[thirdparty/kernel/stable-queue.git] / releases / 2.6.36.2 / tty-don-t-allow-reopen-when-ldisc-is-changing.patch

From e2efafbf139d2bfdfe96f2901f03189fecd172e4 Mon Sep 17 00:00:00 2001
From: Jiri Slaby <jslaby@suse.cz>
Date: Mon, 29 Nov 2010 10:16:53 +0100
Subject: TTY: don't allow reopen when ldisc is changing

From: Jiri Slaby <jslaby@suse.cz>

commit e2efafbf139d2bfdfe96f2901f03189fecd172e4 upstream.

There are many WARNINGs like the following reported nowadays:
WARNING: at drivers/tty/tty_io.c:1331 tty_open+0x2a2/0x49a()
Hardware name: Latitude E6500
Modules linked in:
Pid: 1207, comm: plymouthd Not tainted 2.6.37-rc3-mmotm1123 #3
Call Trace:
 [<ffffffff8103b189>] warn_slowpath_common+0x80/0x98
 [<ffffffff8103b1b6>] warn_slowpath_null+0x15/0x17
 [<ffffffff8128a3ab>] tty_open+0x2a2/0x49a
 [<ffffffff810fd53f>] chrdev_open+0x11d/0x146
...

This means tty_reopen is called without TTY_LDISC set. For further
considerations, note tty_lock is held in tty_open. TTY_LDISC is cleared in:
1) __tty_hangup from tty_ldisc_hangup to tty_ldisc_enable. During this
section tty_lock is held. However tty_lock is temporarily dropped in
the middle of the function by tty_ldisc_hangup.

2) tty_release via tty_ldisc_release till the end of tty existence. If
tty->count <= 1, tty_lock is taken, TTY_CLOSING bit set and then
tty_ldisc_release called. tty_reopen checks TTY_CLOSING before checking
TTY_LDISC.

3) tty_set_ldisc from tty_ldisc_halt to tty_ldisc_enable. We:
   * take tty_lock, set TTY_LDISC_CHANGING, put tty_lock
   * call tty_ldisc_halt (clear TTY_LDISC), tty_lock is _not_ held
   * do some other work
   * take tty_lock, call tty_ldisc_enable (set TTY_LDISC), put
     tty_lock

I cannot see how 2) can be a problem, as there I see no race. OTOH, 1)
and 3) can happen without problems. This patch the case 3) by checking
TTY_LDISC_CHANGING along with TTY_CLOSING in tty_reopen. 1) will be
fixed in the following patch.

Nicely reproducible with two processes:
while (1) {
	fd = open("/dev/ttyS1", O_RDWR);
	if (fd < 0) {
		warn("open");
		continue;
	}
	close(fd);
}
--------
while (1) {
        fd = open("/dev/ttyS1", O_RDWR);
        ld1 = 0; ld2 = 2;
        while (1) {
                ioctl(fd, TIOCSETD, &ld1);
                ioctl(fd, TIOCSETD, &ld2);
        }
        close(fd);
}

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Reported-by: <Valdis.Kletnieks@vt.edu>
Cc: Kyle McMartin <kyle@mcmartin.ca>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/char/tty_io.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/char/tty_io.c
+++ b/drivers/char/tty_io.c
@@ -1304,7 +1304,8 @@ static int tty_reopen(struct tty_struct
 {
 	struct tty_driver *driver = tty->driver;
 
