From 8d2ead743dd54dff1fe3d0f4933e5da8bfe07472 Mon Sep 17 00:00:00 2001 From: Alan Cox Date: Tue, 16 Jun 2009 17:00:26 +0100 Subject: [PATCH 1/9] tty: Fix leaks introduced by the shift to separate ldisc objects Gold star for the kmemleak detector. Signed-off-by: Alan Cox Signed-off-by: Linus Torvalds --- drivers/char/tty_ldisc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/char/tty_ldisc.c b/drivers/char/tty_ldisc.c index 39c8f86dedd4..94b3e06d73ec 100644 --- a/drivers/char/tty_ldisc.c +++ b/drivers/char/tty_ldisc.c @@ -148,8 +148,10 @@ static struct tty_ldisc *tty_ldisc_try_get(int disc) } } spin_unlock_irqrestore(&tty_ldisc_lock, flags); - if (err) + if (err) { + kfree(ld); return ERR_PTR(err); + } return ld; } @@ -262,7 +264,7 @@ const struct file_operations tty_ldiscs_proc_fops = { * @ld: line discipline * * Install an instance of a line discipline into a tty structure. The - * ldisc must have a reference count above zero to ensure it remains/ + * ldisc must have a reference count above zero to ensure it remains. * The tty instance refcount starts at zero. * * Locking: From 52856ed732aeab5e8e0b7c9e2a7a3d31736218ab Mon Sep 17 00:00:00 2001 From: Alan Cox Date: Tue, 16 Jun 2009 17:00:40 +0100 Subject: [PATCH 2/9] ldisc: Make sure the ldisc isn't active when we close it Signed-off-by: Alan Cox Signed-off-by: Linus Torvalds --- drivers/char/tty_ldisc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/char/tty_ldisc.c b/drivers/char/tty_ldisc.c index 94b3e06d73ec..874c2486c034 100644 --- a/drivers/char/tty_ldisc.c +++ b/drivers/char/tty_ldisc.c @@ -793,6 +793,8 @@ void tty_ldisc_hangup(struct tty_struct *tty) /* Avoid racing set_ldisc */ mutex_lock(&tty->ldisc_mutex); /* Switch back to N_TTY */ + tty_ldisc_halt(tty); + tty_ldisc_wait_idle(tty); tty_ldisc_reinit(tty); /* At this point we have a closed ldisc and we want to reopen it. We could defer this to the next open but From 677ca3060c474d7d89941948e32493d9c18c52d2 Mon Sep 17 00:00:00 2001 From: Alan Cox Date: Tue, 16 Jun 2009 17:00:53 +0100 Subject: [PATCH 3/9] ldisc: debug aids Signed-off-by: Linus Torvalds --- drivers/char/tty_ldisc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/char/tty_ldisc.c b/drivers/char/tty_ldisc.c index 874c2486c034..a19e935847b0 100644 --- a/drivers/char/tty_ldisc.c +++ b/drivers/char/tty_ldisc.c @@ -207,6 +207,7 @@ static void tty_ldisc_put(struct tty_ldisc *ld) ldo->refcount--; module_put(ldo->owner); spin_unlock_irqrestore(&tty_ldisc_lock, flags); + WARN_ON(ld->refcount); kfree(ld); } From 5dca607bcf10d3f08d07ffeac664c6769c336145 Mon Sep 17 00:00:00 2001 From: Mike Frysinger Date: Tue, 16 Jun 2009 17:01:02 +0100 Subject: [PATCH 4/9] tty: fix unused warning when TCGETX is not defined MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If TCGETX is not defined, we end up with this warning: drivers/char/tty_ioctl.c: In function ‘tty_mode_ioctl’: drivers/char/tty_ioctl.c:950: warning: unused variable ‘ktermx’ Since the variable is only used in one case statement, push it down to the local case scope. Signed-off-by: Mike Frysinger Signed-off-by: Alan Cox Signed-off-by: Linus Torvalds --- drivers/char/tty_ioctl.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/char/tty_ioctl.c b/drivers/char/tty_ioctl.c index 8116bb1c8f80..b24f6c6a1ea3 100644 --- a/drivers/char/tty_ioctl.c +++ b/drivers/char/tty_ioctl.c @@ -947,7 +947,6 @@ int tty_mode_ioctl(struct tty_struct *tty, struct file *file, void __user *p = (void __user *)arg; int ret = 0; struct ktermios kterm; - struct termiox ktermx; if (tty->driver->type == TTY_DRIVER_TYPE_PTY && tty->driver->subtype == PTY_TYPE_MASTER) @@ -1049,7 +1048,8 @@ int tty_mode_ioctl(struct tty_struct *tty, struct file *file, return ret; #endif #ifdef TCGETX - case TCGETX: + case TCGETX: { + struct termiox ktermx; if (real_tty->termiox == NULL) return -EINVAL; mutex_lock(&real_tty->termios_mutex); @@ -1058,6 +1058,7 @@ int tty_mode_ioctl(struct tty_struct *tty, struct file *file, if (copy_to_user(p, &ktermx, sizeof(struct termiox))) ret = -EFAULT; return ret; + } case TCSETX: return set_termiox(real_tty, p, 