>> +
>>   EXPORT_SYMBOL_GPL(tty_buffer_request_room);
>>
>>   /**
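Review bot: the new exported tty_buffer_request_room() wrapper has no comment, and it releases tty->buf.lock before returning retval, so the room it reports is only a hint by the time the caller acts on it. A short comment above the wrapper should say so, since a caller that requests room and then fills the tail buffer itself is still unserialized against other producers, which is the same window the patch closes for tty_insert_flip_string().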
>> @@ -239,16 +247,20 @@ EXPORT_SYMBOL_GPL(tty_buffer_request_room);
>>    *	Queue a series of bytes to the tty buffering. All the characters
>>    *	passed are marked as without error. Returns the number added.
>>    *
>> - *	Locking: Called functions may take tty->buf.lock
>> + *	Locking: We take tty->buf.lock
>>    */
>>
>>   int tty_insert_flip_string(struct tty_struct *tty, const unsigned char 
>> *chars,
>>   				size_t size)
>>   {
>>   	int copied = 0;
>> +	unsigned long flags;
>> +
>> +	spin_lock_irqsave(&tty->buf.lock, flags);
>>   	do {
>> -		int space = tty_buffer_request_room(tty, size - copied);
>> +		int space = locked_tty_buffer_request_room(tty, size - 
>> copied);
>>   		struct tty_buffer *tb = tty->buf.tail;
>> +
>>   		/* If there is no space then tb may be NULL */
>>   		if (unlikely(space == 0))
>>   			break;
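Review bot: in tty_insert_flip_string(), spin_lock_irqsave() is now taken before the do loop, so interrupts stay disabled for the whole multi-buffer copy of up to size bytes instead of only for the room request. If that hold time matters for large writes, taking and releasing the lock inside each loop iteration would still keep the request and the copy atomic while bounding the IRQ-off window.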
>> @@ -260,6 +272,7 @@ int tty_insert_flip_string(struct tty_struct *tty, 
>> const unsigned char *chars,
>>   		/* There is a small chance that we need to split the data 
>> over
>>   		   several buffers. If this is the case we must loop */
>>   	} while (unlikely(size>  copied));
>> +	spin_unlock_irqrestore(&tty->buf.lock, flags);
>>   	return copied;
>>   }
>>   EXPORT_SYMBOL(tty_insert_flip_string);
>> @@ -282,8 +295,11 @@ int tty_insert_flip_string_flags(struct tty_struct 
>> *tty,
>>   		const unsigned char *chars, const char *flags, size_t size)
>>   {
>>   	int copied = 0;
>> +	unsigned long irqflags;
>> +
>> +	spin_lock_irqsave(&tty->buf.lock, irqflags);
>>   	do {
>> -		int space = tty_buffer_request_room(tty, size - copied);
>> +		int space = locked_tty_buffer_request_room(tty, size - 
>> copied);
>>   		struct tty_buffer *tb = tty->buf.tail;
>>   		/* If there is no space then tb may be NULL */
>>   		if (unlikely(space == 0))
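Review bot: tty_insert_flip_string_flags() gets the same spin_lock_irqsave() around its loop, but unlike the tty_insert_flip_string() hunk this patch carries no change to its "Locking:" comment. If that kernel-doc still says that called functions may take tty->buf.lock, it should be updated to match the new behaviour.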
>> @@ -297,6 +313,7 @@ int tty_insert_flip_string_flags(struct tty_struct 
>> *tty,
>>   		/* There is a small chance that we need to split the data 
>> over
>>   		   several buffers. If this is the case we must loop */
>>   	} while (unlikely(size>  copied));
>> +	spin_unlock_irqrestore(&tty->buf.lock, irqflags);
>>   	return copied;
>>   }
>>   EXPORT_SYMBOL(tty_insert_flip_string_flags);
>>
>> 
> I can throw your patch in over here for the heck of it.
> If there's somebody who's really hitting this bug
> then the results would be better if this is the area that's causing
> this bug. (From here the only issue I'm seeing is spinning
> history commands in the terminal from time to time,
> nothing of any unusable keys like others are reporting.)

I tested it on top of 2.6.31.4 (after putting back 
e043e42bdb66885b3ac10d27a01ccb9972e2b0a3), and the keyboard is 
fine after almost 3h. Before that, the problems would appear in 
less than 1h. Maybe I spoke too soon, but...

Boyan, does it work for you?
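
The window Linus describes in the quoted message, replayed deterministically in user space (an added example, not code from this thread or from the kernel tree). The buffer model, the producers A and B and run_schedule() are constructed for illustration; in a schedule string, upper case is the room request and lower case is the copy.

```c
#include <stdio.h>
#include <string.h>

/* Simplified user-space model of one flip buffer (constructed for this
 * example; not the kernel's struct tty_buffer). */
struct model_buf {
	char   data[8];
	size_t used;              /* bytes committed so far */
};

/* One producer, split into the two steps discussed in the thread. */
struct producer {
	const char *src;
	size_t      len;
	size_t      space;        /* room granted by the request step */
	size_t      off;          /* write offset seen at request time */
};

/* Step 1, modelled on tty_buffer_request_room(): the check is consistent
 * on its own, but nothing keeps the answer valid once it returns. */
static void request_room(const struct model_buf *b, struct producer *p)
{
	size_t left = sizeof(b->data) - b->used;
	p->space = p->len < left ? p->len : left;
	p->off   = b->used;
}

/* Step 2: the memcpy() and the 'used' update, acting on step 1's answer. */
static void copy_in(struct model_buf *b, const struct producer *p)
{
	memcpy(b->data + p->off, p->src, p->space);
	b->used += p->space;
}

/* Replays a schedule for producers A ("ab") and B ("XY"): upper case runs
 * request_room, lower case runs copy_in. Returns the final 'used'. */
static size_t run_schedule(const char *sched, char out[8])
{
	struct model_buf b = { {0}, 0 };
	struct producer A = { "ab", 2, 0, 0 }, B = { "XY", 2, 0, 0 };

	for (; *sched; sched++) {
		struct producer *p = (*sched == 'A' || *sched == 'a') ? &A : &B;
		if (*sched == 'A' || *sched == 'B')
			request_room(&b, p);
		else
			copy_in(&b, p);
	}
	memcpy(out, b.data, sizeof(b.data));
	return b.used;
}

int main(void)
{
	char out[8];
	/* Lock held across both steps: each producer runs to completion. */
	printf("AaBb used=%zu data=%.4s\n", run_schedule("AaBb", out), out);
	/* Lock dropped between the steps: both producers write at offset 0. */
	printf("ABab used=%zu data=%.2s\n", run_schedule("ABab", out), out);
	return 0;
}
```

In the "ABab" schedule the buffer claims four valid bytes, but A's input has been overwritten and two of the counted bytes were never written, which is the kind of corruption that holding the lock across both steps rules out.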
