linux/drivers/char
Linus Torvalds 5c58ceff10 tty: make sure to flush any pending work when halting the ldisc
When I rewrote tty ldisc code to use proper reference counts (commits
65b770468e and cbe9352fa0) in order to avoid a race with hangup, the
test-program that Eric Biederman used to trigger the original problem
seems to have exposed another long-standing bug: the hangup code did the
'tty_ldisc_halt()' to stop any buffer flushing activity, but unlike the
other call sites it never actually flushed any pending work.

As a result, if you get just the right timing, the pending work may be
just about to execute (ie the timer has already triggered and thus
cancel_delayed_work() was a no-op), when we then re-initialize the ldisc
from under it.

That, in turn, results in various random problems, usually seen as a
NULL pointer dereference in run_timer_softirq() or a BUG() in
worker_thread (but it can be almost anything).

Fix it by adding the required 'flush_scheduled_work()' after doing the
tty_ldisc_halt() (this also requires us to move the ldisc halt to before
taking the ldisc mutex in order to avoid a deadlock with the workqueue
executing do_tty_hangup, which requires the mutex).

The locking should be cleaned up one day (the requirement to do this
outside the ldisc_mutex is very annoying, and weakens the lock), but
that's a larger and separate undertaking.

Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Tested-by: Xiaotian Feng <xtfeng@gmail.com>
Tested-by: Yanmin Zhang <yanmin_zhang@linux.intel.com>
Tested-by: Dave Young <hidave.darkstar@gmail.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-08-25 09:12:43 -07:00
..
agp parisc: parisc-agp.c - use correct page_mask function 2009-08-02 15:35:43 +02:00
hw_random Remove multiple KERN_ prefixes from printk formats 2009-07-08 10:30:03 -07:00
ip2 tty: rewrite the ldisc locking 2009-06-11 08:51:01 -07:00
ipmi ipmi: remove driver_data direct access of struct device 2009-06-15 21:30:27 -07:00
mwave
pcmcia tty: fix chars_in_buffers 2009-07-20 16:38:43 -07:00
rio headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
tpm headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
xilinx_hwicap
.gitignore
amiserial.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
apm-emulation.c
applicom.c applicom: Auto-load applicom module when device opened. 2009-04-06 14:36:30 -07:00
applicom.h
bfin_jtag_comm.c bfin_jtag_comm: clean up printk usage 2009-06-22 11:32:23 -07:00
bfin-otp.c
briq_panel.c
bsr.c powerpc/BSR: Fix BSR to allow mmap of small BSR on 64k kernel 2009-06-26 14:37:26 +10:00
cd1865.h
ChangeLog
consolemap.c
cp437.uni
cs5535_gpio.c
cyclades.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
defkeymap.c_shipped
defkeymap.map
digi1.h
digiFep1.h
digiPCI.h
ds1302.c
ds1620.c
dsp56k.c
dtlk.c dtlk: off by one in {read,write}_tts() 2009-06-19 16:46:06 -07:00
efirtc.c
epca.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
epca.h
epcaconfig.h
esp.c esp: fix section mismatch warning 2009-04-07 08:31:03 -07:00
generic_nvram.c
generic_serial.c
genrtc.c
hangcheck-timer.c
hpet.c irq: change ACPI GSI APIs to also take a device argument 2009-04-28 12:21:17 +02:00
hvc_beat.c
hvc_console.c tty: fix chars_in_buffers 2009-07-20 16:38:43 -07:00
hvc_console.h
hvc_irq.c hvc_console: Call free_irq() only if request_irq() was successful 2009-01-13 14:48:01 +11:00
hvc_iseries.c drivers/hvc: Add missing __devexit_p() 2009-06-16 14:15:44 +10:00
hvc_iucv.c [S390] pm: hvc_iucv power management callbacks 2009-06-16 10:31:19 +02:00
hvc_rtas.c
hvc_udbg.c
hvc_vio.c drivers/hvc: Add missing __devexit_p() 2009-06-16 14:15:44 +10:00
hvc_xen.c
hvcs.c Merge commit 'origin/master' into next 2009-06-18 11:16:55 +10:00
