[PATCH 00/19] Fix driver crashes on hangup

[Peter Hurley <peter@hurleysoftware.com>]

Hi Greg,

This series fixes the underlying design problem that leads to driver crashes
during hangup (eg., Andi Kleen's report https://lkml.org/lkml/2015/11/9/786).

Quoting from patch 17/19:

    Currently, when the tty is hungup, the ldisc is re-instanced; ie., the
    current instance is destroyed and a new instance is created. The purpose
    of this design was to guarantee a valid, open ldisc for the lifetime of
    the tty.

    However, now that tty buffers are owned by and have lifetime equivalent
    to the tty_port (since v3.10), any data received immediately after the
    ldisc is re-instanced may cause continued driver i/o operations
    concurrently with the driver's hangup() operation. For drivers that
    shutdown h/w on hangup, this is unexpected and usually bad. For example,
    the serial core may free the xmit buffer page concurrently with an
    in-progress write() operation (triggered by echo).

    With the existing stable and robust ldisc reference handling, the
    cleaned-up tty_reopen(), the straggling unsafe ldisc use cleaned up, and
    the preparation to properly handle a NULL tty->ldisc, the ldisc instance
    can be destroyed and only re-instanced when the tty is re-opened.

With this patch series, the tty core now guarantees no further driver/ldisc
interactions after hangup.

Patch 1-4 remove direct tty->ldisc access outside the tty core.
Patch 5 removes the defunct chars_in_buffer() ldisc method (which has been
        deprecated since 3.12)
Patch 6 & 7 fix unsafe ldisc uses which coincidentally have been discovered
        to cause crashes (https://lkml.org/lkml/2015/11/26/173 and
	https://lkml.org/lkml/2015/11/26/253). These have been tagged for
	-stable.
Patch 8-16 are preparations; documenting existing functions and refactoring.
        Patch 12 adds handling for the possibility of NULL ldisc references
	after tty_ldisc_ref_wait(); that commit log details the logic of
	why/how that works.
Patch 17 implements the fix: the ldisc instance is killed and left dead.
        At tty_reopen() if the tty->ldisc is NULL, a new ldisc is instanced.
Patch 18-19 are minor add-ons.


REQUIRES: tty: Simplify tty_set_ldisc() exit handling
	  "tty core printk cleanup" 14-patch series

Regards,

Peter Hurley (19):
  staging: digi: Replace open-coded tty_wakeup()
  serial: 68328: Remove bogus ldisc reset
  bluetooth: hci_ldisc: Remove dead code
  NFC: nci: Remove dead code
  tty: Remove chars_in_buffer() line discipline method
  tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
  n_tty: Fix unsafe reference to "other" ldisc
  tty: Reset c_line from driver's init_termios
  staging/speakup: Use tty_ldisc_ref() for paste kworker
  tty: Fix comments for tty_ldisc_get()
  tty: Fix comments for tty_ldisc_release()
  tty: Prepare for destroying line discipline on hangup
  tty: Handle NULL tty->ldisc
  tty: Move tty_ldisc_kill()
  tty: Use 'disc' for line discipline index name
  tty: Refactor tty_ldisc_reinit() for reuse
  tty: Destroy ldisc instance on hangup
  tty: Document c_line == N_TTY initial condition
  tty: Touch up style issues in ldisc core

 Documentation/serial/tty.txt        |   3 -
 drivers/bluetooth/hci_ldisc.c       |   8 +-
 drivers/staging/dgap/dgap.c         |  28 ++----
 drivers/staging/dgnc/dgnc_tty.c     |  18 +---
 drivers/staging/speakup/selection.c |   4 +-
 drivers/tty/amiserial.c             |   6 +-
 drivers/tty/cyclades.c              |   8 +-
 drivers/tty/n_gsm.c                 |  16 ----
 drivers/tty/n_tty.c                 |  30 +------
 drivers/tty/rocket.c                |   6 +-
 drivers/tty/serial/68328serial.c    |  12 +--
 drivers/tty/serial/crisv10.c        |  12 ++-
 drivers/tty/tty_io.c                |  57 ++++++++++--
 drivers/tty/tty_ldisc.c             | 175 +++++++++++++++++++-----------------
 drivers/tty/vt/selection.c          |   2 +
 include/linux/tty.h                 |   5 +-
 include/linux/tty_ldisc.h           |   7 --
 net/nfc/nci/uart.c                  |   9 +-
 18 files changed, 176 insertions(+), 230 deletions(-)

-- 
2.6.3