* tty: fix a possible hang on tty device
@ 2022-05-24 2:21 cael
2022-05-24 9:11 ` Ilpo Järvinen
2022-06-01 9:38 ` Greg KH
0 siblings, 2 replies; 33+ messages in thread
From: cael @ 2022-05-24 2:21 UTC (permalink / raw)
To: gregkh, jirislaby; +Cc: linux-serial
We have met a hang on pty device, the reader was blocking at
epoll on master side, the writer was sleeping at wait_woken inside
n_tty_write on slave side ,and the write buffer on tty_port was full, we
found that the reader and writer would never be woken again and block
forever.
We thought the problem was caused as a race between reader and
kworker as follows:
n_tty_read(reader)| n_tty_receive_buf_common(kworker)
|room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
|room <= 0
copy_from_read_buf|
n_tty_kick_worker |
|ldata->no_room = true
After writing to slave device, writer wakes up kworker to flush
data on tty_port to reader, and the kworker finds that reader
has no room to store data so room <= 0 is met. At this moment,
reader consumes all the data on reader buffer and call
n_tty_kick_worker to check ldata->no_room and finds that there
is no need to call tty_buffer_restart_work to flush data to reader
and reader quits reading. Then kworker sets ldata->no_room=true
and quits too.
If write buffer is not full, writer will wake kworker to flush data
again after following writes, but if writer buffer is full and writer
goes to sleep, kworker will never be woken again and tty device is
blocked.
We think this problem can be solved with a check for read buffer
inside function n_tty_receive_buf_common, if read buffer is empty and
ldata->no_room is true, this means that kworker has more data to flush
to read buffer, so a call to n_tty_kick_worker is necessary.
Signed-off-by: cael <juanfengpy@gmail.com>
---
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index efc72104c840..36c7bc033c78 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -1663,6 +1663,9 @@ n_tty_receive_buf_common(struct tty_struct *tty,
const unsigned char *cp,
} else
n_tty_check_throttle(tty);
+ if (!chars_in_buffer(tty))
+ n_tty_kick_worker(tty);
+
up_read(&tty->termios_rwsem);
return rcvd;
--
2.27.0
^ permalink raw reply related [flat|nested] 33+ messages in thread
* Re: tty: fix a possible hang on tty device
2022-05-24 2:21 tty: fix a possible hang on tty device cael
@ 2022-05-24 9:11 ` Ilpo Järvinen
2022-05-24 11:09 ` cael
2022-06-01 9:38 ` Greg KH
1 sibling, 1 reply; 33+ messages in thread
From: Ilpo Järvinen @ 2022-05-24 9:11 UTC (permalink / raw)
To: cael; +Cc: Greg Kroah-Hartman, Jiri Slaby, linux-serial
On Tue, 24 May 2022, cael wrote:
> We have met a hang on pty device, the reader was blocking at
> epoll on master side, the writer was sleeping at wait_woken inside
> n_tty_write on slave side ,and the write buffer on tty_port was full, we
Space after comma. It would be also useful to tone down usage of "we" in
the changelog.
> found that the reader and writer would never be woken again and block
> forever.
>
> We thought the problem was caused as a race between reader and
> kworker as follows:
> n_tty_read(reader)| n_tty_receive_buf_common(kworker)
> |room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
> |room <= 0
> copy_from_read_buf|
> n_tty_kick_worker |
> |ldata->no_room = true
>
> After writing to slave device, writer wakes up kworker to flush
> data on tty_port to reader, and the kworker finds that reader
> has no room to store data so room <= 0 is met. At this moment,
> reader consumes all the data on reader buffer and call
> n_tty_kick_worker to check ldata->no_room and finds that there
> is no need to call tty_buffer_restart_work to flush data to reader
> and reader quits reading. Then kworker sets ldata->no_room=true
> and quits too.
>
> If write buffer is not full, writer will wake kworker to flush data
> again after following writes, but if writer buffer is full and writer
> goes to sleep, kworker will never be woken again and tty device is
> blocked.
>
> We think this problem can be solved with a check for read buffer
> inside function n_tty_receive_buf_common, if read buffer is empty and
> ldata->no_room is true, this means that kworker has more data to flush
> to read buffer, so a call to n_tty_kick_worker is necessary.
>
> Signed-off-by: cael <juanfengpy@gmail.com>
> ---
> diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
> index efc72104c840..36c7bc033c78 100644
> --- a/drivers/tty/n_tty.c
> +++ b/drivers/tty/n_tty.c
> @@ -1663,6 +1663,9 @@ n_tty_receive_buf_common(struct tty_struct *tty,
> const unsigned char *cp,
> } else
> n_tty_check_throttle(tty);
>
> + if (!chars_in_buffer(tty))
> + n_tty_kick_worker(tty);
> +
chars_in_buffer() accesses ldata->read_tail in producer context so this
probably just moves the race there?
--
i.
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: tty: fix a possible hang on tty device
2022-05-24 9:11 ` Ilpo Järvinen
@ 2022-05-24 11:09 ` cael
2022-05-24 11:40 ` Ilpo Järvinen
0 siblings, 1 reply; 33+ messages in thread
From: cael @ 2022-05-24 11:09 UTC (permalink / raw)
To: Ilpo Järvinen; +Cc: Greg Kroah-Hartman, Jiri Slaby, linux-serial
Thanks for the answer, yes, there exists a race between reader and kworker,
but it's OK. Before checking chars_in_buffer in kworker,
ldata->no_room is set true,
if reader changes ldata->read_tail in n_tty_read when kworker checks this value
which makes the check fail, then when reader reaches end of n_tty_read,
n_tty_kick_worker will also be called. Besides, kworker and reader may
call n_tty_kick_worker at the same time, this function only queues work
on workqueue, so it's harmless.
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> 于2022年5月24日周二 17:11写道:
>
> On Tue, 24 May 2022, cael wrote:
>
> > We have met a hang on pty device, the reader was blocking at
> > epoll on master side, the writer was sleeping at wait_woken inside
> > n_tty_write on slave side ,and the write buffer on tty_port was full, we
>
> Space after comma. It would be also useful to tone down usage of "we" in
> the changelog.
>
> > found that the reader and writer would never be woken again and block
> > forever.
> >
> > We thought the problem was caused as a race between reader and
> > kworker as follows:
> > n_tty_read(reader)| n_tty_receive_buf_common(kworker)
> > |room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
> > |room <= 0
> > copy_from_read_buf|
> > n_tty_kick_worker |
> > |ldata->no_room = true
> >
> > After writing to slave device, writer wakes up kworker to flush
> > data on tty_port to reader, and the kworker finds that reader
> > has no room to store data so room <= 0 is met. At this moment,
> > reader consumes all the data on reader buffer and call
> > n_tty_kick_worker to check ldata->no_room and finds that there
> > is no need to call tty_buffer_restart_work to flush data to reader
> > and reader quits reading. Then kworker sets ldata->no_room=true
> > and quits too.
> >
> > If write buffer is not full, writer will wake kworker to flush data
> > again after following writes, but if writer buffer is full and writer
> > goes to sleep, kworker will never be woken again and tty device is
> > blocked.
> >
> > We think this problem can be solved with a check for read buffer
> > inside function n_tty_receive_buf_common, if read buffer is empty and
> > ldata->no_room is true, this means that kworker has more data to flush
> > to read buffer, so a call to n_tty_kick_worker is necessary.
> >
> > Signed-off-by: cael <juanfengpy@gmail.com>
> > ---
> > diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
> > index efc72104c840..36c7bc033c78 100644
> > --- a/drivers/tty/n_tty.c
> > +++ b/drivers/tty/n_tty.c
> > @@ -1663,6 +1663,9 @@ n_tty_receive_buf_common(struct tty_struct *tty,
> > const unsigned char *cp,
> > } else
> > n_tty_check_throttle(tty);
> >
> > + if (!chars_in_buffer(tty))
> > + n_tty_kick_worker(tty);
> > +
>
> chars_in_buffer() accesses ldata->read_tail in producer context so this
> probably just moves the race there?
>
>
> --
> i.
>
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: tty: fix a possible hang on tty device
2022-05-24 11:09 ` cael
@ 2022-05-24 11:40 ` Ilpo Järvinen
2022-05-24 12:47 ` cael
0 siblings, 1 reply; 33+ messages in thread
From: Ilpo Järvinen @ 2022-05-24 11:40 UTC (permalink / raw)
To: cael; +Cc: Greg Kroah-Hartman, Jiri Slaby, linux-serial
[-- Attachment #1: Type: text/plain, Size: 3377 bytes --]
On Tue, 24 May 2022, cael wrote:
> Thanks for the answer, yes, there exists a race between reader and kworker,
> but it's OK. Before checking chars_in_buffer in kworker,
> ldata->no_room is set true,
Nothing seems to guarantee this.
> if reader changes ldata->read_tail in n_tty_read when kworker checks this value
> which makes the check fail, then when reader reaches end of n_tty_read,
> n_tty_kick_worker will also be called. Besides, kworker and reader may
> call n_tty_kick_worker at the same time, this function only queues work
> on workqueue, so it's harmless.
I'm not worried about the case where both cpus call n_tty_kick_worker but
the case where producer cpu sees chars_in_buffer() > 0 and consumer cpu
!no_room.
--
i.
> Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> 于2022年5月24日周二 17:11写道:
> >
> > On Tue, 24 May 2022, cael wrote:
> >
> > > We have met a hang on pty device, the reader was blocking at
> > > epoll on master side, the writer was sleeping at wait_woken inside
> > > n_tty_write on slave side ,and the write buffer on tty_port was full, we
> >
> > Space after comma. It would be also useful to tone down usage of "we" in
> > the changelog.
> >
> > > found that the reader and writer would never be woken again and block
> > > forever.
> > >
> > > We thought the problem was caused as a race between reader and
> > > kworker as follows:
> > > n_tty_read(reader)| n_tty_receive_buf_common(kworker)
> > > |room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
> > > |room <= 0
> > > copy_from_read_buf|
> > > n_tty_kick_worker |
> > > |ldata->no_room = true
> > >
> > > After writing to slave device, writer wakes up kworker to flush
> > > data on tty_port to reader, and the kworker finds that reader
> > > has no room to store data so room <= 0 is met. At this moment,
> > > reader consumes all the data on reader buffer and call
> > > n_tty_kick_worker to check ldata->no_room and finds that there
> > > is no need to call tty_buffer_restart_work to flush data to reader
> > > and reader quits reading. Then kworker sets ldata->no_room=true
> > > and quits too.
> > >
> > > If write buffer is not full, writer will wake kworker to flush data
> > > again after following writes, but if writer buffer is full and writer
> > > goes to sleep, kworker will never be woken again and tty device is
> > > blocked.
> > >
> > > We think this problem can be solved with a check for read buffer
> > > inside function n_tty_receive_buf_common, if read buffer is empty and
> > > ldata->no_room is true, this means that kworker has more data to flush
> > > to read buffer, so a call to n_tty_kick_worker is necessary.
> > >
> > > Signed-off-by: cael <juanfengpy@gmail.com>
> > > ---
> > > diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
> > > index efc72104c840..36c7bc033c78 100644
> > > --- a/drivers/tty/n_tty.c
> > > +++ b/drivers/tty/n_tty.c
> > > @@ -1663,6 +1663,9 @@ n_tty_receive_buf_common(struct tty_struct *tty,
> > > const unsigned char *cp,
> > > } else
> > > n_tty_check_throttle(tty);
> > >
> > > + if (!chars_in_buffer(tty))
> > > + n_tty_kick_worker(tty);
> > > +
> >
> > chars_in_buffer() accesses ldata->read_tail in producer context so this
> > probably just moves the race there?
> >
> >
> > --
> > i.
> >
>
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: tty: fix a possible hang on tty device
2022-05-24 11:40 ` Ilpo Järvinen
@ 2022-05-24 12:47 ` cael
2022-05-24 13:25 ` Ilpo Järvinen
0 siblings, 1 reply; 33+ messages in thread
From: cael @ 2022-05-24 12:47 UTC (permalink / raw)
To: Ilpo Järvinen; +Cc: Greg Kroah-Hartman, Jiri Slaby, linux-serial
if ldata->no_room is not true, that means kworker has flushed
at least n characters to break the while loop, so return value of
n_tty_receive_buf_common is not zero, flush_to_ldisc will
continue to call this function to flush data to reader if write buffer
is not empty.
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> 于2022年5月24日周二 19:40写道:
>
> On Tue, 24 May 2022, cael wrote:
>
> > Thanks for the answer, yes, there exists a race between reader and kworker,
> > but it's OK. Before checking chars_in_buffer in kworker,
> > ldata->no_room is set true,
>
> Nothing seems to guarantee this.
>
> > if reader changes ldata->read_tail in n_tty_read when kworker checks this value
> > which makes the check fail, then when reader reaches end of n_tty_read,
> > n_tty_kick_worker will also be called. Besides, kworker and reader may
> > call n_tty_kick_worker at the same time, this function only queues work
> > on workqueue, so it's harmless.
>
> I'm not worried about the case where both cpus call n_tty_kick_worker but
> the case where producer cpu sees chars_in_buffer() > 0 and consumer cpu
> !no_room.
>
> --
> i.
>
> > Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> 于2022年5月24日周二 17:11写道:
> > >
> > > On Tue, 24 May 2022, cael wrote:
> > >
> > > > We have met a hang on pty device, the reader was blocking at
> > > > epoll on master side, the writer was sleeping at wait_woken inside
> > > > n_tty_write on slave side ,and the write buffer on tty_port was full, we
> > >
> > > Space after comma. It would be also useful to tone down usage of "we" in
> > > the changelog.
> > >
> > > > found that the reader and writer would never be woken again and block
> > > > forever.
> > > >
> > > > We thought the problem was caused as a race between reader and
> > > > kworker as follows:
> > > > n_tty_read(reader)| n_tty_receive_buf_common(kworker)
> > > > |room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
> > > > |room <= 0
> > > > copy_from_read_buf|
> > > > n_tty_kick_worker |
> > > > |ldata->no_room = true
> > > >
> > > > After writing to slave device, writer wakes up kworker to flush
> > > > data on tty_port to reader, and the kworker finds that reader
> > > > has no room to store data so room <= 0 is met. At this moment,
> > > > reader consumes all the data on reader buffer and call
> > > > n_tty_kick_worker to check ldata->no_room and finds that there
> > > > is no need to call tty_buffer_restart_work to flush data to reader
> > > > and reader quits reading. Then kworker sets ldata->no_room=true
> > > > and quits too.
> > > >
> > > > If write buffer is not full, writer will wake kworker to flush data
> > > > again after following writes, but if writer buffer is full and writer
> > > > goes to sleep, kworker will never be woken again and tty device is
> > > > blocked.
> > > >
> > > > We think this problem can be solved with a check for read buffer
> > > > inside function n_tty_receive_buf_common, if read buffer is empty and
> > > > ldata->no_room is true, this means that kworker has more data to flush
> > > > to read buffer, so a call to n_tty_kick_worker is necessary.
> > > >
> > > > Signed-off-by: cael <juanfengpy@gmail.com>
> > > > ---
> > > > diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
> > > > index efc72104c840..36c7bc033c78 100644
> > > > --- a/drivers/tty/n_tty.c
> > > > +++ b/drivers/tty/n_tty.c
> > > > @@ -1663,6 +1663,9 @@ n_tty_receive_buf_common(struct tty_struct *tty,
> > > > const unsigned char *cp,
> > > > } else
> > > > n_tty_check_throttle(tty);
> > > >
> > > > + if (!chars_in_buffer(tty))
> > > > + n_tty_kick_worker(tty);
> > > > +
> > >
> > > chars_in_buffer() accesses ldata->read_tail in producer context so this
> > > probably just moves the race there?
> > >
> > >
> > > --
> > > i.
> > >
> >
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: tty: fix a possible hang on tty device
2022-05-24 12:47 ` cael
@ 2022-05-24 13:25 ` Ilpo Järvinen
2022-05-25 10:36 ` cael
0 siblings, 1 reply; 33+ messages in thread
From: Ilpo Järvinen @ 2022-05-24 13:25 UTC (permalink / raw)
To: cael; +Cc: Greg Kroah-Hartman, Jiri Slaby, linux-serial
[-- Attachment #1: Type: text/plain, Size: 4239 bytes --]
On Tue, 24 May 2022, cael wrote:
> if ldata->no_room is not true, that means kworker has flushed
> at least n characters to break the while loop, so return value of
> n_tty_receive_buf_common is not zero, flush_to_ldisc will
> continue to call this function to flush data to reader if write buffer
> is not empty.
Now you switched to an entirely different case, not the one we were
talking about. ...There is no ldisc->no_room = true race in the case
you now described.
--
i.
> Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> 于2022年5月24日周二 19:40写道:
> >
> > On Tue, 24 May 2022, cael wrote:
> >
> > > Thanks for the answer, yes, there exists a race between reader and kworker,
> > > but it's OK. Before checking chars_in_buffer in kworker,
> > > ldata->no_room is set true,
> >
> > Nothing seems to guarantee this.
> >
> > > if reader changes ldata->read_tail in n_tty_read when kworker checks this value
> > > which makes the check fail, then when reader reaches end of n_tty_read,
> > > n_tty_kick_worker will also be called. Besides, kworker and reader may
> > > call n_tty_kick_worker at the same time, this function only queues work
> > > on workqueue, so it's harmless.
> >
> > I'm not worried about the case where both cpus call n_tty_kick_worker but
> > the case where producer cpu sees chars_in_buffer() > 0 and consumer cpu
> > !no_room.
> >
> > --
> > i.
> >
> > > Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> 于2022年5月24日周二 17:11写道:
> > > >
> > > > On Tue, 24 May 2022, cael wrote:
> > > >
> > > > > We have met a hang on pty device, the reader was blocking at
> > > > > epoll on master side, the writer was sleeping at wait_woken inside
> > > > > n_tty_write on slave side ,and the write buffer on tty_port was full, we
> > > >
> > > > Space after comma. It would be also useful to tone down usage of "we" in
> > > > the changelog.
> > > >
> > > > > found that the reader and writer would never be woken again and block
> > > > > forever.
> > > > >
> > > > > We thought the problem was caused as a race between reader and
> > > > > kworker as follows:
> > > > > n_tty_read(reader)| n_tty_receive_buf_common(kworker)
> > > > > |room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
> > > > > |room <= 0
> > > > > copy_from_read_buf|
> > > > > n_tty_kick_worker |
> > > > > |ldata->no_room = true
> > > > >
> > > > > After writing to slave device, writer wakes up kworker to flush
> > > > > data on tty_port to reader, and the kworker finds that reader
> > > > > has no room to store data so room <= 0 is met. At this moment,
> > > > > reader consumes all the data on reader buffer and call
> > > > > n_tty_kick_worker to check ldata->no_room and finds that there
> > > > > is no need to call tty_buffer_restart_work to flush data to reader
> > > > > and reader quits reading. Then kworker sets ldata->no_room=true
> > > > > and quits too.
> > > > >
> > > > > If write buffer is not full, writer will wake kworker to flush data
> > > > > again after following writes, but if writer buffer is full and writer
> > > > > goes to sleep, kworker will never be woken again and tty device is
> > > > > blocked.
> > > > >
> > > > > We think this problem can be solved with a check for read buffer
> > > > > inside function n_tty_receive_buf_common, if read buffer is empty and
> > > > > ldata->no_room is true, this means that kworker has more data to flush
> > > > > to read buffer, so a call to n_tty_kick_worker is necessary.