hvsi.c hvc_console: Remove tty->low_latency on pseries backends 2009-03-11 10:44:26 +11:00
i8k.c
isicom.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
istallion.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
Kconfig MIPS: Update VR41xx GPIO driver to use gpiolib 2009-07-03 15:45:25 +01:00
keyboard.c Input: keyboard - remove warning about raw mode not supported 2009-04-20 21:21:24 -07:00
lp.c
Makefile MIPS: Update VR41xx GPIO driver to use gpiolib 2009-07-03 15:45:25 +01:00
mbcs.c
mbcs.h
mem.c drivers/char/mem.c: memory_open() cleanup: lookup minor device number from devlist 2009-06-18 13:03:54 -07:00
misc.c Driver Core: misc: add nodename support for misc devices. 2009-06-15 21:30:25 -07:00
mmtimer.c
moxa.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
moxa.h
mspec.c
mxser.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
mxser.h
n_hdlc.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
n_r3964.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
n_tty.c pty: avoid forcing 'low_latency' tty flag 2009-07-29 12:15:56 -07:00
nozomi.c tty: fix chars_in_buffers 2009-07-20 16:38:43 -07:00
nsc_gpio.c
nvram.c
nwbutton.c
nwbutton.h
nwflash.c
pc8736x_gpio.c
ppdev.c ppdev: reduce kernel log spam 2009-06-18 13:03:54 -07:00
ps3flash.c ps3flash: Always read chunks of 256 KiB, and cache them 2009-06-15 16:47:27 +10:00
pty.c pty: fix data loss when stopped (^S/^Q) 2009-08-10 13:31:18 -07:00
random.c Avoid ICE in get_random_int() with gcc-3.4.5 2009-05-19 11:25:35 -07:00
raw.c Driver Core: raw: add nodename for raw devices 2009-06-15 21:30:26 -07:00
riscom8_reg.h
riscom8.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
riscom8.h
rocket_int.h
rocket.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
rocket.h
rtc.c
scc.h m68k: atari - Rename "mfp" to "st_mfp" 2009-02-22 09:23:02 -08:00
scx200_gpio.c
selection.c tty: rewrite the ldisc locking 2009-06-11 08:51:01 -07:00
ser_a2232.c m68k: ser_a2232 - Kill warn_unused_result warnings 2009-01-12 20:56:39 +01:00
ser_a2232.h
ser_a2232fw.ax
ser_a2232fw.h
serial167.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
snsc_event.c
snsc.c
snsc.h
sonypi.c Rationalize fasync return values 2009-03-16 08:34:35 -06:00
specialix_io8.h
specialix.c specialix.c: convert nested spin_lock_irqsave to spin_lock 2009-07-20 16:38:43 -07:00
stallion.c tty: Add carrier processing on close to the tty_port core 2009-06-11 08:50:56 -07:00
sx.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
sx.h
sxboards.h
sxwindow.h
synclink_gt.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
synclink.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
synclinkmp.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
sysrq.c sysrq, kdump: make sysrq-c consistent 2009-07-29 19:10:36 -07:00
tb0219.c Update Yoichi Yuasa's e-mail address 2009-07-03 15:45:29 +01:00
tlclk.c
toshiba.c
tty_audit.c tty: remove buffer special casing 2009-06-11 08:51:02 -07:00
tty_buffer.c pty: avoid forcing 'low_latency' tty flag 2009-07-29 12:15:56 -07:00
tty_io.c tty: fix sanity check 2009-06-16 12:01:16 -07:00
tty_ioctl.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
tty_ldisc.c tty: make sure to flush any pending work when halting the ldisc 2009-08-25 09:12:43 -07:00
tty_port.c tty_port: Fix return on interrupted use 2009-07-17 08:50:43 -07:00
vc_screen.c vc: create vcs(a) devices for consoles 2009-07-20 16:38:43 -07:00
viotape.c tape: beyond ARRAY_SIZE of viocd_diskinfo 2009-06-02 10:32:34 +10:00
virtio_console.c virtio: find_vqs/del_vqs virtio operations 2009-06-12 22:16:36 +09:30
vme_scc.c m68k: vme_scc - Kill warn_unused_result warnings 2009-01-12 20:56:38 +01:00
vt_ioctl.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
vt.c vt: drop bootmem/slab memory distinction 2009-07-16 09:19:16 -07:00