-	if (test_bit(TTY_CLOSING, &tty->flags))
+	if (test_bit(TTY_CLOSING, &tty->flags) ||
+			test_bit(TTY_LDISC_CHANGING, &tty->flags))
 		return -EIO;
 
 	if (driver->type == TTY_DRIVER_TYPE_PTY &&
Commit	Line	Data
53c49429 GKH	1	From e2efafbf139d2bfdfe96f2901f03189fecd172e4 Mon Sep 17 00:00:00 2001
	2	From: Jiri Slaby <jslaby@suse.cz>
	3	Date: Mon, 29 Nov 2010 10:16:53 +0100
	4	Subject: TTY: don't allow reopen when ldisc is changing
	5
	6	From: Jiri Slaby <jslaby@suse.cz>
	7
	8	commit e2efafbf139d2bfdfe96f2901f03189fecd172e4 upstream.
	9
	10	There are many WARNINGs like the following reported nowadays:
	11	WARNING: at drivers/tty/tty_io.c:1331 tty_open+0x2a2/0x49a()
	12	Hardware name: Latitude E6500
	13	Modules linked in:
	14	Pid: 1207, comm: plymouthd Not tainted 2.6.37-rc3-mmotm1123 #3
	15	Call Trace:
	16	[<ffffffff8103b189>] warn_slowpath_common+0x80/0x98
	17	[<ffffffff8103b1b6>] warn_slowpath_null+0x15/0x17
	18	[<ffffffff8128a3ab>] tty_open+0x2a2/0x49a
	19	[<ffffffff810fd53f>] chrdev_open+0x11d/0x146
	20	...
	21
	22	This means tty_reopen is called without TTY_LDISC set. For further
	23	considerations, note tty_lock is held in tty_open. TTY_LDISC is cleared in:
	24	1) __tty_hangup from tty_ldisc_hangup to tty_ldisc_enable. During this
	25	section tty_lock is held. However tty_lock is temporarily dropped in
	26	the middle of the function by tty_ldisc_hangup.
	27
	28	2) tty_release via tty_ldisc_release till the end of tty existence. If
	29	tty->count <= 1, tty_lock is taken, TTY_CLOSING bit set and then
	30	tty_ldisc_release called. tty_reopen checks TTY_CLOSING before checking
	31	TTY_LDISC.
	32
	33	3) tty_set_ldisc from tty_ldisc_halt to tty_ldisc_enable. We:
	34	* take tty_lock, set TTY_LDISC_CHANGING, put tty_lock
	35	* call tty_ldisc_halt (clear TTY_LDISC), tty_lock is _not_ held
	36	* do some other work
	37	* take tty_lock, call tty_ldisc_enable (set TTY_LDISC), put
	38	tty_lock
	39
	40	I cannot see how 2) can be a problem, as there I see no race. OTOH, 1)
	41	and 3) can happen without problems. This patch the case 3) by checking
	42	TTY_LDISC_CHANGING along with TTY_CLOSING in tty_reopen. 1) will be
	43	fixed in the following patch.
	44
	45	Nicely reproducible with two processes:
	46	while (1) {
	47	fd = open("/dev/ttyS1", O_RDWR);
	48	if (fd < 0) {
	49	warn("open");
	50	continue;
	51	}
	52	close(fd);
	53	}
	54	--------
	55	while (1) {
	56	fd = open("/dev/ttyS1", O_RDWR);
	57	ld1 = 0; ld2 = 2;
	58	while (1) {
	59	ioctl(fd, TIOCSETD, &ld1);
	60	ioctl(fd, TIOCSETD, &ld2);
	61	}
	62	close(fd);
	63	}
	64
65	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
66	Reported-by: <Valdis.Kletnieks@vt.edu>
67	Cc: Kyle McMartin <kyle@mcmartin.ca>
68	Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
69	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
70
71	---
72	drivers/char/tty_io.c \| 3 ++-
73	1 file changed, 2 insertions(+), 1 deletion(-)
74
75	--- a/drivers/char/tty_io.c
76	+++ b/drivers/char/tty_io.c
77	@@ -1304,7 +1304,8 @@ static int tty_reopen(struct tty_struct
78	{
79	struct tty_driver *driver = tty->driver;
80
81	- if (test_bit(TTY_CLOSING, &tty->flags))
82	+ if (test_bit(TTY_CLOSING, &tty->flags) \|\|
83	+ test_bit(TTY_LDISC_CHANGING, &tty->flags))
84	return -EIO;
85
86	if (driver->type == TTY_DRIVER_TYPE_PTY &&