> > > > >
> > > > > Signed-off-by: cael <juanfengpy@gmail.com>
> > > > > ---
> > > > > diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
> > > > > index efc72104c840..36c7bc033c78 100644
> > > > > --- a/drivers/tty/n_tty.c
> > > > > +++ b/drivers/tty/n_tty.c
> > > > > @@ -1663,6 +1663,9 @@ n_tty_receive_buf_common(struct tty_struct *tty,
> > > > > const unsigned char *cp,
> > > > > } else
> > > > > n_tty_check_throttle(tty);
> > > > >
> > > > > + if (!chars_in_buffer(tty))
> > > > > + n_tty_kick_worker(tty);
> > > > > +
> > > >
> > > > chars_in_buffer() accesses ldata->read_tail in producer context so this
> > > > probably just moves the race there?
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: tty: fix a possible hang on tty device
2022-05-24 13:25 ` Ilpo Järvinen
@ 2022-05-25 10:36 ` cael
2022-05-25 11:21 ` Ilpo Järvinen
0 siblings, 1 reply; 33+ messages in thread
From: cael @ 2022-05-25 10:36 UTC (permalink / raw)
To: Ilpo Järvinen; +Cc: Greg Kroah-Hartman, Jiri Slaby, linux-serial
>Now you switched to an entirely different case, not the one we were
>talking about. ...There is no ldisc->no_room = true race in the case
>you now described.
So, I think we should back to the case ldata->no_room=true as
ldata->no_room=false seems harmless.
>I'm not worried about the case where both cpus call n_tty_kick_worker but
>the case where producer cpu sees chars_in_buffer() > 0 and consumer cpu
>!no_room.
As ldata->no_room=true is set before checking chars_in_buffer(), if producer
finds chars_in_buffer() > 0, then if reader is currently in n_tty_read,
when reader quits n_tty_read, n_tty_kick_worker will be called. If reader
has already exited n_tty_read, which means that reader still has data to read,
next time reader will call n_tty_kick_worker inside n_tty_read too.
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> 于2022年5月24日周二 21:25写道:
>
> On Tue, 24 May 2022, cael wrote:
>
> > if ldata->no_room is not true, that means kworker has flushed
> > at least n characters to break the while loop, so return value of
> > n_tty_receive_buf_common is not zero, flush_to_ldisc will
> > continue to call this function to flush data to reader if write buffer
> > is not empty.
>
> Now you switched to an entirely different case, not the one we were
> talking about. ...There is no ldisc->no_room = true race in the case
> you now described.
>
> --
> i.
>
> > Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> 于2022年5月24日周二 19:40写道:
> > >
> > > On Tue, 24 May 2022, cael wrote:
> > >
> > > > Thanks for the answer, yes, there exists a race between reader and kworker,
> > > > but it's OK. Before checking chars_in_buffer in kworker,
> > > > ldata->no_room is set true,
> > >
> > > Nothing seems to guarantee this.
> > >
> > > > if reader changes ldata->read_tail in n_tty_read when kworker checks this value
> > > > which makes the check fail, then when reader reaches end of n_tty_read,
> > > > n_tty_kick_worker will also be called. Besides, kworker and reader may
> > > > call n_tty_kick_worker at the same time, this function only queues work
> > > > on workqueue, so it's harmless.
> > >
> > > I'm not worried about the case where both cpus call n_tty_kick_worker but
> > > the case where producer cpu sees chars_in_buffer() > 0 and consumer cpu
> > > !no_room.
> > >
> > > --
> > > i.
> > >
> > > > Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> 于2022年5月24日周二 17:11写道:
> > > > >
> > > > > On Tue, 24 May 2022, cael wrote:
> > > > >
> > > > > > We have met a hang on pty device, the reader was blocking at
> > > > > > epoll on master side, the writer was sleeping at wait_woken inside
> > > > > > n_tty_write on slave side ,and the write buffer on tty_port was full, we
> > > > >
> > > > > Space after comma. It would be also useful to tone down usage of "we" in
> > > > > the changelog.
> > > > >
> > > > > > found that the reader and writer would never be woken again and block
> > > > > > forever.
> > > > > >
> > > > > > We thought the problem was caused as a race between reader and
> > > > > > kworker as follows:
> > > > > > n_tty_read(reader)| n_tty_receive_buf_common(kworker)
> > > > > > |room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
> > > > > > |room <= 0
> > > > > > copy_from_read_buf|
> > > > > > n_tty_kick_worker |
> > > > > > |ldata->no_room = true
> > > > > >
> > > > > > After writing to slave device, writer wakes up kworker to flush
> > > > > > data on tty_port to reader, and the kworker finds that reader
> > > > > > has no room to store data so room <= 0 is met. At this moment,
> > > > > > reader consumes all the data on reader buffer and call
> > > > > > n_tty_kick_worker to check ldata->no_room and finds that there
> > > > > > is no need to call tty_buffer_restart_work to flush data to reader
> > > > > > and reader quits reading. Then kworker sets ldata->no_room=true
> > > > > > and quits too.
> > > > > >
> > > > > > If write buffer is not full, writer will wake kworker to flush data
> > > > > > again after following writes, but if writer buffer is full and writer
> > > > > > goes to sleep, kworker will never be woken again and tty device is
> > > > > > blocked.
> > > > > >
> > > > > > We think this problem can be solved with a check for read buffer
> > > > > > inside function n_tty_receive_buf_common, if read buffer is empty and
> > > > > > ldata->no_room is true, this means that kworker has more data to flush
> > > > > > to read buffer, so a call to n_tty_kick_worker is necessary.
> > > > > >
> > > > > > Signed-off-by: cael <juanfengpy@gmail.com>
> > > > > > ---
> > > > > > diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
> > > > > > index efc72104c840..36c7bc033c78 100644
> > > > > > --- a/drivers/tty/n_tty.c
> > > > > > +++ b/drivers/tty/n_tty.c
> > > > > > @@ -1663,6 +1663,9 @@ n_tty_receive_buf_common(struct tty_struct *tty,
> > > > > > const unsigned char *cp,
> > > > > > } else
> > > > > > n_tty_check_throttle(tty);
> > > > > >
> > > > > > + if (!chars_in_buffer(tty))
> > > > > > + n_tty_kick_worker(tty);
> > > > > > +
> > > > >
> > > > > chars_in_buffer() accesses ldata->read_tail in producer context so this
> > > > > probably just moves the race there?
>
>
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: tty: fix a possible hang on tty device
2022-05-25 10:36 ` cael
@ 2022-05-25 11:21 ` Ilpo Järvinen
2022-05-30 13:13 ` cael
0 siblings, 1 reply; 33+ messages in thread
From: Ilpo Järvinen @ 2022-05-25 11:21 UTC (permalink / raw)
To: cael; +Cc: Greg Kroah-Hartman, Jiri Slaby, linux-serial
On Wed, 25 May 2022, cael wrote:
> >Now you switched to an entirely different case, not the one we were
> >talking about. ...There is no ldisc->no_room = true race in the case
> >you now described.
> So, I think we should back to the case ldata->no_room=true as
> ldata->no_room=false seems harmless.
>
> >I'm not worried about the case where both cpus call n_tty_kick_worker but
> >the case where producer cpu sees chars_in_buffer() > 0 and consumer cpu
> >!no_room.
>
> As ldata->no_room=true is set before checking chars_in_buffer()
Please take a brief look at Documentation/memory-barriers.txt and then
tell me if you still find this claim to be true.
> if producer
> finds chars_in_buffer() > 0, then if reader is currently in n_tty_read,
...Then please do a similar analysis for ldata->read_tail. What guarantees
its update is seen by the producer cpu when the reader is already past the
point you think it still must be in?
> when reader quits n_tty_read, n_tty_kick_worker will be called. If reader
> has already exited n_tty_read, which means that reader still has data to read,
> next time reader will call n_tty_kick_worker inside n_tty_read too.
C-level analysis alone is not going to be very useful here given you're
dealing with a concurrency challenge here.
--
i.
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: tty: fix a possible hang on tty device
2022-05-25 11:21 ` Ilpo Järvinen
@ 2022-05-30 13:13 ` cael
2022-05-31 12:37 ` Ilpo Järvinen
0 siblings, 1 reply; 33+ messages in thread
From: cael @ 2022-05-30 13:13 UTC (permalink / raw)
To: Ilpo Järvinen; +Cc: Greg Kroah-Hartman, Jiri Slaby, linux-serial
Thanks, You are right, barrier is needed here. I changed the patch as follows:
1) WRITE_ONCE and READ_ONCE is used to access ldata->no_room since
n_tty_kick_worker would be called in kworker and reader cpu;
2) smp_mb added in chars_in_buffer as this function will be called in
reader and kworker, accessing commit_head and read_tail; and to make
sure that read_tail is not read before setting no_room in
n_tty_receive_buf_common;
3) smp_mb added in n_tty_read to make sure that no_room is not read
before setting read_tail.
---
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index efc72104c840..3327687da0d3 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -201,8 +201,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
struct n_tty_data *ldata = tty->disc_data;
/* Did the input worker stop? Restart it */
- if (unlikely(ldata->no_room)) {
- ldata->no_room = 0;
+ if (unlikely(READ_ONCE(ldata->no_room))) {
+ WRITE_ONCE(ldata->no_room, 0);
WARN_RATELIMIT(tty->port->itty == NULL,
"scheduling with invalid itty\n");
@@ -221,6 +221,7 @@ static ssize_t chars_in_buffer(struct tty_struct *tty)
struct n_tty_data *ldata = tty->disc_data;
ssize_t n = 0;
+ smp_mb();
if (!ldata->icanon)
n = ldata->commit_head - ldata->read_tail;
else
@@ -1632,7 +1633,7 @@ n_tty_receive_buf_common(struct tty_struct *tty,
const unsigned char *cp,
if (overflow && room < 0)
ldata->read_head--;
room = overflow;
- ldata->no_room = flow && !room;
+ WRITE_ONCE(ldata->no_room, flow && !room);
} else
overflow = 0;
@@ -1663,6 +1664,9 @@ n_tty_receive_buf_common(struct tty_struct *tty,
const unsigned char *cp,
} else
n_tty_check_throttle(tty);
+ if (!chars_in_buffer(tty))
+ n_tty_kick_worker(tty);
+
up_read(&tty->termios_rwsem);
return rcvd;
@@ -2180,8 +2184,10 @@ static ssize_t n_tty_read(struct tty_struct
*tty, struct file *file,
if (time)
timeout = time;
}
- if (tail != ldata->read_tail)
+ if (tail != ldata->read_tail) {
+ smp_mb();
n_tty_kick_worker(tty);
+ }
up_read(&tty->termios_rwsem);
remove_wait_queue(&tty->read_wait, &wait);
--
2.27.0
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> 于2022年5月25日周三 19:21写道:
>
> On Wed, 25 May 2022, cael wrote:
>
> > >Now you switched to an entirely different case, not the one we were
> > >talking about. ...There is no ldisc->no_room = true race in the case
> > >you now described.
> > So, I think we should back to the case ldata->no_room=true as
> > ldata->no_room=false seems harmless.
> >
> > >I'm not worried about the case where both cpus call n_tty_kick_worker but
> > >the case where producer cpu sees chars_in_buffer() > 0 and consumer cpu
> > >!no_room.
> >
> > As ldata->no_room=true is set before checking chars_in_buffer()
>
> Please take a brief look at Documentation/memory-barriers.txt and then
> tell me if you still find this claim to be true.
>
> > if producer
> > finds chars_in_buffer() > 0, then if reader is currently in n_tty_read,
>
> ...Then please do a similar analysis for ldata->read_tail. What guarantees
> its update is seen by the producer cpu when the reader is already past the
> point you think it still must be in?
>
> > when reader quits n_tty_read, n_tty_kick_worker will be called. If reader
> > has already exited n_tty_read, which means that reader still has data to read,
> > next time reader will call n_tty_kick_worker inside n_tty_read too.
>
> C-level analysis alone is not going to be very useful here given you're
> dealing with a concurrency challenge here.
>
>
> --
> i.
>
>
^ permalink raw reply related [flat|nested] 33+ messages in thread
* Re: tty: fix a possible hang on tty device
2022-05-30 13:13 ` cael
@ 2022-05-31 12:37 ` Ilpo Järvinen
0 siblings, 0 replies; 33+ messages in thread
From: Ilpo Järvinen @ 2022-05-31 12:37 UTC (permalink / raw)
To: cael; +Cc: Greg Kroah-Hartman, Jiri Slaby, linux-serial
[-- Attachment #1: Type: text/plain, Size: 4823 bytes --]
On Mon, 30 May 2022, cael wrote:
> Thanks, You are right, barrier is needed here. I changed the patch as follows:
> 1) WRITE_ONCE and READ_ONCE is used to access ldata->no_room since
> n_tty_kick_worker would be called in kworker and reader cpu;
> 2) smp_mb added in chars_in_buffer as this function will be called in
> reader and kworker, accessing commit_head and read_tail; and to make
> sure that read_tail is not read before setting no_room in
> n_tty_receive_buf_common;
> 3) smp_mb added in n_tty_read to make sure that no_room is not read
> before setting read_tail.
Please include proper changelog to all revised patch submissions, not
just list of changes you've made (and properly version the submissions
with [PATCH v2] etc. in the subject).
> ---
> diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
> index efc72104c840..3327687da0d3 100644
> --- a/drivers/tty/n_tty.c
> +++ b/drivers/tty/n_tty.c
> @@ -201,8 +201,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
> struct n_tty_data *ldata = tty->disc_data;
>
> /* Did the input worker stop? Restart it */
> - if (unlikely(ldata->no_room)) {
> - ldata->no_room = 0;
> + if (unlikely(READ_ONCE(ldata->no_room))) {
> + WRITE_ONCE(ldata->no_room, 0);
> WARN_RATELIMIT(tty->port->itty == NULL,
> "scheduling with invalid itty\n");
> @@ -221,6 +221,7 @@ static ssize_t chars_in_buffer(struct tty_struct *tty)
> struct n_tty_data *ldata = tty->disc_data;
> ssize_t n = 0;
>
> + smp_mb();
You should add the reason in comment for any barriers you add.
> if (!ldata->icanon)
> n = ldata->commit_head - ldata->read_tail;
> else
> @@ -1632,7 +1633,7 @@ n_tty_receive_buf_common(struct tty_struct *tty,
> const unsigned char *cp,
> if (overflow && room < 0)
> ldata->read_head--;
> room = overflow;
> - ldata->no_room = flow && !room;
> + WRITE_ONCE(ldata->no_room, flow && !room);
> } else
> overflow = 0;
>
> @@ -1663,6 +1664,9 @@ n_tty_receive_buf_common(struct tty_struct *tty,
> const unsigned char *cp,
> } else
> n_tty_check_throttle(tty);
>
> + if (!chars_in_buffer(tty))
> + n_tty_kick_worker(tty);
> +
Instead of having the barrier in chars_in_buffer() perhaps it would be
more obvious what's going on here and also scope down to the cases where
the barrier might be needed in the first place if you'd do:
if (ldata->no_room) {
/* ... */
smp_mb();
if (!chars_in_buffer(tty))
n_tty_kick_worker(tty);
}
--
i.
> up_read(&tty->termios_rwsem);
>
> return rcvd;
> @@ -2180,8 +2184,10 @@ static ssize_t n_tty_read(struct tty_struct
> *tty, struct file *file,
> if (time)
> timeout = time;
> }
> - if (tail != ldata->read_tail)
> + if (tail != ldata->read_tail) {
> + smp_mb();
> n_tty_kick_worker(tty);
> + }
> up_read(&tty->termios_rwsem);
>
> remove_wait_queue(&tty->read_wait, &wait);
> --
> 2.27.0
>
> Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> 于2022年5月25日周三 19:21写道:
> >
> > On Wed, 25 May 2022, cael wrote:
> >
> > > >Now you switched to an entirely different case, not the one we were
> > > >talking about. ...There is no ldisc->no_room = true race in the case
> > > >you now described.
> > > So, I think we should back to the case ldata->no_room=true as
> > > ldata->no_room=false seems harmless.
> > >
> > > >I'm not worried about the case where both cpus call n_tty_kick_worker but
> > > >the case where producer cpu sees chars_in_buffer() > 0 and consumer cpu
> > > >!no_room.
> > >
> > > As ldata->no_room=true is set before checking chars_in_buffer()
> >
> > Please take a brief look at Documentation/memory-barriers.txt and then
> > tell me if you still find this claim to be true.
> >
> > > if producer
> > > finds chars_in_buffer() > 0, then if reader is currently in n_tty_read,
> >
> > ...Then please do a similar analysis for ldata->read_tail. What guarantees
> > its update is seen by the producer cpu when the reader is already past the
> > point you think it still must be in?
> >
> > > when reader quits n_tty_read, n_tty_kick_worker will be called. If reader
> > > has already exited n_tty_read, which means that reader still has data to read,
> > > next time reader will call n_tty_kick_worker inside n_tty_read too.
> >
> > C-level analysis alone is not going to be very useful here given you're
> > dealing with a concurrency challenge here.
> >
> >
> > --
> > i.
> >
> >
>
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: tty: fix a possible hang on tty device
2022-05-24 2:21 tty: fix a possible hang on tty device cael
2022-05-24 9:11 ` Ilpo Järvinen
@ 2022-06-01 9:38 ` Greg KH
2022-06-01 13:39 ` cael
1 sibling, 1 reply; 33+ messages in thread
From: Greg KH @ 2022-06-01 9:38 UTC (permalink / raw)
To: cael; +Cc: jirislaby, linux-serial
On Tue, May 24, 2022 at 10:21:04AM +0800, cael wrote:
> We have met a hang on pty device, the reader was blocking at
> epoll on master side, the writer was sleeping at wait_woken inside
> n_tty_write on slave side ,and the write buffer on tty_port was full, we
> found that the reader and writer would never be woken again and block
> forever.
>
> We thought the problem was caused as a race between reader and
> kworker as follows:
> n_tty_read(reader)| n_tty_receive_buf_common(kworker)
> |room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
> |room <= 0
> copy_from_read_buf|
> n_tty_kick_worker |
> |ldata->no_room = true
>
> After writing to slave device, writer wakes up kworker to flush
> data on tty_port to reader, and the kworker finds that reader
> has no room to store data so room <= 0 is met. At this moment,
> reader consumes all the data on reader buffer and call
> n_tty_kick_worker to check ldata->no_room and finds that there
> is no need to call tty_buffer_restart_work to flush data to reader
> and reader quits reading. Then kworker sets ldata->no_room=true
> and quits too.
>
> If write buffer is not full, writer will wake kworker to flush data
> again after following writes, but if writer buffer is full and writer
> goes to sleep, kworker will never be woken again and tty device is
> blocked.
>
> We think this problem can be solved with a check for read buffer
> inside function n_tty_receive_buf_common, if read buffer is empty and
> ldata->no_room is true, this means that kworker has more data to flush
> to read buffer, so a call to n_tty_kick_worker is necessary.
>
> Signed-off-by: cael <juanfengpy@gmail.com>
> ---
> diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
> index efc72104c840..36c7bc033c78 100644
> --- a/drivers/tty/n_tty.c
> +++ b/drivers/tty/n_tty.c
> @@ -1663,6 +1663,9 @@ n_tty_receive_buf_common(struct tty_struct *tty,
> const unsigned char *cp,
> } else
> n_tty_check_throttle(tty);
>
> + if (!chars_in_buffer(tty))
> + n_tty_kick_worker(tty);
> +
> up_read(&tty->termios_rwsem);
>
> return rcvd;
> --
> 2.27.0
Hi,
This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him
a patch that has triggered this response. He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created. Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.
