The code currently NULLs tty->driver_data in hvcs_close() with the
intent of informing the next call to hvcs_open() that device needs to be
reconfigured. However, when hvcs_cleanup() is called we copy hvcsd from
tty->driver_data which was previoulsy NULLed by hvcs_close() and our
call to tty_port_put(&hvcsd->port) doesn't actually do anything since
&hvcsd->port ends up translating to NULL by chance. This has the side
effect that when hvcs_remove() is called we have one too many port
references preventing hvcs_destuct_port() from ever being called. This
also prevents us from reusing the /dev/hvcsX node in a future
hvcs_probe() and we can eventually run out of /dev/hvcsX devices.
Fix this by waiting to NULL tty->driver_data in hvcs_cleanup().
Signed-off-by: Tyrel Datwyler <[email protected]>
---
drivers/tty/hvc/hvcs.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c
index 55105ac38f89..509d1042825a 100644
--- a/drivers/tty/hvc/hvcs.c
+++ b/drivers/tty/hvc/hvcs.c
@@ -1216,13 +1216,6 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp)
tty_wait_until_sent(tty, HVCS_CLOSE_WAIT);
- /*
- * This line is important because it tells hvcs_open that this
- * device needs to be re-configured the next time hvcs_open is
- * called.
- */
- tty->driver_data = NULL;
-
free_irq(irq, hvcsd);
return;
} else if (hvcsd->port.count < 0) {
@@ -1237,6 +1230,13 @@ static void hvcs_cleanup(struct tty_struct * tty)
{
struct hvcs_struct *hvcsd = tty->driver_data;
+ /*
+ * This line is important because it tells hvcs_open that this
+ * device needs to be re-configured the next time hvcs_open is
+ * called.
+ */
+ tty->driver_data = NULL;
+
tty_port_put(&hvcsd->port);
}
--
2.27.0
On 8/20/20 4:46 PM, Tyrel Datwyler wrote:
> The code currently NULLs tty->driver_data in hvcs_close() with the
> intent of informing the next call to hvcs_open() that device needs to be
> reconfigured. However, when hvcs_cleanup() is called we copy hvcsd from
> tty->driver_data which was previoulsy NULLed by hvcs_close() and our
> call to tty_port_put(&hvcsd->port) doesn't actually do anything since
> &hvcsd->port ends up translating to NULL by chance. This has the side
> effect that when hvcs_remove() is called we have one too many port
> references preventing hvcs_destuct_port() from ever being called. This
> also prevents us from reusing the /dev/hvcsX node in a future
> hvcs_probe() and we can eventually run out of /dev/hvcsX devices.
>
> Fix this by waiting to NULL tty->driver_data in hvcs_cleanup().
I just realized I neglected a Fixes tag.
Fixes: 27bf7c43a19c ("TTY: hvcs, add tty install")
-Tyrel
>
> Signed-off-by: Tyrel Datwyler <[email protected]>
> ---
> drivers/tty/hvc/hvcs.c | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c
> index 55105ac38f89..509d1042825a 100644
> --- a/drivers/tty/hvc/hvcs.c
> +++ b/drivers/tty/hvc/hvcs.c
> @@ -1216,13 +1216,6 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp)
>
> tty_wait_until_sent(tty, HVCS_CLOSE_WAIT);
>
> - /*
> - * This line is important because it tells hvcs_open that this
> - * device needs to be re-configured the next time hvcs_open is
> - * called.
> - */
> - tty->driver_data = NULL;
> -
> free_irq(irq, hvcsd);
> return;
> } else if (hvcsd->port.count < 0) {
> @@ -1237,6 +1230,13 @@ static void hvcs_cleanup(struct tty_struct * tty)
> {
> struct hvcs_struct *hvcsd = tty->driver_data;
>
> + /*
> + * This line is important because it tells hvcs_open that this
> + * device needs to be re-configured the next time hvcs_open is
> + * called.
> + */
> + tty->driver_data = NULL;
> +
> tty_port_put(&hvcsd->port);
> }
>
>
On 21. 08. 20, 1:46, Tyrel Datwyler wrote:
> The code currently NULLs tty->driver_data in hvcs_close() with the
> intent of informing the next call to hvcs_open() that device needs to be
> reconfigured. However, when hvcs_cleanup() is called we copy hvcsd from
> tty->driver_data which was previoulsy NULLed by hvcs_close() and our
> call to tty_port_put(&hvcsd->port) doesn't actually do anything since
> &hvcsd->port ends up translating to NULL by chance. This has the side
> effect that when hvcs_remove() is called we have one too many port
> references preventing hvcs_destuct_port() from ever being called. This
> also prevents us from reusing the /dev/hvcsX node in a future
> hvcs_probe() and we can eventually run out of /dev/hvcsX devices.
>
> Fix this by waiting to NULL tty->driver_data in hvcs_cleanup().
Without actually looking into the code, it looks like we need a fix
similar to:
commit 24eb2377f977fe06d84fca558f891f95bc28a449
Author: Jiri Slaby <[email protected]>
Date: Tue May 26 16:56:32 2020 +0200
tty: hvc_console, fix crashes on parallel open/close
here too?
> Signed-off-by: Tyrel Datwyler <[email protected]>
> ---
> drivers/tty/hvc/hvcs.c | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c
> index 55105ac38f89..509d1042825a 100644
> --- a/drivers/tty/hvc/hvcs.c
> +++ b/drivers/tty/hvc/hvcs.c
> @@ -1216,13 +1216,6 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp)
>
> tty_wait_until_sent(tty, HVCS_CLOSE_WAIT);
>
> - /*
> - * This line is important because it tells hvcs_open that this
> - * device needs to be re-configured the next time hvcs_open is
> - * called.
> - */
> - tty->driver_data = NULL;
> -
> free_irq(irq, hvcsd);
> return;
> } else if (hvcsd->port.count < 0) {
> @@ -1237,6 +1230,13 @@ static void hvcs_cleanup(struct tty_struct * tty)
> {
> struct hvcs_struct *hvcsd = tty->driver_data;
>
> + /*
> + * This line is important because it tells hvcs_open that this
> + * device needs to be re-configured the next time hvcs_open is
> + * called.
> + */
> + tty->driver_data = NULL;
> +
> tty_port_put(&hvcsd->port);
> }
>
>
thanks,
--
js