From: Anton Blanchard <anton@samba.org>
To: Amit Shah <amit.shah@redhat.com>
Cc: Sachin Sant <sachinp@in.ibm.com>, Benjamin Herrenschmidt <benh@kernel.crashing.org>, Greg Kroah-Hartman <gregkh@suse.de>, a.p.zijlstra@chello.nl, Rusty Russell <rusty@rustcorp.com.au>, linux-kernel@vger.kernel.org, linuxppc-dev@ozlabs.org, tglx@linutronix.de, Linus Torvalds <torvalds@linux-foundation.org>, mingo@elte.hu, Alan Cox <alan@lxorguk.ukuu.org.uk>
Subject: Re: [PATCH 4/7] hvc_console: Fix race between hvc_close and hvc_remove
Date: Tue, 6 Apr 2010 21:42:38 +1000
Message-ID: <20100406114238.GN5594@kryten>
In-Reply-To: <20100326124340.GB7039@amit-x200.redhat.com>

Hi,

> > Looking at the commit e74d098c66543d0731de62eb747ccd5b636a6f4c,
> > I see that for every tty_kref_get() there is a corresponding
> > tty_kref_put() except maybe for the one in the following patch snippet
> >
> > spin_lock_irqsave(&hp->lock, flags);
> > /* Check and then increment for fast path open. */
> > if (hp->count++ > 0) {
> > + tty_kref_get(tty);
> > spin_unlock_irqrestore(&hp->lock, flags);
> > hvc_kick();
> > return 0;
> >
> > I don't know this code very well but we might be missing a
> > corresponding tty_kref_put() some place ?
>
> See hvc_hangup:
>
>         temp_open_count = hp->count;
> ...
>         while(temp_open_count) {
>                 --temp_open_count;
>                 tty_kref_put(tty);
>                 kref_put(&hp->kref, destroy_hvc_struct);
>         }

I don't claim to understand the tty layer, but it seems like hvc_open and
hvc_close should be balanced in their kref reference counting.

Right now we get a kref every call to hvc_open:

        if (hp->count++ > 0) {
                tty_kref_get(tty); <----- here
                spin_unlock_irqrestore(&hp->lock, flags);
                hvc_kick();
                return 0;
        } /* else count == 0 */

        tty->driver_data = hp;

        hp->tty = tty_kref_get(tty); <------ or here if hp->count was 0

But hvc_close has:

        tty_kref_get(tty);

        if (--hp->count == 0) {
...
                /* Put the ref obtained in hvc_open() */
                tty_kref_put(tty);
...
        }

        tty_kref_put(tty);

Since the outside kref get/put balance we only do a single kref_put when
count reaches 0.

The patch below changes things to call tty_kref_put once for every
hvc_close call, and with that my machine boots fine.

Signed-off-by: Anton Blanchard <anton@samba.org>
---

diff --git a/drivers/char/hvc_console.c b/drivers/char/hvc_console.c index d3890e8..35cca4c 100644 --- a/drivers/char/hvc_console.c +++ b/drivers/char/hvc_console.c @@ -368,16 +368,12 @@ static void hvc_close(struct tty_struct *tty, struct file * filp) hp = tty->driver_data; spin_lock_irqsave(&hp->lock, flags); - tty_kref_get(tty); if (--hp->count == 0) { /* We are done with the tty pointer now. */ hp->tty = NULL; spin_unlock_irqrestore(&hp->lock, flags); - /* Put the ref obtained in hvc_open() */ - tty_kref_put(tty); - if (hp->ops->notifier_del) hp->ops->notifier_del(hp, hp->data);
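
Review bot: Dropping the "/* Put the ref obtained in hvc_open() */" comment together with its tty_kref_put(tty) in the --hp->count == 0 branch leaves nothing in hvc_close that says which put pairs with which get. Please add a short comment on the remaining tty_kref_put(tty) at the end of the function stating that it releases the reference taken by the matching hvc_open call, so the one-get-per-open, one-put-per-close rule described in the changelog is visible in the code. The changelog should also say how this interacts with the hvc_hangup loop quoted earlier in the message, which already calls tty_kref_put(tty) once per open count: confirm that an hvc_close arriving after a hangup cannot drop the same reference a second time, since an extra put on the tty would free it while still in use.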