You are receiving this message because of the following common error(s)
as indicated below:
- Your patch is malformed (tabs converted to spaces, linewrapped, etc.)
and can not be applied. Please read the file,
Documentation/email-clients.txt in order to fix this.
- You did not specify a description of why the patch is needed, or
possibly, any description at all, in the email body. Please read the
section entitled "The canonical patch format" in the kernel file,
Documentation/SubmittingPatches for what is needed in order to
properly describe the change.
- You did not write a descriptive Subject: for the patch, allowing Greg,
and everyone else, to know what this patch is all about. Please read
the section entitled "The canonical patch format" in the kernel file,
Documentation/SubmittingPatches for what a proper Subject: line should
look like.
- It looks like you did not use your "real" name for the patch on either
the Signed-off-by: line, or the From: line (both of which have to
match). Please read the kernel file, Documentation/SubmittingPatches
for how to do this correctly.
If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.
thanks,
greg k-h's patch email bot
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: tty: fix a possible hang on tty device
2022-06-01 9:38 ` Greg KH
@ 2022-06-01 13:39 ` cael
2022-06-01 14:47 ` Greg KH
2022-06-01 15:28 ` Ilpo Järvinen
0 siblings, 2 replies; 33+ messages in thread
From: cael @ 2022-06-01 13:39 UTC (permalink / raw)
To: Greg KH; +Cc: Jiri Slaby, linux-serial
From: cael <juanfengpy@gmail.com>
Subject: [PATCH v2] tty: fix a possible hang on tty device
We have met a hang on pty device, the reader was blocking
at epoll on master side, the writer was sleeping at wait_woken
inside n_tty_write on slave side, and the write buffer on
tty_port was full, we found that the reader and writer would
never be woken again and block forever.
The problem was caused by a race between reader and kworker:
n_tty_read(reader): n_tty_receive_buf_common(kworker):
|room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
|room <= 0
copy_from_read_buf()|
n_tty_kick_worker() |
|ldata->no_room = true
After writing to slave device, writer wakes up kworker to flush
data on tty_port to reader, and the kworker finds that reader
has no room to store data so room <= 0 is met. At this moment,
reader consumes all the data on reader buffer and call
n_tty_kick_worker to check ldata->no_room which is false and
reader quits reading. Then kworker sets ldata->no_room=true
and quits too.
If write buffer is not full, writer will wake kworker to flush data
again after following writes, but if writer buffer is full and writer
goes to sleep, kworker will never be woken again and tty device is
blocked.
This problem can be solved with a check for read buffer size inside
n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
is true, a call to n_tty_kick_worker is necessary to keep flushing
data to reader.
Signed-off-by: cael <juanfengpy@gmail.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
---
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index efc72104c840..21241ea7cdb9 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -201,8 +201,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
struct n_tty_data *ldata = tty->disc_data;
/* Did the input worker stop? Restart it */
- if (unlikely(ldata->no_room)) {
- ldata->no_room = 0;
+ if (unlikely(READ_ONCE(ldata->no_room))) {
+ WRITE_ONCE(ldata->no_room, 0);
WARN_RATELIMIT(tty->port->itty == NULL,
"scheduling with invalid itty\n");
@@ -1632,7 +1632,7 @@ n_tty_receive_buf_common(struct tty_struct *tty,
const unsigned char *cp,
if (overflow && room < 0)
ldata->read_head--;
room = overflow;
- ldata->no_room = flow && !room;
+ WRITE_ONCE(ldata->no_room, flow && !room);
} else
overflow = 0;
@@ -1663,6 +1663,21 @@ n_tty_receive_buf_common(struct tty_struct
*tty, const unsigned char *cp,
} else
n_tty_check_throttle(tty);
+ if (READ_ONCE(ldata->no_room)) {
+ /*
+ * Reader ensures that read_tail is updated before
checking no_room,
+ * make sure that no_room is set before reading read_tail here.
+ * Now no_room is visible by reader, the race needs to
be handled is
+ * that reader has passed checkpoint for no_room and
reader buffer
+ * is empty, if so n_tty_kick_worker will not be
called by reader,
+ * instead, this function is called here.
+ * barrier is paired with smp_mb() in n_tty_read()
+ */
+ smp_mb();
+ if (!chars_in_buffer(tty))
+ n_tty_kick_worker(tty);
+ }
+
up_read(&tty->termios_rwsem);
return rcvd;
@@ -2180,8 +2195,14 @@ static ssize_t n_tty_read(struct tty_struct
*tty, struct file *file,
if (time)
timeout = time;
}
- if (tail != ldata->read_tail)
+ if (tail != ldata->read_tail) {
+ /*
+ * Make sure no_room is not read before setting read_tail,
+ * paired with smp_mb() in n_tty_receive_buf_common()
+ */
+ smp_mb();
n_tty_kick_worker(tty);
+ }
up_read(&tty->termios_rwsem);
remove_wait_queue(&tty->read_wait, &wait);
--
2.27.0
^ permalink raw reply related [flat|nested] 33+ messages in thread
* Re: tty: fix a possible hang on tty device
2022-06-01 13:39 ` cael
@ 2022-06-01 14:47 ` Greg KH
2022-06-01 15:28 ` Ilpo Järvinen
1 sibling, 0 replies; 33+ messages in thread
From: Greg KH @ 2022-06-01 14:47 UTC (permalink / raw)
To: cael; +Cc: Jiri Slaby, linux-serial
On Wed, Jun 01, 2022 at 09:39:27PM +0800, cael wrote:
> From: cael <juanfengpy@gmail.com>
> Subject: [PATCH v2] tty: fix a possible hang on tty device
>
> We have met a hang on pty device, the reader was blocking
> at epoll on master side, the writer was sleeping at wait_woken
> inside n_tty_write on slave side, and the write buffer on
> tty_port was full, we found that the reader and writer would
> never be woken again and block forever.
>
> The problem was caused by a race between reader and kworker:
> n_tty_read(reader): n_tty_receive_buf_common(kworker):
> |room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
> |room <= 0
> copy_from_read_buf()|
> n_tty_kick_worker() |
> |ldata->no_room = true
>
> After writing to slave device, writer wakes up kworker to flush
> data on tty_port to reader, and the kworker finds that reader
> has no room to store data so room <= 0 is met. At this moment,
> reader consumes all the data on reader buffer and call
> n_tty_kick_worker to check ldata->no_room which is false and
> reader quits reading. Then kworker sets ldata->no_room=true
> and quits too.
>
> If write buffer is not full, writer will wake kworker to flush data
> again after following writes, but if writer buffer is full and writer
> goes to sleep, kworker will never be woken again and tty device is
> blocked.
>
> This problem can be solved with a check for read buffer size inside
> n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
> is true, a call to n_tty_kick_worker is necessary to keep flushing
> data to reader.
>
> Signed-off-by: cael <juanfengpy@gmail.com>
> Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
>
> ---
> diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
> index efc72104c840..21241ea7cdb9 100644
> --- a/drivers/tty/n_tty.c
> +++ b/drivers/tty/n_tty.c
> @@ -201,8 +201,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
> struct n_tty_data *ldata = tty->disc_data;
>
> /* Did the input worker stop? Restart it */
> - if (unlikely(ldata->no_room)) {
> - ldata->no_room = 0;
> + if (unlikely(READ_ONCE(ldata->no_room))) {
> + WRITE_ONCE(ldata->no_room, 0);
>
> WARN_RATELIMIT(tty->port->itty == NULL,
> "scheduling with invalid itty\n");
> @@ -1632,7 +1632,7 @@ n_tty_receive_buf_common(struct tty_struct *tty,
> const unsigned char *cp,
> if (overflow && room < 0)
> ldata->read_head--;
> room = overflow;
> - ldata->no_room = flow && !room;
> + WRITE_ONCE(ldata->no_room, flow && !room);
> } else
> overflow = 0;
>
> @@ -1663,6 +1663,21 @@ n_tty_receive_buf_common(struct tty_struct
> *tty, const unsigned char *cp,
> } else
> n_tty_check_throttle(tty);
>
> + if (READ_ONCE(ldata->no_room)) {
> + /*
> + * Reader ensures that read_tail is updated before
> checking no_room,
> + * make sure that no_room is set before reading read_tail here.
> + * Now no_room is visible by reader, the race needs to
> be handled is
> + * that reader has passed checkpoint for no_room and
> reader buffer
> + * is empty, if so n_tty_kick_worker will not be
> called by reader,
> + * instead, this function is called here.
> + * barrier is paired with smp_mb() in n_tty_read()
> + */
> + smp_mb();
> + if (!chars_in_buffer(tty))
> + n_tty_kick_worker(tty);
> + }
> +
> up_read(&tty->termios_rwsem);
>
> return rcvd;
> @@ -2180,8 +2195,14 @@ static ssize_t n_tty_read(struct tty_struct
> *tty, struct file *file,
> if (time)
> timeout = time;
> }
> - if (tail != ldata->read_tail)
> + if (tail != ldata->read_tail) {
> + /*
> + * Make sure no_room is not read before setting read_tail,
> + * paired with smp_mb() in n_tty_receive_buf_common()
> + */
>
> + smp_mb();
> n_tty_kick_worker(tty);
> + }
> up_read(&tty->termios_rwsem);
>
> remove_wait_queue(&tty->read_wait, &wait);
> --
> 2.27.0
Hi,
This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him
a patch that has triggered this response. He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created. Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.
You are receiving this message because of the following common error(s)
as indicated below:
- Your patch is malformed (tabs converted to spaces, linewrapped, etc.)
and can not be applied. Please read the file,
Documentation/email-clients.txt in order to fix this.
- You did not write a descriptive Subject: for the patch, allowing Greg,
and everyone else, to know what this patch is all about. Please read
the section entitled "The canonical patch format" in the kernel file,
Documentation/SubmittingPatches for what a proper Subject: line should
look like.
- It looks like you did not use your "real" name for the patch on either
the Signed-off-by: line, or the From: line (both of which have to
match). Please read the kernel file, Documentation/SubmittingPatches
for how to do this correctly.
- This looks like a new version of a previously submitted patch, but you
did not list below the --- line any changes from the previous version.
Please read the section entitled "The canonical patch format" in the
kernel file, Documentation/SubmittingPatches for what needs to be done
here to properly describe this.
If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.
thanks,
greg k-h's patch email bot
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: tty: fix a possible hang on tty device
2022-06-01 13:39 ` cael
2022-06-01 14:47 ` Greg KH
@ 2022-06-01 15:28 ` Ilpo Järvinen
2022-06-06 13:40 ` cael
1 sibling, 1 reply; 33+ messages in thread
From: Ilpo Järvinen @ 2022-06-01 15:28 UTC (permalink / raw)
To: cael; +Cc: Greg KH, Jiri Slaby, linux-serial
[-- Attachment #1: Type: text/plain, Size: 4065 bytes --]
On Wed, 1 Jun 2022, cael wrote:
> From: cael <juanfengpy@gmail.com>
> Subject: [PATCH v2] tty: fix a possible hang on tty device
>
> We have met a hang on pty device, the reader was blocking
> at epoll on master side, the writer was sleeping at wait_woken
> inside n_tty_write on slave side, and the write buffer on
> tty_port was full, we found that the reader and writer would
> never be woken again and block forever.
>
> The problem was caused by a race between reader and kworker:
> n_tty_read(reader): n_tty_receive_buf_common(kworker):
> |room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
> |room <= 0
> copy_from_read_buf()|
> n_tty_kick_worker() |
> |ldata->no_room = true
>
> After writing to slave device, writer wakes up kworker to flush
> data on tty_port to reader, and the kworker finds that reader
> has no room to store data so room <= 0 is met. At this moment,
> reader consumes all the data on reader buffer and call
> n_tty_kick_worker to check ldata->no_room which is false and
> reader quits reading. Then kworker sets ldata->no_room=true
> and quits too.
>
> If write buffer is not full, writer will wake kworker to flush data
> again after following writes, but if writer buffer is full and writer
> goes to sleep, kworker will never be woken again and tty device is
> blocked.
>
> This problem can be solved with a check for read buffer size inside
> n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
> is true, a call to n_tty_kick_worker is necessary to keep flushing
> data to reader.
>
> Signed-off-by: cael <juanfengpy@gmail.com>
> Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
You should not add Reviewed-by on your own. Only after the person
himself/herself gives that tag for you, include it.
>
> ---
> diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
> index efc72104c840..21241ea7cdb9 100644
> --- a/drivers/tty/n_tty.c
> +++ b/drivers/tty/n_tty.c
> @@ -201,8 +201,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
> struct n_tty_data *ldata = tty->disc_data;
>
> /* Did the input worker stop? Restart it */
> - if (unlikely(ldata->no_room)) {
> - ldata->no_room = 0;
> + if (unlikely(READ_ONCE(ldata->no_room))) {
> + WRITE_ONCE(ldata->no_room, 0);
>
> WARN_RATELIMIT(tty->port->itty == NULL,
> "scheduling with invalid itty\n");
> @@ -1632,7 +1632,7 @@ n_tty_receive_buf_common(struct tty_struct *tty,
> const unsigned char *cp,
> if (overflow && room < 0)
> ldata->read_head--;
> room = overflow;
> - ldata->no_room = flow && !room;
> + WRITE_ONCE(ldata->no_room, flow && !room);
> } else
> overflow = 0;
>
> @@ -1663,6 +1663,21 @@ n_tty_receive_buf_common(struct tty_struct
> *tty, const unsigned char *cp,
> } else
> n_tty_check_throttle(tty);
>
> + if (READ_ONCE(ldata->no_room)) {
Hmm, since this function is only one setting it to non-zero value, perhaps
the information could be carried over here in a no_room local var (and
maybe unlikely() would be useful too similar to n_tty_kick_worker). After
all, this check is just an optimization for the common case where we know
no_room is definitely zero.
> + /*
> + * Reader ensures that read_tail is updated before
> checking no_room,
> + * make sure that no_room is set before reading read_tail here.
> + * Now no_room is visible by reader, the race needs to
> be handled is
> + * that reader has passed checkpoint for no_room and
> reader buffer
> + * is empty, if so n_tty_kick_worker will not be
> called by reader,
> + * instead, this function is called here.
This part is hard to parse/understand. Please try to rephrase.
--
i.
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: tty: fix a possible hang on tty device
2022-06-01 15:28 ` Ilpo Järvinen
@ 2022-06-06 13:40 ` cael
2022-06-06 14:43 ` Greg KH
0 siblings, 1 reply; 33+ messages in thread
From: cael @ 2022-06-06 13:40 UTC (permalink / raw)
To: Ilpo Järvinen; +Cc: Greg KH, Jiri Slaby, linux-serial
[-- Attachment #1: Type: text/plain, Size: 4903 bytes --]
From: cael <juanfengpy@gmail.com>
Subject:[PATCH v3] tty: fix a possible hang on tty device
We have met a hang on pty device, the reader was blocking
at epoll on master side, the writer was sleeping at wait_woken
inside n_tty_write on slave side, and the write buffer on
tty_port was full, we found that the reader and writer would
never be woken again and block forever.
The problem was caused by a race between reader and kworker:
n_tty_read(reader): n_tty_receive_buf_common(kworker):
|room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
|room <= 0
copy_from_read_buf()|
n_tty_kick_worker() |
|ldata->no_room = true
After writing to slave device, writer wakes up kworker to flush
data on tty_port to reader, and the kworker finds that reader
has no room to store data so room <= 0 is met. At this moment,
reader consumes all the data on reader buffer and call
n_tty_kick_worker to check ldata->no_room which is false and
reader quits reading. Then kworker sets ldata->no_room=true
and quits too.
If write buffer is not full, writer will wake kworker to flush data
again after following writes, but if writer buffer is full and writer
goes to sleep, kworker will never be woken again and tty device is
blocked.
This problem can be solved with a check for read buffer size inside
n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
is true, a call to n_tty_kick_worker is necessary to keep flushing
data to reader.
Signed-off-by: cael <juanfengpy@gmail.com>
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index efc72104c840..544f782b9a11 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -201,8 +201,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
struct n_tty_data *ldata = tty->disc_data;
/* Did the input worker stop? Restart it */
- if (unlikely(ldata->no_room)) {
- ldata->no_room = 0;
+ if (unlikely(READ_ONCE(ldata->no_room))) {
+ WRITE_ONCE(ldata->no_room, 0);
WARN_RATELIMIT(tty->port->itty == NULL,
"scheduling with invalid itty\n");
@@ -1632,7 +1632,7 @@ n_tty_receive_buf_common(struct tty_struct *tty,
const unsigned char *cp,
if (overflow && room < 0)
ldata->read_head--;
room = overflow;
- ldata->no_room = flow && !room;
+ WRITE_ONCE(ldata->no_room, flow && !room);
} else
overflow = 0;
@@ -1663,6 +1663,24 @@ n_tty_receive_buf_common(struct tty_struct
*tty, const unsigned char *cp,
} else
n_tty_check_throttle(tty);
+ if (unlikely(ldata->no_room)) {
+ /*
+ * Barrier here is to ensure to read the latest read_tail in
+ * chars_in_buffer() and to make sure that read_tail
is not loaded
+ * before ldata->no_room is set, otherwise, following
race may occur:
+ * n_tty_receive_buf_common() |n_tty_read()
+ * chars_in_buffer() > 0 |
+ *
|copy_from_read_buf()->chars_in_buffer()==0
+ * |if (ldata->no_room)
+ * ldata->no_room = 1 |
+ * Then both kworker and reader will fail to kick
n_tty_kick_worker(),
+ * smp_mb is paired with smp_mb() in n_tty_read().
+ */
+ smp_mb();
+ if (!chars_in_buffer(tty))
+ n_tty_kick_worker(tty);
+ }
+
up_read(&tty->termios_rwsem);
return rcvd;
@@ -2180,8 +2198,23 @@ static ssize_t n_tty_read(struct tty_struct
*tty, struct file *file,
if (time)
timeout = time;
}
- if (tail != ldata->read_tail)
+ if (tail != ldata->read_tail) {
+ /*
+ * Make sure no_room is not read before setting read_tail,
+ * otherwise, following race may occur:
+ * n_tty_read()
|n_tty_receive_buf_common()
+ * if(ldata->no_room)->false |
+ * |ldata->no_room = 1
+ * |char_in_buffer() > 0
+ * ldata->read_tail = ldata->commit_head|
+ * Then copy_from_read_buf() in reader consumes all the data
+ * in read buffer, both reader and kworker will fail to kick
+ * tty_buffer_restart_work().
+ * smp_mb is paired with smp_mb() in n_tty_receive_buf_common().
+ */
+ smp_mb();
n_tty_kick_worker(tty);
+ }
up_read(&tty->termios_rwsem);
remove_wait_queue(&tty->read_wait, &wait);
--
2.27.0
[-- Attachment #2: 0001-PATCH-v3-tty-fix-a-possible-hang-on-tty-device.patch --]
[-- Type: application/octet-stream, Size: 4314 bytes --]
From 6d213bd916fce9140557221a7eff0d65bd33df57 Mon Sep 17 00:00:00 2001
From: cael <juanfengpy@gmail.com>
Date: Mon, 23 May 2022 20:53:55 +0800
Subject: [PATCH] [PATCH v3] tty: fix a possible hang on tty device
We have met a hang on pty device, the reader was blocking
at epoll on master side, the writer was sleeping at wait_woken
inside n_tty_write on slave side, and the write buffer on
tty_port was full, we found that the reader and writer would
never be woken again and block forever.