0); case TCSETXW: From 762faaed91e4ea4a3c34bc58f3221d9487acb470 Mon Sep 17 00:00:00 2001 From: Alan Cox Date: Tue, 16 Jun 2009 17:01:13 +0100 Subject: [PATCH 5/9] pty: Narrow the race on ldisc locking The pty code has always been buggy on its ldisc handling. The recent changes made the window for the race much bigger. Pending fixing it properly which is not at all trivial, at least make the race small again so we don't disrupt other dev work. Signed-off-by: Alan Cox Signed-off-by: Linus Torvalds --- drivers/char/pty.c | 51 +++++++++++++++++++++++++++++++++++----------- 1 file changed, 39 insertions(+), 12 deletions(-) diff --git a/drivers/char/pty.c b/drivers/char/pty.c index 5acd29e6e043..daebe1ba43d4 100644 --- a/drivers/char/pty.c +++ b/drivers/char/pty.c @@ -95,23 +95,34 @@ static void pty_unthrottle(struct tty_struct *tty) * a count. * * FIXME: Our pty_write method is called with our ldisc lock held but - * not our partners. We can't just take the other one blindly without - * risking deadlocks. + * not our partners. We can't just wait on the other one blindly without + * risking deadlocks. At some point when everything has settled down we need + * to look into making pty_write at least able to sleep over an ldisc change. + * + * The return on no ldisc is a bit counter intuitive but the logic works + * like this. During an ldisc change the other end will flush its buffers. We + * thus return the full length which is identical to the case where we had + * proper locking and happened to queue the bytes just before the flush during + * the ldisc change. */ static int pty_write(struct tty_struct *tty, const unsigned char *buf, int count) { struct tty_struct *to = tty->link; - int c; + struct tty_ldisc *ld; + int c = count; if (!to || tty->stopped) return 0; + ld = tty_ldisc_ref(to); - c = to->receive_room; - if (c > count) - c = count; - to->ldisc->ops->receive_buf(to, buf, NULL, c); - + if (ld) { + c = to->receive_room; + if (c > count) + c = count; + ld->ops->receive_buf(to, buf, NULL, c); + tty_ldisc_deref(ld); + } return c; } @@ -145,14 +156,23 @@ static int pty_write_room(struct tty_struct *tty) static int pty_chars_in_buffer(struct tty_struct *tty) { struct tty_struct *to = tty->link; - int count; + struct tty_ldisc *ld; + int count = 0; /* We should get the line discipline lock for "tty->link" */ - if (!to || !to->ldisc->ops->chars_in_buffer) + if (!to) + return 0; + /* We cannot take a sleeping reference here without deadlocking with + an ldisc change - but it doesn't really matter */ + ld = tty_ldisc_ref(to); + if (ld == NULL) return 0; /* The ldisc must report 0 if no characters available to be read */ - count = to->ldisc->ops->chars_in_buffer(to); + if (ld->ops->chars_in_buffer) + count = ld->ops->chars_in_buffer(to); + + tty_ldisc_deref(ld); if (tty->driver->subtype == PTY_TYPE_SLAVE) return count; @@ -182,12 +202,19 @@ static void pty_flush_buffer(struct tty_struct *tty) { struct tty_struct *to = tty->link; unsigned long flags; + struct tty_ldisc *ld; if (!to) return; + ld = tty_ldisc_ref(to); - if (to->ldisc->ops->flush_buffer) + /* The other end is changing discipline */ + if (!ld) + return; + + if (ld->ops->flush_buffer) to->ldisc->ops->flush_buffer(to); + tty_ldisc_deref(ld); if (to->packet) { spin_lock_irqsave(&tty->ctrl_lock, flags); From 1aa4bed82a684308f54bf782cffaecd4b1dc3cf4 Mon Sep 17 00:00:00 2001 From: Alan Cox Date: Tue, 16 Jun 2009 17:01:33 +0100 Subject: [PATCH 6/9] tty: fix sanity check The WARN_ON() that was added to tty_reopen can be triggered in the specific case of a hangup occurring during a re-open of a tty which is not in the middle of being otherwise closed. In that case however the WARN() is bogus as we don't hold the neccessary locks to make a correct decision. The case we should be checking is "if the ldisc is not changing and reopen is occuring". We could drop the WARN_ON but for the moment the debug is more valuable even if it means taking a mutex as it will find any other cases. Signed-off-by: Alan Cox Signed-off-by: Linus Torvalds --- drivers/char/tty_io.