The problem was caused by a race between reader and kworker:
n_tty_read(reader): n_tty_receive_buf_common(kworker):
|room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
|room <= 0
copy_from_read_buf()|
n_tty_kick_worker() |
|ldata->no_room = true
After writing to slave device, writer wakes up kworker to flush
data on tty_port to reader, and the kworker finds that reader
has no room to store data so room <= 0 is met. At this moment,
reader consumes all the data on reader buffer and call
n_tty_kick_worker to check ldata->no_room which is false and
reader quits reading. Then kworker sets ldata->no_room=true
and quits too.
If write buffer is not full, writer will wake kworker to flush data
again after following writes, but if writer buffer is full and writer
goes to sleep, kworker will never be woken again and tty device is
blocked.
This problem can be solved with a check for read buffer size inside
n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
is true, a call to n_tty_kick_worker is necessary to keep flushing
data to reader.
Signed-off-by: cael <juanfengpy@gmail.com>
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index efc72104c840..544f782b9a11 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -201,8 +201,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
struct n_tty_data *ldata = tty->disc_data;
/* Did the input worker stop? Restart it */
- if (unlikely(ldata->no_room)) {
- ldata->no_room = 0;
+ if (unlikely(READ_ONCE(ldata->no_room))) {
+ WRITE_ONCE(ldata->no_room, 0);
WARN_RATELIMIT(tty->port->itty == NULL,
"scheduling with invalid itty\n");
@@ -1632,7 +1632,7 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
if (overflow && room < 0)
ldata->read_head--;
room = overflow;
- ldata->no_room = flow && !room;
+ WRITE_ONCE(ldata->no_room, flow && !room);
} else
overflow = 0;
@@ -1663,6 +1663,24 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
} else
n_tty_check_throttle(tty);
+ if (unlikely(ldata->no_room)) {
+ /*
+ * Barrier here is to ensure to read the latest read_tail in
+ * chars_in_buffer() and to make sure that read_tail is not loaded
+ * before ldata->no_room is set, otherwise, following race may occur:
+ * n_tty_receive_buf_common() |n_tty_read()
+ * chars_in_buffer() > 0 |
+ * |copy_from_read_buf()->chars_in_buffer()==0
+ * |if (ldata->no_room)
+ * ldata->no_room = 1 |
+ * Then both kworker and reader will fail to kick n_tty_kick_worker(),
+ * smp_mb is paired with smp_mb() in n_tty_read().
+ */
+ smp_mb();
+ if (!chars_in_buffer(tty))
+ n_tty_kick_worker(tty);
+ }
+
up_read(&tty->termios_rwsem);
return rcvd;
@@ -2180,8 +2198,23 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
if (time)
timeout = time;
}
- if (tail != ldata->read_tail)
+ if (tail != ldata->read_tail) {
+ /*
+ * Make sure no_room is not read before setting read_tail,
+ * otherwise, following race may occur:
+ * n_tty_read() |n_tty_receive_buf_common()
+ * if(ldata->no_room)->false |
+ * |ldata->no_room = 1
+ * |char_in_buffer() > 0
+ * ldata->read_tail = ldata->commit_head|
+ * Then copy_from_read_buf() in reader consumes all the data
+ * in read buffer, both reader and kworker will fail to kick
+ * tty_buffer_restart_work().
+ * smp_mb is paired with smp_mb() in n_tty_receive_buf_common().
+ */
+ smp_mb();
n_tty_kick_worker(tty);
+ }
up_read(&tty->termios_rwsem);
remove_wait_queue(&tty->read_wait, &wait);
--
2.27.0
^ permalink raw reply related [flat|nested] 33+ messages in thread
* Re: tty: fix a possible hang on tty device
2022-06-06 13:40 ` cael
@ 2022-06-06 14:43 ` Greg KH
2022-06-11 6:50 ` cael
0 siblings, 1 reply; 33+ messages in thread
From: Greg KH @ 2022-06-06 14:43 UTC (permalink / raw)
To: cael; +Cc: Ilpo Järvinen, Jiri Slaby, linux-serial
On Mon, Jun 06, 2022 at 09:40:16PM +0800, cael wrote:
> From: cael <juanfengpy@gmail.com>
> Subject:[PATCH v3] tty: fix a possible hang on tty device
>
> We have met a hang on pty device, the reader was blocking
> at epoll on master side, the writer was sleeping at wait_woken
> inside n_tty_write on slave side, and the write buffer on
> tty_port was full, we found that the reader and writer would
> never be woken again and block forever.
>
> The problem was caused by a race between reader and kworker:
> n_tty_read(reader): n_tty_receive_buf_common(kworker):
> |room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
> |room <= 0
> copy_from_read_buf()|
> n_tty_kick_worker() |
> |ldata->no_room = true
>
> After writing to slave device, writer wakes up kworker to flush
> data on tty_port to reader, and the kworker finds that reader
> has no room to store data so room <= 0 is met. At this moment,
> reader consumes all the data on reader buffer and call
> n_tty_kick_worker to check ldata->no_room which is false and
> reader quits reading. Then kworker sets ldata->no_room=true
> and quits too.
>
> If write buffer is not full, writer will wake kworker to flush data
> again after following writes, but if writer buffer is full and writer
> goes to sleep, kworker will never be woken again and tty device is
> blocked.
>
> This problem can be solved with a check for read buffer size inside
> n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
> is true, a call to n_tty_kick_worker is necessary to keep flushing
> data to reader.
>
> Signed-off-by: cael <juanfengpy@gmail.com>
>
> diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
> index efc72104c840..544f782b9a11 100644
> --- a/drivers/tty/n_tty.c
> +++ b/drivers/tty/n_tty.c
> @@ -201,8 +201,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
> struct n_tty_data *ldata = tty->disc_data;
>
> /* Did the input worker stop? Restart it */
> - if (unlikely(ldata->no_room)) {
> - ldata->no_room = 0;
> + if (unlikely(READ_ONCE(ldata->no_room))) {
> + WRITE_ONCE(ldata->no_room, 0);
>
> WARN_RATELIMIT(tty->port->itty == NULL,
> "scheduling with invalid itty\n");
> @@ -1632,7 +1632,7 @@ n_tty_receive_buf_common(struct tty_struct *tty,
> const unsigned char *cp,
> if (overflow && room < 0)
> ldata->read_head--;
> room = overflow;
> - ldata->no_room = flow && !room;
> + WRITE_ONCE(ldata->no_room, flow && !room);
> } else
> overflow = 0;
>
> @@ -1663,6 +1663,24 @@ n_tty_receive_buf_common(struct tty_struct
> *tty, const unsigned char *cp,
> } else
> n_tty_check_throttle(tty);
>
> + if (unlikely(ldata->no_room)) {
> + /*
> + * Barrier here is to ensure to read the latest read_tail in
> + * chars_in_buffer() and to make sure that read_tail
> is not loaded
> + * before ldata->no_room is set, otherwise, following
> race may occur:
> + * n_tty_receive_buf_common() |n_tty_read()
> + * chars_in_buffer() > 0 |
> + *
> |copy_from_read_buf()->chars_in_buffer()==0
> + * |if (ldata->no_room)
> + * ldata->no_room = 1 |
> + * Then both kworker and reader will fail to kick
> n_tty_kick_worker(),
> + * smp_mb is paired with smp_mb() in n_tty_read().
> + */
> + smp_mb();
> + if (!chars_in_buffer(tty))
> + n_tty_kick_worker(tty);
> + }
> +
> up_read(&tty->termios_rwsem);
>
> return rcvd;
> @@ -2180,8 +2198,23 @@ static ssize_t n_tty_read(struct tty_struct
> *tty, struct file *file,
> if (time)
> timeout = time;
> }
> - if (tail != ldata->read_tail)
> + if (tail != ldata->read_tail) {
> + /*
> + * Make sure no_room is not read before setting read_tail,
> + * otherwise, following race may occur:
> + * n_tty_read()
> |n_tty_receive_buf_common()
> + * if(ldata->no_room)->false |
> + * |ldata->no_room = 1
> + * |char_in_buffer() > 0
> + * ldata->read_tail = ldata->commit_head|
> + * Then copy_from_read_buf() in reader consumes all the data
> + * in read buffer, both reader and kworker will fail to kick
> + * tty_buffer_restart_work().
> + * smp_mb is paired with smp_mb() in n_tty_receive_buf_common().
> + */
> + smp_mb();
> n_tty_kick_worker(tty);
> + }
> up_read(&tty->termios_rwsem);
>
> remove_wait_queue(&tty->read_wait, &wait);
> --
> 2.27.0
Hi,
This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him
a patch that has triggered this response. He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created. Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.
You are receiving this message because of the following common error(s)
as indicated below:
- Your patch is malformed (tabs converted to spaces, linewrapped, etc.)
and can not be applied. Please read the file,
Documentation/email-clients.txt in order to fix this.
- Your patch was attached, please place it inline so that it can be
applied directly from the email message itself.
- You did not write a descriptive Subject: for the patch, allowing Greg,
and everyone else, to know what this patch is all about. Please read
the section entitled "The canonical patch format" in the kernel file,
Documentation/SubmittingPatches for what a proper Subject: line should
look like.
- It looks like you did not use your "real" name for the patch on either
the Signed-off-by: line, or the From: line (both of which have to
match). Please read the kernel file, Documentation/SubmittingPatches
for how to do this correctly.
- This looks like a new version of a previously submitted patch, but you
did not list below the --- line any changes from the previous version.
Please read the section entitled "The canonical patch format" in the
kernel file, Documentation/SubmittingPatches for what needs to be done
here to properly describe this.
If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.
thanks,
greg k-h's patch email bot
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: tty: fix a possible hang on tty device
2022-06-06 14:43 ` Greg KH
@ 2022-06-11 6:50 ` cael
2022-06-11 7:32 ` Greg KH
0 siblings, 1 reply; 33+ messages in thread
From: cael @ 2022-06-11 6:50 UTC (permalink / raw)
To: Greg KH; +Cc: Ilpo Järvinen, Jiri Slaby, linux-serial
From: cael <juanfengpy@gmail.com>
Subject: [PATCH] [PATCH v3] tty: fix a possible hang on tty device
We have met a hang on pty device, the reader was blocking
at epoll on master side, the writer was sleeping at wait_woken
inside n_tty_write on slave side, and the write buffer on
tty_port was full, we found that the reader and writer would
never be woken again and block forever.
The problem was caused by a race between reader and kworker:
n_tty_read(reader): n_tty_receive_buf_common(kworker):
|room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
|room <= 0
copy_from_read_buf()|
n_tty_kick_worker() |
|ldata->no_room = true
After writing to slave device, writer wakes up kworker to flush
data on tty_port to reader, and the kworker finds that reader
has no room to store data so room <= 0 is met. At this moment,
reader consumes all the data on reader buffer and call
n_tty_kick_worker to check ldata->no_room which is false and
reader quits reading. Then kworker sets ldata->no_room=true
and quits too.
If write buffer is not full, writer will wake kworker to flush data
again after following writes, but if writer buffer is full and writer
goes to sleep, kworker will never be woken again and tty device is
blocked.
This problem can be solved with a check for read buffer size inside
n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
is true, a call to n_tty_kick_worker is necessary to keep flushing
data to reader.
Signed-off-by: cael <juanfengpy@gmail.com>
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index efc72104c840..544f782b9a11 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -201,8 +201,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
struct n_tty_data *ldata = tty->disc_data;
/* Did the input worker stop? Restart it */
- if (unlikely(ldata->no_room)) {
- ldata->no_room = 0;
+ if (unlikely(READ_ONCE(ldata->no_room))) {
+ WRITE_ONCE(ldata->no_room, 0);
WARN_RATELIMIT(tty->port->itty == NULL,
"scheduling with invalid itty\n");
@@ -1632,7 +1632,7 @@ n_tty_receive_buf_common(struct tty_struct *tty,
const unsigned char *cp,
if (overflow && room < 0)
ldata->read_head--;
room = overflow;
- ldata->no_room = flow && !room;
+ WRITE_ONCE(ldata->no_room, flow && !room);
} else
overflow = 0;
@@ -1663,6 +1663,24 @@ n_tty_receive_buf_common(struct tty_struct
*tty, const unsigned char *cp,
} else
n_tty_check_throttle(tty);
+ if (unlikely(ldata->no_room)) {
+ /*
+ * Barrier here is to ensure to read the latest read_tail in
+ * chars_in_buffer() and to make sure that read_tail
is not loaded
+ * before ldata->no_room is set, otherwise, following
race may occur:
+ * n_tty_receive_buf_common() |n_tty_read()
+ * chars_in_buffer() > 0 |
+ *
|copy_from_read_buf()->chars_in_buffer()==0
+ * |if (ldata->no_room)
+ * ldata->no_room = 1 |
+ * Then both kworker and reader will fail to kick
n_tty_kick_worker(),
+ * smp_mb is paired with smp_mb() in n_tty_read().
+ */
+ smp_mb();
+ if (!chars_in_buffer(tty))
+ n_tty_kick_worker(tty);
+ }
+
up_read(&tty->termios_rwsem);
return rcvd;
@@ -2180,8 +2198,23 @@ static ssize_t n_tty_read(struct tty_struct
*tty, struct file *file,
if (time)
timeout = time;
}
- if (tail != ldata->read_tail)
+ if (tail != ldata->read_tail) {
+ /*
+ * Make sure no_room is not read before setting read_tail,
+ * otherwise, following race may occur:
+ * n_tty_read()
|n_tty_receive_buf_common()
+ * if(ldata->no_room)->false |
+ * |ldata->no_room = 1
+ * |char_in_buffer() > 0
+ * ldata->read_tail = ldata->commit_head|
+ * Then copy_from_read_buf() in reader consumes all the data
+ * in read buffer, both reader and kworker will fail to kick
+ * tty_buffer_restart_work().
+ * smp_mb is paired with smp_mb() in n_tty_receive_buf_common().
+ */
+ smp_mb();
n_tty_kick_worker(tty);
+ }
up_read(&tty->termios_rwsem);
remove_wait_queue(&tty->read_wait, &wait);
--
2.27.0
Greg KH <gregkh@linuxfoundation.org> 于2022年6月6日周一 22:43写道:
>
> On Mon, Jun 06, 2022 at 09:40:16PM +0800, cael wrote:
> > From: cael <juanfengpy@gmail.com>
> > Subject:[PATCH v3] tty: fix a possible hang on tty device
> >
> > We have met a hang on pty device, the reader was blocking
> > at epoll on master side, the writer was sleeping at wait_woken
> > inside n_tty_write on slave side, and the write buffer on
> > tty_port was full, we found that the reader and writer would
> > never be woken again and block forever.
> >
> > The problem was caused by a race between reader and kworker:
> > n_tty_read(reader): n_tty_receive_buf_common(kworker):
> > |room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
> > |room <= 0
> > copy_from_read_buf()|
> > n_tty_kick_worker() |
> > |ldata->no_room = true
> >
> > After writing to slave device, writer wakes up kworker to flush
> > data on tty_port to reader, and the kworker finds that reader
> > has no room to store data so room <= 0 is met. At this moment,
> > reader consumes all the data on reader buffer and call
> > n_tty_kick_worker to check ldata->no_room which is false and
> > reader quits reading. Then kworker sets ldata->no_room=true
> > and quits too.
> >
> > If write buffer is not full, writer will wake kworker to flush data
> > again after following writes, but if writer buffer is full and writer
> > goes to sleep, kworker will never be woken again and tty device is
> > blocked.
> >
> > This problem can be solved with a check for read buffer size inside
> > n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
> > is true, a call to n_tty_kick_worker is necessary to keep flushing
> > data to reader.
> >
> > Signed-off-by: cael <juanfengpy@gmail.com>
> >
> > diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
> > index efc72104c840..544f782b9a11 100644
> > --- a/drivers/tty/n_tty.c
> > +++ b/drivers/tty/n_tty.c
> > @@ -201,8 +201,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
> > struct n_tty_data *ldata = tty->disc_data;
> >
> > /* Did the input worker stop? Restart it */
> > - if (unlikely(ldata->no_room)) {
> > - ldata->no_room = 0;
> > + if (unlikely(READ_ONCE(ldata->no_room))) {
> > + WRITE_ONCE(ldata->no_room, 0);
> >
> > WARN_RATELIMIT(tty->port->itty == NULL,
> > "scheduling with invalid itty\n");
> > @@ -1632,7 +1632,7 @@ n_tty_receive_buf_common(struct tty_struct *tty,
> > const unsigned char *cp,
> > if (overflow && room < 0)
> > ldata->read_head--;
> > room = overflow;
> > - ldata->no_room = flow && !room;
> > + WRITE_ONCE(ldata->no_room, flow && !room);
> > } else
> > overflow = 0;
> >
> > @@ -1663,6 +1663,24 @@ n_tty_receive_buf_common(struct tty_struct
> > *tty, const unsigned char *cp,
> > } else
> > n_tty_check_throttle(tty);
> >
> > + if (unlikely(ldata->no_room)) {
> > + /*
> > + * Barrier here is to ensure to read the latest read_tail in
> > + * chars_in_buffer() and to make sure that read_tail
> > is not loaded
> > + * before ldata->no_room is set, otherwise, following
> > race may occur:
> > + * n_tty_receive_buf_common() |n_tty_read()
> > + * chars_in_buffer() > 0 |
> > + *
> > |copy_from_read_buf()->chars_in_buffer()==0
> > + * |if (ldata->no_room)
> > + * ldata->no_room = 1 |
> > + * Then both kworker and reader will fail to kick
> > n_tty_kick_worker(),
> > + * smp_mb is paired with smp_mb() in n_tty_read().
> > + */
> > + smp_mb();
> > + if (!chars_in_buffer(tty))
> > + n_tty_kick_worker(tty);
> > + }
> > +
> > up_read(&tty->termios_rwsem);
> >
> > return rcvd;
> > @@ -2180,8 +2198,23 @@ static ssize_t n_tty_read(struct tty_struct
> > *tty, struct file *file,
> > if (time)
> > timeout = time;
> > }
> > - if (tail != ldata->read_tail)
> > + if (tail != ldata->read_tail) {
> > + /*
> > + * Make sure no_room is not read before setting read_tail,
> > + * otherwise, following race may occur:
> > + * n_tty_read()
> > |n_tty_receive_buf_common()
> > + * if(ldata->no_room)->false |
> > + * |ldata->no_room = 1
> > + * |char_in_buffer() > 0
> > + * ldata->read_tail = ldata->commit_head|
> > + * Then copy_from_read_buf() in reader consumes all the data
> > + * in read buffer, both reader and kworker will fail to kick
> > + * tty_buffer_restart_work().
> > + * smp_mb is paired with smp_mb() in n_tty_receive_buf_common().
> > + */
> > + smp_mb();
> > n_tty_kick_worker(tty);
> > + }
> > up_read(&tty->termios_rwsem);
> >
> > remove_wait_queue(&tty->read_wait, &wait);
> > --
> > 2.27.0
>
>
> Hi,
>
> This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him
> a patch that has triggered this response. He used to manually respond
> to these common problems, but in order to save his sanity (he kept
> writing the same thing over and over, yet to different people), I was
> created. Hopefully you will not take offence and will fix the problem
> in your patch and resubmit it so that it can be accepted into the Linux
> kernel tree.
>
> You are receiving this message because of the following common error(s)
> as indicated below:
>
> - Your patch is malformed (tabs converted to spaces, linewrapped, etc.)
> and can not be applied. Please read the file,
> Documentation/email-clients.txt in order to fix this.
>
> - Your patch was attached, please place it inline so that it can be
> applied directly from the email message itself.
>
> - You did not write a descriptive Subject: for the patch, allowing Greg,
> and everyone else, to know what this patch is all about. Please read
> the section entitled "The canonical patch format" in the kernel file,
> Documentation/SubmittingPatches for what a proper Subject: line should
> look like.
>
> - It looks like you did not use your "real" name for the patch on either
> the Signed-off-by: line, or the From: line (both of which have to
> match). Please read the kernel file, Documentation/SubmittingPatches
> for how to do this correctly.
>
> - This looks like a new version of a previously submitted patch, but you
> did not list below the --- line any changes from the previous version.
> Please read the section entitled "The canonical patch format" in the
> kernel file, Documentation/SubmittingPatches for what needs to be done
> here to properly describe this.
>
> If you wish to discuss this problem further, or you have questions about
> how to resolve this issue, please feel free to respond to this email and
> Greg will reply once he has dug out from the pending patches received
> from other developers.
>
> thanks,
>
> greg k-h's patch email bot
^ permalink raw reply related [flat|nested] 33+ messages in thread
* Re: tty: fix a possible hang on tty device
2022-06-11 6:50 ` cael
@ 2022-06-11 7:32 ` Greg KH
2022-06-13 12:30 ` [PATCH v3] tty: fix hang on tty device with no_room set juanfengpy
0 siblings, 1 reply; 33+ messages in thread
From: Greg KH @ 2022-06-11 7:32 UTC (permalink / raw)
To: cael; +Cc: Ilpo Järvinen, Jiri Slaby, linux-serial
On Sat, Jun 11, 2022 at 02:50:54PM +0800, cael wrote:
> From: cael <juanfengpy@gmail.com>
> Subject: [PATCH] [PATCH v3] tty: fix a possible hang on tty device
>
> We have met a hang on pty device, the reader was blocking
> at epoll on master side, the writer was sleeping at wait_woken
> inside n_tty_write on slave side, and the write buffer on
> tty_port was full, we found that the reader and writer would
> never be woken again and block forever.
>
> The problem was caused by a race between reader and kworker:
> n_tty_read(reader): n_tty_receive_buf_common(kworker):
> |room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
> |room <= 0
> copy_from_read_buf()|
> n_tty_kick_worker() |
> |ldata->no_room = true
>
> After writing to slave device, writer wakes up kworker to flush
> data on tty_port to reader, and the kworker finds that reader
> has no room to store data so room <= 0 is met. At this moment,
> reader consumes all the data on reader buffer and call
> n_tty_kick_worker to check ldata->no_room which is false and
> reader quits reading. Then kworker sets ldata->no_room=true
> and quits too.
>
> If write buffer is not full, writer will wake kworker to flush data
> again after following writes, but if writer buffer is full and writer
> goes to sleep, kworker will never be woken again and tty device is
> blocked.
>
> This problem can be solved with a check for read buffer size inside
> n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
> is true, a call to n_tty_kick_worker is necessary to keep flushing
> data to reader.
>
> Signed-off-by: cael <juanfengpy@gmail.com>
>
> diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
> index efc72104c840..544f782b9a11 100644
> --- a/drivers/tty/n_tty.c
> +++ b/drivers/tty/n_tty.c
> @@ -201,8 +201,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
> struct n_tty_data *ldata = tty->disc_data;
>
> /* Did the input worker stop? Restart it */
> - if (unlikely(ldata->no_room)) {
> - ldata->no_room = 0;
> + if (unlikely(READ_ONCE(ldata->no_room))) {
> + WRITE_ONCE(ldata->no_room, 0);
>
> WARN_RATELIMIT(tty->port->itty == NULL,
> "scheduling with invalid itty\n");
> @@ -1632,7 +1632,7 @@ n_tty_receive_buf_common(struct tty_struct *tty,
> const unsigned char *cp,
> if (overflow && room < 0)
> ldata->read_head--;
> room = overflow;
> - ldata->no_room = flow && !room;
> + WRITE_ONCE(ldata->no_room, flow && !room);
> } else
> overflow = 0;
>
> @@ -1663,6 +1663,24 @@ n_tty_receive_buf_common(struct tty_struct
> *tty, const unsigned char *cp,
> } else
> n_tty_check_throttle(tty);
>
> + if (unlikely(ldata->no_room)) {
> + /*
> + * Barrier here is to ensure to read the latest read_tail in
> + * chars_in_buffer() and to make sure that read_tail
> is not loaded
> + * before ldata->no_room is set, otherwise, following
> race may occur:
> + * n_tty_receive_buf_common() |n_tty_read()
> + * chars_in_buffer() > 0 |
> + *
> |copy_from_read_buf()->chars_in_buffer()==0
> + * |if (ldata->no_room)
> + * ldata->no_room = 1 |
> + * Then both kworker and reader will fail to kick
> n_tty_kick_worker(),
> + * smp_mb is paired with smp_mb() in n_tty_read().
> + */
> + smp_mb();
> + if (!chars_in_buffer(tty))
> + n_tty_kick_worker(tty);
> + }
> +
> up_read(&tty->termios_rwsem);
>
> return rcvd;
> @@ -2180,8 +2198,23 @@ static ssize_t n_tty_read(struct tty_struct
> *tty, struct file *file,
> if (time)
> timeout = time;
> }
> - if (tail != ldata->read_tail)
> + if (tail != ldata->read_tail) {
> + /*
> + * Make sure no_room is not read before setting read_tail,
> + * otherwise, following race may occur:
> + * n_tty_read()
> |n_tty_receive_buf_common()
> + * if(ldata->no_room)->false |
> + * |ldata->no_room = 1
> + * |char_in_buffer() > 0
> + * ldata->read_tail = ldata->commit_head|
> + * Then copy_from_read_buf() in reader consumes all the data
> + * in read buffer, both reader and kworker will fail to kick
> + * tty_buffer_restart_work().
> + * smp_mb is paired with smp_mb() in n_tty_receive_buf_common().
> + */
> + smp_mb();
> n_tty_kick_worker(tty);
> + }
> up_read(&tty->termios_rwsem);
>
> remove_wait_queue(&tty->read_wait, &wait);
> --
> 2.27.0
Is there any specific reason you ignored all of the recommendations from
my previous email as to what needs to be changed in order for this patch
to be accepted? It doesn't make any sense for me to just keep sending
the same information again :(
thanks,
greg k-h
^ permalink raw reply [flat|nested] 33+ messages in thread
* [PATCH v3] tty: fix hang on tty device with no_room set
2022-06-11 7:32 ` Greg KH
@ 2022-06-13 12:30 ` juanfengpy
2022-06-13 17:20 ` Greg KH
0 siblings, 1 reply; 33+ messages in thread
From: juanfengpy @ 2022-06-13 12:30 UTC (permalink / raw)
To: gregkh
Cc: jirislaby, ilpo.jarvinen, benbjiang, robinlai, linux-serial, caelli
From: caelli <caelli@tencent.com>
We have met a hang on pty device, the reader was blocking
at epoll on master side, the writer was sleeping at wait_woken
inside n_tty_write on slave side, and the write buffer on
tty_port was full, we found that the reader and writer would
never be woken again and blocked forever.
The problem was caused by a race between reader and kworker:
n_tty_read(reader): n_tty_receive_buf_common(kworker):
|room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
|room <= 0
copy_from_read_buf()|
n_tty_kick_worker() |
|ldata->no_room = true
After writing to slave device, writer wakes up kworker to flush
data on tty_port to reader, and the kworker finds that reader
has no room to store data so room <= 0 is met. At this moment,
reader consumes all the data on reader buffer and call
n_tty_kick_worker to check ldata->no_room which is false and
reader quits reading. Then kworker sets ldata->no_room=true
and quits too.
If write buffer is not full, writer will wake kworker to flush data
again after following writes, but if write buffer is full and writer
goes to sleep, kworker will never be woken again and tty device is
blocked.
This problem can be solved with a check for read buffer size inside
n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
is true, a call to n_tty_kick_worker is necessary to keep flushing
data to reader.
Signed-off-by: caelli <caelli@tencent.com>
---
Previous threads:
https://lore.kernel.org/all/CAPmgiULo4h8bOrzL+XJ5Pndw0kz80fBPfH_KNLx3c5j-Yj04SA@mail.gmail.com/t/
I corrected some format problems as recommended and switched client to git send-email,
which may be ok. And subject is changed from 'tty: fix a possible hang on tty device' to
'tty: fix hang on tty device with no_room set' to make subject more obvious.
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index efc72104c840..544f782b9a11 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -201,8 +201,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
struct n_tty_data *ldata = tty->disc_data;
/* Did the input worker stop? Restart it */
- if (unlikely(ldata->no_room)) {
- ldata->no_room = 0;
+ if (unlikely(READ_ONCE(ldata->no_room))) {
+ WRITE_ONCE(ldata->no_room, 0);
WARN_RATELIMIT(tty->port->itty == NULL,
"scheduling with invalid itty\n");
@@ -1632,7 +1632,7 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
if (overflow && room < 0)
ldata->read_head--;
room = overflow;
- ldata->no_room = flow && !room;
+ WRITE_ONCE(ldata->no_room, flow && !room);
} else
overflow = 0;
@@ -1663,6 +1663,24 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
} else
n_tty_check_throttle(tty);
+ if (unlikely(ldata->no_room)) {
+ /*
+ * Barrier here is to ensure to read the latest read_tail in
+ * chars_in_buffer() and to make sure that read_tail is not loaded
+ * before ldata->no_room is set, otherwise, following race may occur:
+ * n_tty_receive_buf_common() |n_tty_read()
+ * chars_in_buffer() > 0 |
+ * |copy_from_read_buf()->chars_in_buffer()==0
+ * |if (ldata->no_room)
+ * ldata->no_room = 1 |
+ * Then both kworker and reader will fail to kick n_tty_kick_worker(),
+ * smp_mb is paired with smp_mb() in n_tty_read().
+ */
+ smp_mb();
+ if (!chars_in_buffer(tty))
+ n_tty_kick_worker(tty);
+ }
+
up_read(&tty->termios_rwsem);
return rcvd;
@@ -2180,8 +2198,23 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
if (time)
timeout = time;
}
- if (tail != ldata->read_tail)
+ if (tail != ldata->read_tail) {
+ /*
+ * Make sure no_room is not read before setting read_tail,
+ * otherwise, following race may occur:
+ * n_tty_read() |n_tty_receive_buf_common()
+ * if(ldata->no_room)->false |
+ * |ldata->no_room = 1
+ * |char_in_buffer() > 0
+ * ldata->read_tail = ldata->commit_head|
+ * Then copy_from_read_buf() in reader consumes all the data
+ * in read buffer, both reader and kworker will fail to kick
+ * tty_buffer_restart_work().
+ * smp_mb is paired with smp_mb() in n_tty_receive_buf_common().
+ */
+ smp_mb();
n_tty_kick_worker(tty);
+ }
up_read(&tty->termios_rwsem);
remove_wait_queue(&tty->read_wait, &wait);
--
2.27.0
^ permalink raw reply related [flat|nested] 33+ messages in thread
* Re: [PATCH v3] tty: fix hang on tty device with no_room set
2022-06-13 12:30 ` [PATCH v3] tty: fix hang on tty device with no_room set juanfengpy
@ 2022-06-13 17:20 ` Greg KH
2022-06-15 3:45 ` [PATCH v4] " cael
0 siblings, 1 reply; 33+ messages in thread
From: Greg KH @ 2022-06-13 17:20 UTC (permalink / raw)
To: juanfengpy
Cc: jirislaby, ilpo.jarvinen, benbjiang, robinlai, linux-serial, caelli
On Mon, Jun 13, 2022 at 08:30:29PM +0800, juanfengpy@gmail.com wrote:
> From: caelli <caelli@tencent.com>
This name/address does not match what you are sending it from, and I do
not think this is how you sign legal documents right?
For that reason alone, I can't take this :(
>
> We have met a hang on pty device, the reader was blocking
> at epoll on master side, the writer was sleeping at wait_woken
> inside n_tty_write on slave side, and the write buffer on
> tty_port was full, we found that the reader and writer would
> never be woken again and blocked forever.
>
> The problem was caused by a race between reader and kworker:
> n_tty_read(reader): n_tty_receive_buf_common(kworker):
> |room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
> |room <= 0
> copy_from_read_buf()|
> n_tty_kick_worker() |
> |ldata->no_room = true
>
> After writing to slave device, writer wakes up kworker to flush
> data on tty_port to reader, and the kworker finds that reader
> has no room to store data so room <= 0 is met. At this moment,
> reader consumes all the data on reader buffer and call
> n_tty_kick_worker to check ldata->no_room which is false and
> reader quits reading. Then kworker sets ldata->no_room=true
> and quits too.
>
> If write buffer is not full, writer will wake kworker to flush data
> again after following writes, but if write buffer is full and writer
> goes to sleep, kworker will never be woken again and tty device is
> blocked.
>
> This problem can be solved with a check for read buffer size inside
> n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
> is true, a call to n_tty_kick_worker is necessary to keep flushing
> data to reader.
>
> Signed-off-by: caelli <caelli@tencent.com>
> ---
> Previous threads:
> https://lore.kernel.org/all/CAPmgiULo4h8bOrzL+XJ5Pndw0kz80fBPfH_KNLx3c5j-Yj04SA@mail.gmail.com/t/
>
> I corrected some format problems as recommended and switched client to git send-email,
> which may be ok. And subject is changed from 'tty: fix a possible hang on tty device' to
> 'tty: fix hang on tty device with no_room set' to make subject more obvious.
Please properly version your patches like the documentation explains how
to, so we know what has changed from previous versions. Otherwise they
all look identical to us.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 33+ messages in thread
* [PATCH v4] tty: fix hang on tty device with no_room set
2022-06-13 17:20 ` Greg KH
@ 2022-06-15 3:45 ` cael
2022-06-15 5:00 ` Greg KH
0 siblings, 1 reply; 33+ messages in thread
From: cael @ 2022-06-15 3:45 UTC (permalink / raw)
To: gregkh
Cc: jirislaby, ilpo.jarvinen, benbjiang, robinlai, linux-serial, juanfengpy
We have met a hang on pty device, the reader was blocking
at epoll on master side, the writer was sleeping at wait_woken
inside n_tty_write on slave side, and the write buffer on
tty_port was full, we found that the reader and writer would
never be woken again and blocked forever.
The problem was caused by a race between reader and kworker:
n_tty_read(reader): n_tty_receive_buf_common(kworker):
|room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
|room <= 0
copy_from_read_buf()|
n_tty_kick_worker() |
|ldata->no_room = true
After writing to slave device, writer wakes up kworker to flush
data on tty_port to reader, and the kworker finds that reader
has no room to store data so room <= 0 is met. At this moment,
reader consumes all the data on reader buffer and calls
n_tty_kick_worker to check ldata->no_room which is false and
reader quits reading. Then kworker sets ldata->no_room=true
and quits too.
If write buffer is not full, writer will wake kworker to flush data
again after following writes, but if write buffer is full and writer
goes to sleep, kworker will never be woken again and tty device is
blocked.
This problem can be solved with a check for read buffer size inside
n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
is true, a call to n_tty_kick_worker is necessary to keep flushing
data to reader.
Signed-off-by: cael <juanfengpy@gmail.com>
---
Patch changelogs between v1 and v2:
-add barrier inside n_tty_read and n_tty_receive_buf_common;
-comment why barrier is needed;
-access to ldata->no_room is changed with READ_ONCE and WRITE_ONCE;
Patch changelogs between v2 and v3:
-in function n_tty_receive_buf_common, add unlikely to check
ldata->no_room, eg: if (unlikely(ldata->no_room)), and READ_ONCE
is removed here to get locality;
-change comment for barrier to show the race condition to make
comment easier to understand;
Patch changelogs between v3 and v4:
-change subject from 'tty: fix a possible hang on tty device' to
'tty: fix hang on tty device with no_room set' to make subject
more obvious.
drivers/tty/n_tty.c | 41 +++++++++++++++++++++++++++++++++++++----
1 file changed, 37 insertions(+), 4 deletions(-)
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index efc72104c840..544f782b9a11 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -201,8 +201,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
struct n_tty_data *ldata = tty->disc_data;
/* Did the input worker stop? Restart it */
- if (unlikely(ldata->no_room)) {
- ldata->no_room = 0;
+ if (unlikely(READ_ONCE(ldata->no_room))) {
+ WRITE_ONCE(ldata->no_room, 0);
WARN_RATELIMIT(tty->port->itty == NULL,
"scheduling with invalid itty\n");
@@ -1632,7 +1632,7 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
if (overflow && room < 0)
ldata->read_head--;
room = overflow;
- ldata->no_room = flow && !room;
+ WRITE_ONCE(ldata->no_room, flow && !room);
} else
overflow = 0;
@@ -1663,6 +1663,24 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
} else
n_tty_check_throttle(tty);
+ if (unlikely(ldata->no_room)) {
+ /*
+ * Barrier here is to ensure to read the latest read_tail in
+ * chars_in_buffer() and to make sure that read_tail is not loaded
+ * before ldata->no_room is set, otherwise, following race may occur:
+ * n_tty_receive_buf_common() |n_tty_read()
+ * chars_in_buffer() > 0 |
+ * |copy_from_read_buf()->chars_in_buffer()==0
+ * |if (ldata->no_room)
+ * ldata->no_room = 1 |
+ * Then both kworker and reader will fail to kick n_tty_kick_worker(),
+ * smp_mb is paired with smp_mb() in n_tty_read().
+ */
+ smp_mb();
+ if (!chars_in_buffer(tty))
+ n_tty_kick_worker(tty);
+ }
+
up_read(&tty->termios_rwsem);
return rcvd;
@@ -2180,8 +2198,23 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
if (time)
timeout = time;
}
- if (tail != ldata->read_tail)
+ if (tail != ldata->read_tail) {
+ /*
+ * Make sure no_room is not read before setting read_tail,
+ * otherwise, following race may occur:
+ * n_tty_read() |n_tty_receive_buf_common()
+ * if(ldata->no_room)->false |
+ * |ldata->no_room = 1
+ * |char_in_buffer() > 0
+ * ldata->read_tail = ldata->commit_head|
+ * Then copy_from_read_buf() in reader consumes all the data
+ * in read buffer, both reader and kworker will fail to kick
+ * tty_buffer_restart_work().
+ * smp_mb is paired with smp_mb() in n_tty_receive_buf_common().
+ */
+ smp_mb();
n_tty_kick_worker(tty);
+ }
up_read(&tty->termios_rwsem);
remove_wait_queue(&tty->read_wait, &wait);
--
2.27.0
^ permalink raw reply related [flat|nested] 33+ messages in thread
* Re: [PATCH v4] tty: fix hang on tty device with no_room set
2022-06-15 3:45 ` [PATCH v4] " cael
@ 2022-06-15 5:00 ` Greg KH
2022-06-15 7:57 ` Ilpo Järvinen
0 siblings, 1 reply; 33+ messages in thread
From: Greg KH @ 2022-06-15 5:00 UTC (permalink / raw)
To: cael; +Cc: jirislaby, ilpo.jarvinen, benbjiang, robinlai, linux-serial
On Wed, Jun 15, 2022 at 11:45:10AM +0800, cael wrote:
> We have met a hang on pty device, the reader was blocking
> at epoll on master side, the writer was sleeping at wait_woken
> inside n_tty_write on slave side, and the write buffer on
> tty_port was full, we found that the reader and writer would
> never be woken again and blocked forever.