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c index 939e198d7670..a3afa0c387cd 100644 --- a/drivers/char/tty_io.c +++ b/drivers/char/tty_io.c @@ -1263,7 +1263,9 @@ static int tty_reopen(struct tty_struct *tty) tty->count++; tty->driver = driver; /* N.B. why do this every time?? */ + mutex_lock(&tty->ldisc_mutex); WARN_ON(!test_bit(TTY_LDISC, &tty->flags)); + mutex_unlock(&tty->ldisc_mutex); return 0; } From dc9879291be479e096c5cfac33effc2ade74309b Mon Sep 17 00:00:00 2001 From: Joe Perches Date: Tue, 16 Jun 2009 17:01:52 +0100 Subject: [PATCH 7/9] MAINTAINERS: update 8250 section, give Alan Cox a name Signed-off-by: Joe Perches Signed-off-by: Andrew Morton Signed-off-by: Alan Cox Signed-off-by: Linus Torvalds --- MAINTAINERS | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index 2cb7566904b1..09f6b3e5708a 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -157,9 +157,10 @@ S: Maintained F: drivers/net/r8169.c 8250/16?50 (AND CLONE UARTS) SERIAL DRIVER +P: Alan Cox +M: alan@lxorguk.ukuu.org.uk L: linux-serial@vger.kernel.org W: http://serial.sourceforge.net -M: alan@lxorguk.ukuu.org.uk S: Odd Fixes F: drivers/serial/8250* F: include/linux/serial_8250.h From 0ccad87012c6c2e7446e4dc0f0894cf182a5270a Mon Sep 17 00:00:00 2001 From: Haavard Skinnemoen Date: Tue, 16 Jun 2009 17:02:03 +0100 Subject: [PATCH 8/9] atmel_serial: fix hang in set_termios when crtscts is enabled After enabling hardware flow control, any subsequent termios call may hang waiting for the transmitter to drain. This appears to be caused by a busy-loop in set_termios() waiting for the transmitter to become empty, which may take a very long time (or hang indefinitely) if the device at the other end is blocking us. A quick look through the tty and serial_core code indicates that any necessary flushing (which is optional) has already been done at this point, so there's no need for the driver to flush the transmitter on its own. Fix it by removing the busy-loop altogether. Tested-by: Eirik Aanonsen Signed-off-by: Haavard Skinnemoen Signed-off-by: Andrew Morton Signed-off-by: Alan Cox Signed-off-by: Linus Torvalds --- drivers/serial/atmel_serial.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/serial/atmel_serial.c b/drivers/serial/atmel_serial.c index b3497d7e5354..338b15c0a548 100644 --- a/drivers/serial/atmel_serial.c +++ b/drivers/serial/atmel_serial.c @@ -1104,11 +1104,13 @@ static void atmel_set_termios(struct uart_port *port, struct ktermios *termios, /* update the per-port timeout */ uart_update_timeout(port, termios->c_cflag, baud); - /* save/disable interrupts and drain transmitter */ + /* + * save/disable interrupts. The tty layer will ensure that the + * transmitter is empty if requested by the caller, so there's + * no need to wait for it here. + */ imr = UART_GET_IMR(port); UART_PUT_IDR(port, -1); - while (!(UART_GET_CSR(port) & ATMEL_US_TXEMPTY)) - cpu_relax(); /* disable receiver and transmitter */ UART_PUT_CR(port, ATMEL_US_TXDIS | ATMEL_US_RXDIS); From 1a2c4b3147ac0645605d6def2855478861d9361b Mon Sep 17 00:00:00 2001 From: Sascha Hauer Date: Tue, 16 Jun 2009 17:02:15 +0100 Subject: [PATCH 9/9] imx: Check for NULL pointer deref before calling tty_encode_baud_rate Signed-off-by: Sascha Hauer Signed-off-by: Alan Cox Signed-off-by: Linus Torvalds --- drivers/serial/imx.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/drivers/serial/imx.c b/drivers/serial/imx.c index 285b414f3054..5d7b58f1fe42 100644 --- a/drivers/serial/imx.c +++ b/drivers/serial/imx.c @@ -924,11 +924,13 @@ imx_set_termios(struct uart_port *port, struct ktermios *termios, rational_best_approximation(16 * div * baud, sport->port.uartclk, 1 << 16, 1 << 16, &num, &denom); - tdiv64 = sport->port.uartclk; - tdiv64 *= num; - do_div(tdiv64, denom * 16 * div); - tty_encode_baud_rate(sport->port.info->port.tty, - (speed_t)tdiv64, (speed_t)tdiv64); + if (port->info && port->info->port.tty) { + tdiv64 = sport->port.uartclk; + tdiv64 *= num; + do_div(tdiv64, denom * 16 * div); + tty_encode_baud_rate(sport->port.info->port.tty, + (speed_t)tdiv64, (speed_t)tdiv64); + } num -= 1; denom -= 1;