>
> The problem was caused by a race between reader and kworker:
> n_tty_read(reader): n_tty_receive_buf_common(kworker):
> |room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
> |room <= 0
> copy_from_read_buf()|
> n_tty_kick_worker() |
> |ldata->no_room = true
>
> After writing to slave device, writer wakes up kworker to flush
> data on tty_port to reader, and the kworker finds that reader
> has no room to store data so room <= 0 is met. At this moment,
> reader consumes all the data on reader buffer and calls
> n_tty_kick_worker to check ldata->no_room which is false and
> reader quits reading. Then kworker sets ldata->no_room=true
> and quits too.
>
> If write buffer is not full, writer will wake kworker to flush data
> again after following writes, but if write buffer is full and writer
> goes to sleep, kworker will never be woken again and tty device is
> blocked.
>
> This problem can be solved with a check for read buffer size inside
> n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
> is true, a call to n_tty_kick_worker is necessary to keep flushing
> data to reader.
>
> Signed-off-by: cael <juanfengpy@gmail.com>
> ---
> Patch changelogs between v1 and v2:
> -add barrier inside n_tty_read and n_tty_receive_buf_common;
> -comment why barrier is needed;
> -access to ldata->no_room is changed with READ_ONCE and WRITE_ONCE;
> Patch changelogs between v2 and v3:
> -in function n_tty_receive_buf_common, add unlikely to check
> ldata->no_room, eg: if (unlikely(ldata->no_room)), and READ_ONCE
> is removed here to get locality;
> -change comment for barrier to show the race condition to make
> comment easier to understand;
> Patch changelogs between v3 and v4:
> -change subject from 'tty: fix a possible hang on tty device' to
> 'tty: fix hang on tty device with no_room set' to make subject
> more obvious.
>
> drivers/tty/n_tty.c | 41 +++++++++++++++++++++++++++++++++++++----
> 1 file changed, 37 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
> index efc72104c840..544f782b9a11 100644
> --- a/drivers/tty/n_tty.c
> +++ b/drivers/tty/n_tty.c
> @@ -201,8 +201,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
> struct n_tty_data *ldata = tty->disc_data;
>
> /* Did the input worker stop? Restart it */
> - if (unlikely(ldata->no_room)) {
> - ldata->no_room = 0;
> + if (unlikely(READ_ONCE(ldata->no_room))) {
> + WRITE_ONCE(ldata->no_room, 0);
>
> WARN_RATELIMIT(tty->port->itty == NULL,
> "scheduling with invalid itty\n");
> @@ -1632,7 +1632,7 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
> if (overflow && room < 0)
> ldata->read_head--;
> room = overflow;
> - ldata->no_room = flow && !room;
> + WRITE_ONCE(ldata->no_room, flow && !room);
> } else
> overflow = 0;
>
> @@ -1663,6 +1663,24 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
> } else
> n_tty_check_throttle(tty);
>
> + if (unlikely(ldata->no_room)) {
> + /*
> + * Barrier here is to ensure to read the latest read_tail in
> + * chars_in_buffer() and to make sure that read_tail is not loaded
> + * before ldata->no_room is set, otherwise, following race may occur:
> + * n_tty_receive_buf_common() |n_tty_read()
> + * chars_in_buffer() > 0 |
> + * |copy_from_read_buf()->chars_in_buffer()==0
> + * |if (ldata->no_room)
> + * ldata->no_room = 1 |
> + * Then both kworker and reader will fail to kick n_tty_kick_worker(),
> + * smp_mb is paired with smp_mb() in n_tty_read().
> + */
> + smp_mb();
> + if (!chars_in_buffer(tty))
> + n_tty_kick_worker(tty);
> + }
> +
> up_read(&tty->termios_rwsem);
>
> return rcvd;
> @@ -2180,8 +2198,23 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
> if (time)
> timeout = time;
> }
> - if (tail != ldata->read_tail)
> + if (tail != ldata->read_tail) {
> + /*
> + * Make sure no_room is not read before setting read_tail,
> + * otherwise, following race may occur:
> + * n_tty_read() |n_tty_receive_buf_common()
> + * if(ldata->no_room)->false |
> + * |ldata->no_room = 1
> + * |char_in_buffer() > 0
> + * ldata->read_tail = ldata->commit_head|
> + * Then copy_from_read_buf() in reader consumes all the data
> + * in read buffer, both reader and kworker will fail to kick
> + * tty_buffer_restart_work().
> + * smp_mb is paired with smp_mb() in n_tty_receive_buf_common().
> + */
> + smp_mb();
> n_tty_kick_worker(tty);
> + }
> up_read(&tty->termios_rwsem);
>
> remove_wait_queue(&tty->read_wait, &wait);
> --
> 2.27.0
>
Hi,
This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him
a patch that has triggered this response. He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created. Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.
You are receiving this message because of the following common error(s)
as indicated below:
- It looks like you did not use your "real" name for the patch on either
the Signed-off-by: line, or the From: line (both of which have to
match). Please read the kernel file, Documentation/SubmittingPatches
for how to do this correctly.
- This looks like a new version of a previously submitted patch, but you
did not list below the --- line any changes from the previous version.
Please read the section entitled "The canonical patch format" in the
kernel file, Documentation/SubmittingPatches for what needs to be done
here to properly describe this.
If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.
thanks,
greg k-h's patch email bot
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: [PATCH v4] tty: fix hang on tty device with no_room set
2022-06-15 5:00 ` Greg KH
@ 2022-06-15 7:57 ` Ilpo Järvinen
2022-06-15 9:29 ` Greg KH
0 siblings, 1 reply; 33+ messages in thread
From: Ilpo Järvinen @ 2022-06-15 7:57 UTC (permalink / raw)
To: Greg KH; +Cc: cael, Jiri Slaby, benbjiang, robinlai, linux-serial
Hi Greg,
On Wed, 15 Jun 2022, Greg KH wrote:
> On Wed, Jun 15, 2022 at 11:45:10AM +0800, cael wrote:
> > We have met a hang on pty device, the reader was blocking
> > at epoll on master side, the writer was sleeping at wait_woken
> > inside n_tty_write on slave side, and the write buffer on
> > tty_port was full, we found that the reader and writer would
> > never be woken again and blocked forever.
> >
> > The problem was caused by a race between reader and kworker:
> > n_tty_read(reader): n_tty_receive_buf_common(kworker):
> > |room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
> > |room <= 0
> > copy_from_read_buf()|
> > n_tty_kick_worker() |
> > |ldata->no_room = true
> >
> > After writing to slave device, writer wakes up kworker to flush
> > data on tty_port to reader, and the kworker finds that reader
> > has no room to store data so room <= 0 is met. At this moment,
> > reader consumes all the data on reader buffer and calls
> > n_tty_kick_worker to check ldata->no_room which is false and
> > reader quits reading. Then kworker sets ldata->no_room=true
> > and quits too.
> >
> > If write buffer is not full, writer will wake kworker to flush data
> > again after following writes, but if write buffer is full and writer
> > goes to sleep, kworker will never be woken again and tty device is
> > blocked.
> >
> > This problem can be solved with a check for read buffer size inside
> > n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
> > is true, a call to n_tty_kick_worker is necessary to keep flushing
> > data to reader.
> >
> > Signed-off-by: cael <juanfengpy@gmail.com>
> > ---
> > Patch changelogs between v1 and v2:
> > -add barrier inside n_tty_read and n_tty_receive_buf_common;
> > -comment why barrier is needed;
> > -access to ldata->no_room is changed with READ_ONCE and WRITE_ONCE;
> > Patch changelogs between v2 and v3:
> > -in function n_tty_receive_buf_common, add unlikely to check
> > ldata->no_room, eg: if (unlikely(ldata->no_room)), and READ_ONCE
> > is removed here to get locality;
> > -change comment for barrier to show the race condition to make
> > comment easier to understand;
> > Patch changelogs between v3 and v4:
> > -change subject from 'tty: fix a possible hang on tty device' to
> > 'tty: fix hang on tty device with no_room set' to make subject
> > more obvious.
> This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him
> a patch that has triggered this response. He used to manually respond
> to these common problems, but in order to save his sanity (he kept
> writing the same thing over and over, yet to different people), I was
> created. Hopefully you will not take offence and will fix the problem
> in your patch and resubmit it so that it can be accepted into the Linux
> kernel tree.
>
> You are receiving this message because of the following common error(s)
> as indicated below:
[...snip...]
> - This looks like a new version of a previously submitted patch, but you
> did not list below the --- line any changes from the previous version.
> Please read the section entitled "The canonical patch format" in the
> kernel file, Documentation/SubmittingPatches for what needs to be done
> here to properly describe this.
I think your bot's changelog heuristic got it wrong here. He provided
the list of changes as you can see above.
(The name thing might still be valid though, I've no idea which names are
real and which are not).
--
i.
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: [PATCH v4] tty: fix hang on tty device with no_room set
2022-06-15 7:57 ` Ilpo Järvinen
@ 2022-06-15 9:29 ` Greg KH
2022-06-15 11:17 ` [PATCH v5] " cael
0 siblings, 1 reply; 33+ messages in thread
From: Greg KH @ 2022-06-15 9:29 UTC (permalink / raw)
To: Ilpo Järvinen; +Cc: cael, Jiri Slaby, benbjiang, robinlai, linux-serial
On Wed, Jun 15, 2022 at 10:57:48AM +0300, Ilpo Järvinen wrote:
> Hi Greg,
>
> On Wed, 15 Jun 2022, Greg KH wrote:
>
> > On Wed, Jun 15, 2022 at 11:45:10AM +0800, cael wrote:
> > > We have met a hang on pty device, the reader was blocking
> > > at epoll on master side, the writer was sleeping at wait_woken
> > > inside n_tty_write on slave side, and the write buffer on
> > > tty_port was full, we found that the reader and writer would
> > > never be woken again and blocked forever.
> > >
> > > The problem was caused by a race between reader and kworker:
> > > n_tty_read(reader): n_tty_receive_buf_common(kworker):
> > > |room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
> > > |room <= 0
> > > copy_from_read_buf()|
> > > n_tty_kick_worker() |
> > > |ldata->no_room = true
> > >
> > > After writing to slave device, writer wakes up kworker to flush
> > > data on tty_port to reader, and the kworker finds that reader
> > > has no room to store data so room <= 0 is met. At this moment,
> > > reader consumes all the data on reader buffer and calls
> > > n_tty_kick_worker to check ldata->no_room which is false and
> > > reader quits reading. Then kworker sets ldata->no_room=true
> > > and quits too.
> > >
> > > If write buffer is not full, writer will wake kworker to flush data
> > > again after following writes, but if write buffer is full and writer
> > > goes to sleep, kworker will never be woken again and tty device is
> > > blocked.
> > >
> > > This problem can be solved with a check for read buffer size inside
> > > n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
> > > is true, a call to n_tty_kick_worker is necessary to keep flushing
> > > data to reader.
> > >
> > > Signed-off-by: cael <juanfengpy@gmail.com>
> > > ---
> > > Patch changelogs between v1 and v2:
> > > -add barrier inside n_tty_read and n_tty_receive_buf_common;
> > > -comment why barrier is needed;
> > > -access to ldata->no_room is changed with READ_ONCE and WRITE_ONCE;
> > > Patch changelogs between v2 and v3:
> > > -in function n_tty_receive_buf_common, add unlikely to check
> > > ldata->no_room, eg: if (unlikely(ldata->no_room)), and READ_ONCE
> > > is removed here to get locality;
> > > -change comment for barrier to show the race condition to make
> > > comment easier to understand;
> > > Patch changelogs between v3 and v4:
> > > -change subject from 'tty: fix a possible hang on tty device' to
> > > 'tty: fix hang on tty device with no_room set' to make subject
> > > more obvious.
>
>
> > This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him
> > a patch that has triggered this response. He used to manually respond
> > to these common problems, but in order to save his sanity (he kept
> > writing the same thing over and over, yet to different people), I was
> > created. Hopefully you will not take offence and will fix the problem
> > in your patch and resubmit it so that it can be accepted into the Linux
> > kernel tree.
> >
> > You are receiving this message because of the following common error(s)
> > as indicated below:
>
> [...snip...]
>
> > - This looks like a new version of a previously submitted patch, but you
> > did not list below the --- line any changes from the previous version.
> > Please read the section entitled "The canonical patch format" in the
> > kernel file, Documentation/SubmittingPatches for what needs to be done
> > here to properly describe this.
>
> I think your bot's changelog heuristic got it wrong here. He provided
> the list of changes as you can see above.
Ah, yeah, it didn't catch the changelog text at all, will go fix that
up...
> (The name thing might still be valid though, I've no idea which names are
> real and which are not).
Yes, for the name reason alone we can't take this change :(
thanks,
greg k-h
^ permalink raw reply [flat|nested] 33+ messages in thread
* [PATCH v5] tty: fix hang on tty device with no_room set
2022-06-15 9:29 ` Greg KH
@ 2022-06-15 11:17 ` cael
2022-06-15 11:29 ` Ilpo Järvinen
2022-06-27 12:05 ` Greg KH
0 siblings, 2 replies; 33+ messages in thread
From: cael @ 2022-06-15 11:17 UTC (permalink / raw)
To: gregkh
Cc: jirislaby, ilpo.jarvinen, benbjiang, robinlai, linux-serial, juanfengpy
From: caelli <juanfengpy@gmail.com>
We have met a hang on pty device, the reader was blocking
at epoll on master side, the writer was sleeping at wait_woken
inside n_tty_write on slave side, and the write buffer on
tty_port was full, we found that the reader and writer would
never be woken again and blocked forever.
The problem was caused by a race between reader and kworker:
n_tty_read(reader): n_tty_receive_buf_common(kworker):
|room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
|room <= 0
copy_from_read_buf()|
n_tty_kick_worker() |
|ldata->no_room = true
After writing to slave device, writer wakes up kworker to flush
data on tty_port to reader, and the kworker finds that reader
has no room to store data so room <= 0 is met. At this moment,
reader consumes all the data on reader buffer and calls
n_tty_kick_worker to check ldata->no_room which is false and
reader quits reading. Then kworker sets ldata->no_room=true
and quits too.
If write buffer is not full, writer will wake kworker to flush data
again after following writes, but if write buffer is full and writer
goes to sleep, kworker will never be woken again and tty device is
blocked.
This problem can be solved with a check for read buffer size inside
n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
is true, a call to n_tty_kick_worker is necessary to keep flushing
data to reader.
Signed-off-by: caelli <juanfengpy@gmail.com>
---
Patch changelogs between v1 and v2:
-add barrier inside n_tty_read and n_tty_receive_buf_common;
-comment why barrier is needed;
-access to ldata->no_room is changed with READ_ONCE and WRITE_ONCE;
Patch changelogs between v2 and v3:
-in function n_tty_receive_buf_common, add unlikely to check
ldata->no_room, eg: if (unlikely(ldata->no_room)), and READ_ONCE
is removed here to get locality;
-change comment for barrier to show the race condition to make
comment easier to understand;
Patch changelogs between v3 and v4:
-change subject from 'tty: fix a possible hang on tty device' to
'tty: fix hang on tty device with no_room set' to make subject
more obvious;
Patch changelogs between v4 and v5:
-name is changed from cael to caelli, li is added as the family
name and caelli is the fullname.
drivers/tty/n_tty.c | 41 +++++++++++++++++++++++++++++++++++++----
1 file changed, 37 insertions(+), 4 deletions(-)
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index efc72104c840..544f782b9a11 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -201,8 +201,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
struct n_tty_data *ldata = tty->disc_data;
/* Did the input worker stop? Restart it */
- if (unlikely(ldata->no_room)) {
- ldata->no_room = 0;
+ if (unlikely(READ_ONCE(ldata->no_room))) {
+ WRITE_ONCE(ldata->no_room, 0);
WARN_RATELIMIT(tty->port->itty == NULL,
"scheduling with invalid itty\n");
@@ -1632,7 +1632,7 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
if (overflow && room < 0)
ldata->read_head--;
room = overflow;
- ldata->no_room = flow && !room;
+ WRITE_ONCE(ldata->no_room, flow && !room);
} else
overflow = 0;
@@ -1663,6 +1663,24 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
} else
n_tty_check_throttle(tty);
+ if (unlikely(ldata->no_room)) {
+ /*
+ * Barrier here is to ensure to read the latest read_tail in
+ * chars_in_buffer() and to make sure that read_tail is not loaded
+ * before ldata->no_room is set, otherwise, following race may occur:
+ * n_tty_receive_buf_common() |n_tty_read()
+ * chars_in_buffer() > 0 |
+ * |copy_from_read_buf()->chars_in_buffer()==0
+ * |if (ldata->no_room)
+ * ldata->no_room = 1 |
+ * Then both kworker and reader will fail to kick n_tty_kick_worker(),
+ * smp_mb is paired with smp_mb() in n_tty_read().
+ */
+ smp_mb();
+ if (!chars_in_buffer(tty))
+ n_tty_kick_worker(tty);
+ }
+
up_read(&tty->termios_rwsem);
return rcvd;
@@ -2180,8 +2198,23 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
if (time)
timeout = time;
}
- if (tail != ldata->read_tail)
+ if (tail != ldata->read_tail) {
+ /*
+ * Make sure no_room is not read before setting read_tail,
+ * otherwise, following race may occur:
+ * n_tty_read() |n_tty_receive_buf_common()
+ * if(ldata->no_room)->false |
+ * |ldata->no_room = 1
+ * |char_in_buffer() > 0
+ * ldata->read_tail = ldata->commit_head|
+ * Then copy_from_read_buf() in reader consumes all the data
+ * in read buffer, both reader and kworker will fail to kick
+ * tty_buffer_restart_work().
+ * smp_mb is paired with smp_mb() in n_tty_receive_buf_common().
+ */
+ smp_mb();
n_tty_kick_worker(tty);
+ }
up_read(&tty->termios_rwsem);
remove_wait_queue(&tty->read_wait, &wait);
--
2.27.0
^ permalink raw reply related [flat|nested] 33+ messages in thread
* Re: [PATCH v5] tty: fix hang on tty device with no_room set
2022-06-15 11:17 ` [PATCH v5] " cael
@ 2022-06-15 11:29 ` Ilpo Järvinen
2022-06-15 13:33 ` caelli
2022-06-27 12:05 ` Greg KH
1 sibling, 1 reply; 33+ messages in thread
From: Ilpo Järvinen @ 2022-06-15 11:29 UTC (permalink / raw)
To: cael; +Cc: Greg Kroah-Hartman, Jiri Slaby, benbjiang, robinlai, linux-serial
[-- Attachment #1: Type: text/plain, Size: 5774 bytes --]
On Wed, 15 Jun 2022, cael wrote:
> From: caelli <juanfengpy@gmail.com>
>
> We have met a hang on pty device, the reader was blocking
> at epoll on master side, the writer was sleeping at wait_woken
> inside n_tty_write on slave side, and the write buffer on
> tty_port was full, we found that the reader and writer would
> never be woken again and blocked forever.
>
> The problem was caused by a race between reader and kworker:
> n_tty_read(reader): n_tty_receive_buf_common(kworker):
> |room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
> |room <= 0
> copy_from_read_buf()|
> n_tty_kick_worker() |
> |ldata->no_room = true
>
> After writing to slave device, writer wakes up kworker to flush
> data on tty_port to reader, and the kworker finds that reader
> has no room to store data so room <= 0 is met. At this moment,
> reader consumes all the data on reader buffer and calls
> n_tty_kick_worker to check ldata->no_room which is false and
> reader quits reading. Then kworker sets ldata->no_room=true
> and quits too.
>
> If write buffer is not full, writer will wake kworker to flush data
> again after following writes, but if write buffer is full and writer
> goes to sleep, kworker will never be woken again and tty device is
> blocked.
>
> This problem can be solved with a check for read buffer size inside
> n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
> is true, a call to n_tty_kick_worker is necessary to keep flushing
> data to reader.
>
> Signed-off-by: caelli <juanfengpy@gmail.com>
> ---
> Patch changelogs between v1 and v2:
> -add barrier inside n_tty_read and n_tty_receive_buf_common;
> -comment why barrier is needed;
> -access to ldata->no_room is changed with READ_ONCE and WRITE_ONCE;
> Patch changelogs between v2 and v3:
> -in function n_tty_receive_buf_common, add unlikely to check
> ldata->no_room, eg: if (unlikely(ldata->no_room)), and READ_ONCE
> is removed here to get locality;
> -change comment for barrier to show the race condition to make
> comment easier to understand;
> Patch changelogs between v3 and v4:
> -change subject from 'tty: fix a possible hang on tty device' to
> 'tty: fix hang on tty device with no_room set' to make subject
> more obvious;
> Patch changelogs between v4 and v5:
> -name is changed from cael to caelli, li is added as the family
> name and caelli is the fullname.
>
> drivers/tty/n_tty.c | 41 +++++++++++++++++++++++++++++++++++++----
> 1 file changed, 37 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
> index efc72104c840..544f782b9a11 100644
> --- a/drivers/tty/n_tty.c
> +++ b/drivers/tty/n_tty.c
> @@ -201,8 +201,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
> struct n_tty_data *ldata = tty->disc_data;
>
> /* Did the input worker stop? Restart it */
> - if (unlikely(ldata->no_room)) {
> - ldata->no_room = 0;
> + if (unlikely(READ_ONCE(ldata->no_room))) {
> + WRITE_ONCE(ldata->no_room, 0);
>
> WARN_RATELIMIT(tty->port->itty == NULL,
> "scheduling with invalid itty\n");
> @@ -1632,7 +1632,7 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
> if (overflow && room < 0)
> ldata->read_head--;
> room = overflow;
> - ldata->no_room = flow && !room;
> + WRITE_ONCE(ldata->no_room, flow && !room);
> } else
> overflow = 0;
>
> @@ -1663,6 +1663,24 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
> } else
> n_tty_check_throttle(tty);
>
> + if (unlikely(ldata->no_room)) {
> + /*
> + * Barrier here is to ensure to read the latest read_tail in
> + * chars_in_buffer() and to make sure that read_tail is not loaded
> + * before ldata->no_room is set, otherwise, following race may occur:
> + * n_tty_receive_buf_common() |n_tty_read()
> + * chars_in_buffer() > 0 |
> + * |copy_from_read_buf()->chars_in_buffer()==0
> + * |if (ldata->no_room)
> + * ldata->no_room = 1 |
> + * Then both kworker and reader will fail to kick n_tty_kick_worker(),
> + * smp_mb is paired with smp_mb() in n_tty_read().
> + */
> + smp_mb();
> + if (!chars_in_buffer(tty))
> + n_tty_kick_worker(tty);
> + }
> +
> up_read(&tty->termios_rwsem);
>
> return rcvd;
> @@ -2180,8 +2198,23 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
> if (time)
> timeout = time;
> }
> - if (tail != ldata->read_tail)
> + if (tail != ldata->read_tail) {
> + /*
> + * Make sure no_room is not read before setting read_tail,
> + * otherwise, following race may occur:
> + * n_tty_read() |n_tty_receive_buf_common()
> + * if(ldata->no_room)->false |
> + * |ldata->no_room = 1
> + * |char_in_buffer() > 0
> + * ldata->read_tail = ldata->commit_head|
> + * Then copy_from_read_buf() in reader consumes all the data
> + * in read buffer, both reader and kworker will fail to kick
> + * tty_buffer_restart_work().
> + * smp_mb is paired with smp_mb() in n_tty_receive_buf_common().
> + */
> + smp_mb();
> n_tty_kick_worker(tty);
> + }
> up_read(&tty->termios_rwsem);
>
> remove_wait_queue(&tty->read_wait, &wait);
I think the code looks fine. What I'm not entirely sure if there is
supposed to be some other backup mechanism to handle this case.
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Note to Cael: you don't need to resend the patch just to add my reviewed
by, it would be picked by the tools automatically. But if you need to
resend due to other reasons, please add it in that case.
--
i.
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: [PATCH v5] tty: fix hang on tty device with no_room set
2022-06-15 11:29 ` Ilpo Järvinen
@ 2022-06-15 13:33 ` caelli
0 siblings, 0 replies; 33+ messages in thread
From: caelli @ 2022-06-15 13:33 UTC (permalink / raw)
To: Ilpo Järvinen
Cc: Greg Kroah-Hartman, Jiri Slaby, benbjiang, robinlai, linux-serial
It seems done, thanks for your opinion and help. The original patch
(without barrier) was tested in our environment and seemed to work.
The main idea is around when to call n_tty_kick_worker, calling it
periodically still works, the current solution seems to be more
reasonable and obvious.
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> 于2022年6月15日周三 19:29写道:
>
> On Wed, 15 Jun 2022, cael wrote:
>
> > From: caelli <juanfengpy@gmail.com>
> >
> > We have met a hang on pty device, the reader was blocking
> > at epoll on master side, the writer was sleeping at wait_woken
> > inside n_tty_write on slave side, and the write buffer on
> > tty_port was full, we found that the reader and writer would
> > never be woken again and blocked forever.
> >
> > The problem was caused by a race between reader and kworker:
> > n_tty_read(reader): n_tty_receive_buf_common(kworker):
> > |room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
> > |room <= 0
> > copy_from_read_buf()|
> > n_tty_kick_worker() |
> > |ldata->no_room = true
> >
> > After writing to slave device, writer wakes up kworker to flush
> > data on tty_port to reader, and the kworker finds that reader
> > has no room to store data so room <= 0 is met. At this moment,
> > reader consumes all the data on reader buffer and calls
> > n_tty_kick_worker to check ldata->no_room which is false and
> > reader quits reading. Then kworker sets ldata->no_room=true
> > and quits too.
> >
> > If write buffer is not full, writer will wake kworker to flush data
> > again after following writes, but if write buffer is full and writer
> > goes to sleep, kworker will never be woken again and tty device is
> > blocked.
> >
> > This problem can be solved with a check for read buffer size inside
> > n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
> > is true, a call to n_tty_kick_worker is necessary to keep flushing
> > data to reader.
> >
> > Signed-off-by: caelli <juanfengpy@gmail.com>
> > ---
> > Patch changelogs between v1 and v2:
> > -add barrier inside n_tty_read and n_tty_receive_buf_common;
> > -comment why barrier is needed;
> > -access to ldata->no_room is changed with READ_ONCE and WRITE_ONCE;
> > Patch changelogs between v2 and v3:
> > -in function n_tty_receive_buf_common, add unlikely to check
> > ldata->no_room, eg: if (unlikely(ldata->no_room)), and READ_ONCE
> > is removed here to get locality;
> > -change comment for barrier to show the race condition to make
> > comment easier to understand;
> > Patch changelogs between v3 and v4:
> > -change subject from 'tty: fix a possible hang on tty device' to
> > 'tty: fix hang on tty device with no_room set' to make subject
> > more obvious;
> > Patch changelogs between v4 and v5:
> > -name is changed from cael to caelli, li is added as the family
> > name and caelli is the fullname.
> >
> > drivers/tty/n_tty.c | 41 +++++++++++++++++++++++++++++++++++++----
> > 1 file changed, 37 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
> > index efc72104c840..544f782b9a11 100644
> > --- a/drivers/tty/n_tty.c
> > +++ b/drivers/tty/n_tty.c
> > @@ -201,8 +201,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
> > struct n_tty_data *ldata = tty->disc_data;
> >
> > /* Did the input worker stop? Restart it */
> > - if (unlikely(ldata->no_room)) {
> > - ldata->no_room = 0;
> > + if (unlikely(READ_ONCE(ldata->no_room))) {
> > + WRITE_ONCE(ldata->no_room, 0);
> >
> > WARN_RATELIMIT(tty->port->itty == NULL,
> > "scheduling with invalid itty\n");
> > @@ -1632,7 +1632,7 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
> > if (overflow && room < 0)
> > ldata->read_head--;
> > room = overflow;
> > - ldata->no_room = flow && !room;
> > + WRITE_ONCE(ldata->no_room, flow && !room);
> > } else
> > overflow = 0;
> >
> > @@ -1663,6 +1663,24 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
> > } else
> > n_tty_check_throttle(tty);
> >
> > + if (unlikely(ldata->no_room)) {
> > + /*
> > + * Barrier here is to ensure to read the latest read_tail in
> > + * chars_in_buffer() and to make sure that read_tail is not loaded
> > + * before ldata->no_room is set, otherwise, following race may occur:
> > + * n_tty_receive_buf_common() |n_tty_read()
> > + * chars_in_buffer() > 0 |
> > + * |copy_from_read_buf()->chars_in_buffer()==0
> > + * |if (ldata->no_room)
> > + * ldata->no_room = 1 |
> > + * Then both kworker and reader will fail to kick n_tty_kick_worker(),
> > + * smp_mb is paired with smp_mb() in n_tty_read().
> > + */
> > + smp_mb();
> > + if (!chars_in_buffer(tty))
> > + n_tty_kick_worker(tty);
> > + }
> > +
> > up_read(&tty->termios_rwsem);
> >
> > return rcvd;
> > @@ -2180,8 +2198,23 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
> > if (time)
> > timeout = time;
> > }
> > - if (tail != ldata->read_tail)
> > + if (tail != ldata->read_tail) {
> > + /*
> > + * Make sure no_room is not read before setting read_tail,
> > + * otherwise, following race may occur:
> > + * n_tty_read() |n_tty_receive_buf_common()
> > + * if(ldata->no_room)->false |
> > + * |ldata->no_room = 1
> > + * |char_in_buffer() > 0
> > + * ldata->read_tail = ldata->commit_head|
> > + * Then copy_from_read_buf() in reader consumes all the data
> > + * in read buffer, both reader and kworker will fail to kick
> > + * tty_buffer_restart_work().
> > + * smp_mb is paired with smp_mb() in n_tty_receive_buf_common().
> > + */
> > + smp_mb();
> > n_tty_kick_worker(tty);
> > + }
> > up_read(&tty->termios_rwsem);
> >
> > remove_wait_queue(&tty->read_wait, &wait);
>
> I think the code looks fine. What I'm not entirely sure if there is
> supposed to be some other backup mechanism to handle this case.
>
> Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
>
> Note to Cael: you don't need to resend the patch just to add my reviewed
> by, it would be picked by the tools automatically. But if you need to
> resend due to other reasons, please add it in that case.
>
>
> --
> i.
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: [PATCH v5] tty: fix hang on tty device with no_room set
2022-06-15 11:17 ` [PATCH v5] " cael
2022-06-15 11:29 ` Ilpo Järvinen
@ 2022-06-27 12:05 ` Greg KH
2022-06-27 13:53 ` [PATCH v6] " juanfengpy
2023-03-17 2:41 ` [PATCH v7] " juanfengpy
1 sibling, 2 replies; 33+ messages in thread
From: Greg KH @ 2022-06-27 12:05 UTC (permalink / raw)
To: cael; +Cc: jirislaby, ilpo.jarvinen, benbjiang, robinlai, linux-serial
On Wed, Jun 15, 2022 at 07:17:01PM +0800, cael wrote:
> From: caelli <juanfengpy@gmail.com>
Can you please use the name you use to sign legal documents as the
number of different names being used and written here is totally
confusing. Please use your native language if that's an issue, that
would be best.
Also, why not use your corporate email address as the From: and
signed-off-by line also? That is preferred, and in this case, I'm going
to ask for it given the confusion that has happened so far in this
thread in the past.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 33+ messages in thread
* [PATCH v6] tty: fix hang on tty device with no_room set
2022-06-27 12:05 ` Greg KH
@ 2022-06-27 13:53 ` juanfengpy
2023-03-17 2:41 ` [PATCH v7] " juanfengpy
1 sibling, 0 replies; 33+ messages in thread
From: juanfengpy @ 2022-06-27 13:53 UTC (permalink / raw)
To: gregkh
Cc: jirislaby, ilpo.jarvinen, benbjiang, robinlai, linux-serial,
juanfengpy, caelli
From: caelli <caelli@tencent.com>
We have met a hang on pty device, the reader was blocking
at epoll on master side, the writer was sleeping at wait_woken
inside n_tty_write on slave side, and the write buffer on
tty_port was full, we found that the reader and writer would
never be woken again and blocked forever.
The problem was caused by a race between reader and kworker:
n_tty_read(reader): n_tty_receive_buf_common(kworker):
|room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
|room <= 0
copy_from_read_buf()|
n_tty_kick_worker() |
|ldata->no_room = true
After writing to slave device, writer wakes up kworker to flush
data on tty_port to reader, and the kworker finds that reader
has no room to store data so room <= 0 is met. At this moment,
reader consumes all the data on reader buffer and calls
n_tty_kick_worker to check ldata->no_room which is false and
reader quits reading. Then kworker sets ldata->no_room=true
and quits too.
If write buffer is not full, writer will wake kworker to flush data
again after following writes, but if write buffer is full and writer
goes to sleep, kworker will never be woken again and tty device is
blocked.
This problem can be solved with a check for read buffer size inside
n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
is true, a call to n_tty_kick_worker is necessary to keep flushing
data to reader.
Signed-off-by: caelli <caelli@tencent.com>
---
Patch changelogs between v1 and v2:
-add barrier inside n_tty_read and n_tty_receive_buf_common;
-comment why barrier is needed;
-access to ldata->no_room is changed with READ_ONCE and WRITE_ONCE;
Patch changelogs between v2 and v3:
-in function n_tty_receive_buf_common, add unlikely to check
ldata->no_room, eg: if (unlikely(ldata->no_room)), and READ_ONCE
is removed here to get locality;
-change comment for barrier to show the race condition to make
comment easier to understand;
Patch changelogs between v3 and v4:
-change subject from 'tty: fix a possible hang on tty device' to
'tty: fix hang on tty device with no_room set' to make subject
more obvious;
Patch changelogs between v4 and v5:
-name is changed from cael to caelli, li is added as the family
name and caelli is the fullname.
Patch changelogs between v5 and v6:
-change from and Signed-off-by, from 'caelli <juanfengpy@gmail.com>'
to 'caelli <caelli@tencent.com>', later one is my corporate address.
drivers/tty/n_tty.c | 41 +++++++++++++++++++++++++++++++++++++----
1 file changed, 37 insertions(+), 4 deletions(-)
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index efc72104c840..544f782b9a11 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -201,8 +201,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
struct n_tty_data *ldata = tty->disc_data;
/* Did the input worker stop? Restart it */
- if (unlikely(ldata->no_room)) {
- ldata->no_room = 0;
+ if (unlikely(READ_ONCE(ldata->no_room))) {
+ WRITE_ONCE(ldata->no_room, 0);
WARN_RATELIMIT(tty->port->itty == NULL,
"scheduling with invalid itty\n");
@@ -1632,7 +1632,7 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
if (overflow && room < 0)
ldata->read_head--;
room = overflow;
- ldata->no_room = flow && !room;
+ WRITE_ONCE(ldata->no_room, flow && !room);
} else
overflow = 0;
@@ -1663,6 +1663,24 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
} else
n_tty_check_throttle(tty);
+ if (unlikely(ldata->no_room)) {
+ /*
+ * Barrier here is to ensure to read the latest read_tail in
+ * chars_in_buffer() and to make sure that read_tail is not loaded
+ * before ldata->no_room is set, otherwise, following race may occur:
+ * n_tty_receive_buf_common() |n_tty_read()
+ * chars_in_buffer() > 0 |
+ * |copy_from_read_buf()->chars_in_buffer()==0
+ * |if (ldata->no_room)
+ * ldata->no_room = 1 |
+ * Then both kworker and reader will fail to kick n_tty_kick_worker(),
+ * smp_mb is paired with smp_mb() in n_tty_read().
+ */
+ smp_mb();
+ if (!chars_in_buffer(tty))
+ n_tty_kick_worker(tty);
+ }
+
up_read(&tty->termios_rwsem);
return rcvd;
@@ -2180,8 +2198,23 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
if (time)
timeout = time;
}
- if (tail != ldata->read_tail)
+ if (tail != ldata->read_tail) {
+ /*
+ * Make sure no_room is not read before setting read_tail,
+ * otherwise, following race may occur:
+ * n_tty_read() |n_tty_receive_buf_common()
+ * if(ldata->no_room)->false |
+ * |ldata->no_room = 1
+ * |char_in_buffer() > 0
+ * ldata->read_tail = ldata->commit_head|
+ * Then copy_from_read_buf() in reader consumes all the data
+ * in read buffer, both reader and kworker will fail to kick
+ * tty_buffer_restart_work().
+ * smp_mb is paired with smp_mb() in n_tty_receive_buf_common().
+ */
+ smp_mb();
n_tty_kick_worker(tty);
+ }
up_read(&tty->termios_rwsem);
remove_wait_queue(&tty->read_wait, &wait);
--
2.27.0
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [PATCH v7] tty: fix hang on tty device with no_room set
2022-06-27 12:05 ` Greg KH
2022-06-27 13:53 ` [PATCH v6] " juanfengpy
@ 2023-03-17 2:41 ` juanfengpy
2023-03-17 6:32 ` Jiri Slaby
1 sibling, 1 reply; 33+ messages in thread
From: juanfengpy @ 2023-03-17 2:41 UTC (permalink / raw)
To: gregkh
Cc: jirislaby, ilpo.jarvinen, benbjiang, robinlai, linux-serial,
juanfengpy, Hui Li, stable
From: Hui Li <caelli@tencent.com>
We have met a hang on pty device, the reader was blocking
at epoll on master side, the writer was sleeping at wait_woken
inside n_tty_write on slave side, and the write buffer on
tty_port was full, we found that the reader and writer would
never be woken again and blocked forever.
The problem was caused by a race between reader and kworker:
n_tty_read(reader): n_tty_receive_buf_common(kworker):
copy_from_read_buf()|
|room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
|room <= 0
n_tty_kick_worker() |
|ldata->no_room = true
After writing to slave device, writer wakes up kworker to flush
data on tty_port to reader, and the kworker finds that reader
has no room to store data so room <= 0 is met. At this moment,
reader consumes all the data on reader buffer and calls
n_tty_kick_worker to check ldata->no_room which is false and
reader quits reading. Then kworker sets ldata->no_room=true
and quits too.
If write buffer is not full, writer will wake kworker to flush data
again after following writes, but if write buffer is full and writer
goes to sleep, kworker will never be woken again and tty device is
blocked.
This problem can be solved with a check for read buffer size inside
n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
is true, a call to n_tty_kick_worker is necessary to keep flushing
data to reader.
Cc: <stable@vger.kernel.org>
Fixes: 42458f41d08f ("n_tty: Ensure reader restarts worker for next reader")
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Hui Li <caelli@tencent.com>
---
Patch changelogs between v1 and v2:
-add barrier inside n_tty_read and n_tty_receive_buf_common;
-comment why barrier is needed;
-access to ldata->no_room is changed with READ_ONCE and WRITE_ONCE;
Patch changelogs between v2 and v3:
-in function n_tty_receive_buf_common, add unlikely to check
ldata->no_room, eg: if (unlikely(ldata->no_room)), and READ_ONCE
is removed here to get locality;
-change comment for barrier to show the race condition to make
comment easier to understand;
Patch changelogs between v3 and v4:
-change subject from 'tty: fix a possible hang on tty device' to
'tty: fix hang on tty device with no_room set' to make subject
more obvious;
Patch changelogs between v4 and v5:
-name is changed from cael to caelli, li is added as the family
name and caelli is the fullname.
Patch changelogs between v5 and v6:
-change from and Signed-off-by, from 'caelli <juanfengpy@gmail.com>'
to 'caelli <caelli@tencent.com>', later one is my corporate address.
Patch changelogs between v6 and v7:
-change name from caelli to 'Hui Li', which is my name in chinese.
-the comment for barrier is improved, and a Fixes and Reviewed-by
tags is added.
drivers/tty/n_tty.c | 41 +++++++++++++++++++++++++++++++++++++----
1 file changed, 37 insertions(+), 4 deletions(-)
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index c8f56c9b1a1c..8c17304fffcf 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -204,8 +204,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
struct n_tty_data *ldata = tty->disc_data;
/* Did the input worker stop? Restart it */
- if (unlikely(ldata->no_room)) {
- ldata->no_room = 0;
+ if (unlikely(READ_ONCE(ldata->no_room))) {
+ WRITE_ONCE(ldata->no_room, 0);
WARN_RATELIMIT(tty->port->itty == NULL,
"scheduling with invalid itty\n");
@@ -1698,7 +1698,7 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
if (overflow && room < 0)
ldata->read_head--;
room = overflow;
- ldata->no_room = flow && !room;
+ WRITE_ONCE(ldata->no_room, flow && !room);
} else
overflow = 0;
@@ -1729,6 +1729,27 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
} else
n_tty_check_throttle(tty);
+ if (unlikely(ldata->no_room)) {
+ /*
+ * Barrier here is to ensure to read the latest read_tail in
+ * chars_in_buffer() and to make sure that read_tail is not loaded
+ * before ldata->no_room is set, otherwise, following race may occur:
+ * n_tty_receive_buf_common()
+ * n_tty_read()
+ * if (!chars_in_buffer(tty))->false
+ * copy_from_read_buf()
+ * read_tail=commit_head
+ * n_tty_kick_worker()
+ * if (ldata->no_room)->false
+ * ldata->no_room = 1
+ * Then both kworker and reader will fail to kick n_tty_kick_worker(),
+ * smp_mb is paired with smp_mb() in n_tty_read().
+ */
+ smp_mb();
+ if (!chars_in_buffer(tty))
+ n_tty_kick_worker(tty);
+ }
+
up_read(&tty->termios_rwsem);
return rcvd;
@@ -2282,8 +2303,25 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
if (time)
timeout = time;
}
- if (old_tail != ldata->read_tail)
+ if (old_tail != ldata->read_tail) {
+ /*
+ * Make sure no_room is not read in n_tty_kick_worker()
+ * before setting ldata->read_tail in copy_from_read_buf(),
+ * otherwise, following race may occur:
+ * n_tty_read()
+ * n_tty_receive_buf_common()
+ * n_tty_kick_worker()
+ * if(ldata->no_room)->false
+ * ldata->no_room = 1
+ * if (!chars_in_buffer(tty))->false
+ * copy_from_read_buf()
+ * read_tail=commit_head
+ * Both reader and kworker will fail to kick tty_buffer_restart_work(),
+ * smp_mb is paired with smp_mb() in n_tty_receive_buf_common().
+ */
+ smp_mb();
n_tty_kick_worker(tty);
+ }
up_read(&tty->termios_rwsem);
remove_wait_queue(&tty->read_wait, &wait);
--
2.27.0
^ permalink raw reply related [flat|nested] 33+ messages in thread
* Re: [PATCH v7] tty: fix hang on tty device with no_room set
2023-03-17 2:41 ` [PATCH v7] " juanfengpy
@ 2023-03-17 6:32 ` Jiri Slaby
2023-03-17 7:25 ` [PATCH v8] " juanfengpy
0 siblings, 1 reply; 33+ messages in thread
From: Jiri Slaby @ 2023-03-17 6:32 UTC (permalink / raw)
To: juanfengpy, gregkh
Cc: ilpo.jarvinen, benbjiang, robinlai, linux-serial, Hui Li, stable
On 17. 03. 23, 3:41, juanfengpy@gmail.com wrote:
> From: Hui Li <caelli@tencent.com>
>
> We have met a hang on pty device, the reader was blocking
> at epoll on master side, the writer was sleeping at wait_woken
> inside n_tty_write on slave side, and the write buffer on
> tty_port was full, we found that the reader and writer would
> never be woken again and blocked forever.
>
> The problem was caused by a race between reader and kworker:
> n_tty_read(reader): n_tty_receive_buf_common(kworker):
> copy_from_read_buf()|
> |room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
> |room <= 0
> n_tty_kick_worker() |
> |ldata->no_room = true
>
> After writing to slave device, writer wakes up kworker to flush
> data on tty_port to reader, and the kworker finds that reader
> has no room to store data so room <= 0 is met. At this moment,
> reader consumes all the data on reader buffer and calls
> n_tty_kick_worker to check ldata->no_room which is false and
> reader quits reading. Then kworker sets ldata->no_room=true
> and quits too.
...
> --- a/drivers/tty/n_tty.c
> +++ b/drivers/tty/n_tty.c
...
> @@ -1729,6 +1729,27 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
> } else
> n_tty_check_throttle(tty);
>
> + if (unlikely(ldata->no_room)) {
> + /*
> + * Barrier here is to ensure to read the latest read_tail in
> + * chars_in_buffer() and to make sure that read_tail is not loaded
> + * before ldata->no_room is set,
I am not sure I would keep the following part of the comment in the code:
> otherwise, following race may occur:
> + * n_tty_receive_buf_common()
> + * n_tty_read()
> + * if (!chars_in_buffer(tty))->false
> + * copy_from_read_buf()
> + * read_tail=commit_head
> + * n_tty_kick_worker()
> + * if (ldata->no_room)->false
> + * ldata->no_room = 1
> + * Then both kworker and reader will fail to kick n_tty_kick_worker(),
> + * smp_mb is paired with smp_mb() in n_tty_read().
I would only let it ^^^ documented in the commit log as you did.
> + */
> + smp_mb();
> + if (!chars_in_buffer(tty))
> + n_tty_kick_worker(tty);
> + }
> +
> up_read(&tty->termios_rwsem);
>
> return rcvd;
> @@ -2282,8 +2303,25 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
> if (time)
> timeout = time;
> }
> - if (old_tail != ldata->read_tail)
> + if (old_tail != ldata->read_tail) {
> + /*
> + * Make sure no_room is not read in n_tty_kick_worker()
> + * before setting ldata->read_tail in copy_from_read_buf(),
The same here (it's only repeated). I think the above two lines are
enough for the comment. We have git blame after all.
> + * otherwise, following race may occur:
> + * n_tty_read()
> + * n_tty_receive_buf_common()
> + * n_tty_kick_worker()
> + * if(ldata->no_room)->false
> + * ldata->no_room = 1
> + * if (!chars_in_buffer(tty))->false
> + * copy_from_read_buf()
> + * read_tail=commit_head
> + * Both reader and kworker will fail to kick tty_buffer_restart_work(),
> + * smp_mb is paired with smp_mb() in n_tty_receive_buf_common().
> + */
> + smp_mb();
> n_tty_kick_worker(tty);
> + }
> up_read(&tty->termios_rwsem);
>
> remove_wait_queue(&tty->read_wait, &wait);
--
js
^ permalink raw reply [flat|nested] 33+ messages in thread
* [PATCH v8] tty: fix hang on tty device with no_room set
2023-03-17 6:32 ` Jiri Slaby
@ 2023-03-17 7:25 ` juanfengpy
2023-04-06 2:44 ` [PATCH v9] " juanfengpy
0 siblings, 1 reply; 33+ messages in thread
From: juanfengpy @ 2023-03-17 7:25 UTC (permalink / raw)
To: jirislaby, gregkh
Cc: ilpo.jarvinen, benbjiang, robinlai, linux-serial, juanfengpy,
Hui Li, stable
From: Hui Li <caelli@tencent.com>
We have met a hang on pty device, the reader was blocking
at epoll on master side, the writer was sleeping at wait_woken
inside n_tty_write on slave side, and the write buffer on
tty_port was full, we found that the reader and writer would
never be woken again and blocked forever.
The problem was caused by a race between reader and kworker:
n_tty_read(reader): n_tty_receive_buf_common(kworker):
copy_from_read_buf()|
|room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
|room <= 0
n_tty_kick_worker() |
|ldata->no_room = true
After writing to slave device, writer wakes up kworker to flush
data on tty_port to reader, and the kworker finds that reader
has no room to store data so room <= 0 is met. At this moment,
reader consumes all the data on reader buffer and calls
n_tty_kick_worker to check ldata->no_room which is false and
reader quits reading. Then kworker sets ldata->no_room=true
and quits too.
If write buffer is not full, writer will wake kworker to flush data
again after following writes, but if write buffer is full and writer
goes to sleep, kworker will never be woken again and tty device is
blocked.
This problem can be solved with a check for read buffer size inside
n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
is true, a call to n_tty_kick_worker is necessary to keep flushing
data to reader.
Cc: <stable@vger.kernel.org>
Fixes: 42458f41d08f ("n_tty: Ensure reader restarts worker for next reader")
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Hui Li <caelli@tencent.com>
---
Patch changelogs between v1 and v2:
-add barrier inside n_tty_read and n_tty_receive_buf_common;
-comment why barrier is needed;
-access to ldata->no_room is changed with READ_ONCE and WRITE_ONCE;
Patch changelogs between v2 and v3:
-in function n_tty_receive_buf_common, add unlikely to check
ldata->no_room, eg: if (unlikely(ldata->no_room)), and READ_ONCE
is removed here to get locality;
-change comment for barrier to show the race condition to make
comment easier to understand;
Patch changelogs between v3 and v4:
-change subject from 'tty: fix a possible hang on tty device' to
'tty: fix hang on tty device with no_room set' to make subject
more obvious;
Patch changelogs between v4 and v5:
-name is changed from cael to caelli, li is added as the family
name and caelli is the fullname.
Patch changelogs between v5 and v6:
-change from and Signed-off-by, from 'caelli <juanfengpy@gmail.com>'
to 'caelli <caelli@tencent.com>', later one is my corporate address.
Patch changelogs between v6 and v7:
-change name from caelli to 'Hui Li', which is my name in chinese.
-the comment for barrier is improved, and a Fixes and Reviewed-by
tags is added.
Patch changelogs between v7 and v8:
-Simplify the comments for barriers.
drivers/tty/n_tty.c | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index c8f56c9b1a1c..4dff2f34e2d0 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -204,8 +204,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
struct n_tty_data *ldata = tty->disc_data;
/* Did the input worker stop? Restart it */
- if (unlikely(ldata->no_room)) {
- ldata->no_room = 0;
+ if (unlikely(READ_ONCE(ldata->no_room))) {
+ WRITE_ONCE(ldata->no_room, 0);
WARN_RATELIMIT(tty->port->itty == NULL,
"scheduling with invalid itty\n");
@@ -1698,7 +1698,7 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
if (overflow && room < 0)
ldata->read_head--;
room = overflow;
- ldata->no_room = flow && !room;
+ WRITE_ONCE(ldata->no_room, flow && !room);
} else
overflow = 0;
@@ -1729,6 +1729,17 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
} else
n_tty_check_throttle(tty);
+ if (unlikely(ldata->no_room)) {
+ /*
+ * Barrier here is to ensure to read the latest read_tail in
+ * chars_in_buffer() and to make sure that read_tail is not loaded
+ * before ldata->no_room is set.
+ */
+ smp_mb();
+ if (!chars_in_buffer(tty))
+ n_tty_kick_worker(tty);
+ }
+
up_read(&tty->termios_rwsem);
return rcvd;
@@ -2282,8 +2293,14 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
if (time)
timeout = time;
}
- if (old_tail != ldata->read_tail)
+ if (old_tail != ldata->read_tail) {
+ /*
+ * Make sure no_room is not read in n_tty_kick_worker()
+ * before setting ldata->read_tail in copy_from_read_buf().
+ */
+ smp_mb();
n_tty_kick_worker(tty);
+ }
up_read(&tty->termios_rwsem);
remove_wait_queue(&tty->read_wait, &wait);
--
2.27.0
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [PATCH v9] tty: fix hang on tty device with no_room set
2023-03-17 7:25 ` [PATCH v8] " juanfengpy
@ 2023-04-06 2:44 ` juanfengpy
0 siblings, 0 replies; 33+ messages in thread
From: juanfengpy @ 2023-04-06 2:44 UTC (permalink / raw)
To: jirislaby, gregkh
Cc: ilpo.jarvinen, bagasdotme, benbjiang, robinlai, linux-serial,
juanfengpy, Hui Li, stable
From: Hui Li <caelli@tencent.com>
It is possible to hang pty devices in this case, the reader was
blocking at epoll on master side, the writer was sleeping at
wait_woken inside n_tty_write on slave side, and the write buffer
on tty_port was full, we found that the reader and writer would
never be woken again and blocked forever.
The problem was caused by a race between reader and kworker:
n_tty_read(reader): n_tty_receive_buf_common(kworker):
copy_from_read_buf()|
|room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
|room <= 0
n_tty_kick_worker() |
|ldata->no_room = true
After writing to slave device, writer wakes up kworker to flush
data on tty_port to reader, and the kworker finds that reader
has no room to store data so room <= 0 is met. At this moment,
reader consumes all the data on reader buffer and calls
n_tty_kick_worker to check ldata->no_room which is false and
reader quits reading. Then kworker sets ldata->no_room=true
and quits too.
If write buffer is not full, writer will wake kworker to flush data
again after following writes, but if write buffer is full and writer
goes to sleep, kworker will never be woken again and tty device is
blocked.
This problem can be solved with a check for read buffer size inside
n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
is true, a call to n_tty_kick_worker is necessary to keep flushing
data to reader.
Cc: <stable@vger.kernel.org>
Fixes: 42458f41d08f ("n_tty: Ensure reader restarts worker for next reader")
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Hui Li <caelli@tencent.com>
---
Patch changelogs between v1 and v2:
-add barrier inside n_tty_read and n_tty_receive_buf_common;
-comment why barrier is needed;
-access to ldata->no_room is changed with READ_ONCE and WRITE_ONCE;
Patch changelogs between v2 and v3:
-in function n_tty_receive_buf_common, add unlikely to check
ldata->no_room, eg: if (unlikely(ldata->no_room)), and READ_ONCE
is removed here to get locality;
-change comment for barrier to show the race condition to make
comment easier to understand;
Patch changelogs between v3 and v4:
-change subject from 'tty: fix a possible hang on tty device' to
'tty: fix hang on tty device with no_room set' to make subject
more obvious;
Patch changelogs between v4 and v5:
-name is changed from cael to caelli, li is added as the family
name and caelli is the fullname.
Patch changelogs between v5 and v6:
-change from and Signed-off-by, from 'caelli <juanfengpy@gmail.com>'
to 'caelli <caelli@tencent.com>', later one is my corporate address.
Patch changelogs between v6 and v7:
-change name from caelli to 'Hui Li', which is my name in chinese.
-the comment for barrier is improved, and a Fixes and Reviewed-by
tags is added.
Patch changelogs between v7 and v8:
-Simplify the comments for barriers.
Patch changelogs between v8 and v9:
-change the commit messages as suggested by Bagas Sanjaya.
drivers/tty/n_tty.c | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index c8f56c9b1a1c..4dff2f34e2d0 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -204,8 +204,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
struct n_tty_data *ldata = tty->disc_data;
/* Did the input worker stop? Restart it */
- if (unlikely(ldata->no_room)) {
- ldata->no_room = 0;
+ if (unlikely(READ_ONCE(ldata->no_room))) {
+ WRITE_ONCE(ldata->no_room, 0);
WARN_RATELIMIT(tty->port->itty == NULL,
"scheduling with invalid itty\n");
@@ -1698,7 +1698,7 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
if (overflow && room < 0)
ldata->read_head--;
room = overflow;
- ldata->no_room = flow && !room;
+ WRITE_ONCE(ldata->no_room, flow && !room);
} else
overflow = 0;
@@ -1729,6 +1729,17 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
} else
n_tty_check_throttle(tty);
+ if (unlikely(ldata->no_room)) {
+ /*
+ * Barrier here is to ensure to read the latest read_tail in
+ * chars_in_buffer() and to make sure that read_tail is not loaded
+ * before ldata->no_room is set.
+ */
+ smp_mb();
+ if (!chars_in_buffer(tty))
+ n_tty_kick_worker(tty);
+ }
+
up_read(&tty->termios_rwsem);
return rcvd;
@@ -2282,8 +2293,14 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
if (time)
timeout = time;
}
- if (old_tail != ldata->read_tail)
+ if (old_tail != ldata->read_tail) {
+ /*
+ * Make sure no_room is not read in n_tty_kick_worker()
+ * before setting ldata->read_tail in copy_from_read_buf().
+ */
+ smp_mb();
n_tty_kick_worker(tty);
+ }
up_read(&tty->termios_rwsem);
remove_wait_queue(&tty->read_wait, &wait);
--
2.27.0
^ permalink raw reply related [flat|nested] 33+ messages in thread
end of thread, other threads:[~2023-04-06 2:46 UTC | newest]
Thread overview: 33+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-24 2:21 tty: fix a possible hang on tty device cael
2022-05-24 9:11 ` Ilpo Järvinen
2022-05-24 11:09 ` cael
2022-05-24 11:40 ` Ilpo Järvinen
2022-05-24 12:47 ` cael
2022-05-24 13:25 ` Ilpo Järvinen
2022-05-25 10:36 ` cael
2022-05-25 11:21 ` Ilpo Järvinen
2022-05-30 13:13 ` cael
2022-05-31 12:37 ` Ilpo Järvinen
2022-06-01 9:38 ` Greg KH
2022-06-01 13:39 ` cael
2022-06-01 14:47 ` Greg KH
2022-06-01 15:28 ` Ilpo Järvinen
2022-06-06 13:40 ` cael
2022-06-06 14:43 ` Greg KH
2022-06-11 6:50 ` cael
2022-06-11 7:32 ` Greg KH
2022-06-13 12:30 ` [PATCH v3] tty: fix hang on tty device with no_room set juanfengpy
2022-06-13 17:20 ` Greg KH
2022-06-15 3:45 ` [PATCH v4] " cael
2022-06-15 5:00 ` Greg KH
2022-06-15 7:57 ` Ilpo Järvinen
2022-06-15 9:29 ` Greg KH
2022-06-15 11:17 ` [PATCH v5] " cael
2022-06-15 11:29 ` Ilpo Järvinen
2022-06-15 13:33 ` caelli
2022-06-27 12:05 ` Greg KH
2022-06-27 13:53 ` [PATCH v6] " juanfengpy
2023-03-17 2:41 ` [PATCH v7] " juanfengpy
2023-03-17 6:32 ` Jiri Slaby
2023-03-17 7:25 ` [PATCH v8] " juanfengpy
2023-04-06 2:44 ` [PATCH v9] " juanfengpy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).