2020-08-21 00:30:01

by Tyrel Datwyler

[permalink] [raw]
Subject: [PATCH] tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup()

The code currently NULLs tty->driver_data in hvcs_close() with the
intent of informing the next call to hvcs_open() that device needs to be
reconfigured. However, when hvcs_cleanup() is called we copy hvcsd from
tty->driver_data which was previoulsy NULLed by hvcs_close() and our
call to tty_port_put(&hvcsd->port) doesn't actually do anything since
&hvcsd->port ends up translating to NULL by chance. This has the side
effect that when hvcs_remove() is called we have one too many port
references preventing hvcs_destuct_port() from ever being called. This
also prevents us from reusing the /dev/hvcsX node in a future
hvcs_probe() and we can eventually run out of /dev/hvcsX devices.

Fix this by waiting to NULL tty->driver_data in hvcs_cleanup().

Signed-off-by: Tyrel Datwyler <[email protected]>
---
drivers/tty/hvc/hvcs.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c
index 55105ac38f89..509d1042825a 100644
--- a/drivers/tty/hvc/hvcs.c
+++ b/drivers/tty/hvc/hvcs.c
@@ -1216,13 +1216,6 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp)

tty_wait_until_sent(tty, HVCS_CLOSE_WAIT);

- /*
- * This line is important because it tells hvcs_open that this
- * device needs to be re-configured the next time hvcs_open is
- * called.
- */
- tty->driver_data = NULL;
-
free_irq(irq, hvcsd);
return;
} else if (hvcsd->port.count < 0) {
@@ -1237,6 +1230,13 @@ static void hvcs_cleanup(struct tty_struct * tty)
{
struct hvcs_struct *hvcsd = tty->driver_data;

+ /*
+ * This line is important because it tells hvcs_open that this
+ * device needs to be re-configured the next time hvcs_open is
+ * called.
+ */
+ tty->driver_data = NULL;
+
tty_port_put(&hvcsd->port);
}

--
2.27.0


2020-08-21 21:10:11

by Tyrel Datwyler

[permalink] [raw]
Subject: Re: [PATCH] tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup()

On 8/20/20 4:46 PM, Tyrel Datwyler wrote:
> The code currently NULLs tty->driver_data in hvcs_close() with the
> intent of informing the next call to hvcs_open() that device needs to be
> reconfigured. However, when hvcs_cleanup() is called we copy hvcsd from
> tty->driver_data which was previoulsy NULLed by hvcs_close() and our
> call to tty_port_put(&hvcsd->port) doesn't actually do anything since
> &hvcsd->port ends up translating to NULL by chance. This has the side
> effect that when hvcs_remove() is called we have one too many port
> references preventing hvcs_destuct_port() from ever being called. This
> also prevents us from reusing the /dev/hvcsX node in a future
> hvcs_probe() and we can eventually run out of /dev/hvcsX devices.
>
> Fix this by waiting to NULL tty->driver_data in hvcs_cleanup().

I just realized I neglected a Fixes tag.

Fixes: 27bf7c43a19c ("TTY: hvcs, add tty install")

-Tyrel

>
> Signed-off-by: Tyrel Datwyler <[email protected]>
> ---
> drivers/tty/hvc/hvcs.c | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c
> index 55105ac38f89..509d1042825a 100644
> --- a/drivers/tty/hvc/hvcs.c
> +++ b/drivers/tty/hvc/hvcs.c
> @@ -1216,13 +1216,6 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp)
>
> tty_wait_until_sent(tty, HVCS_CLOSE_WAIT);
>
> - /*
> - * This line is important because it tells hvcs_open that this
> - * device needs to be re-configured the next time hvcs_open is
> - * called.
> - */
> - tty->driver_data = NULL;
> -
> free_irq(irq, hvcsd);
> return;
> } else if (hvcsd->port.count < 0) {
> @@ -1237,6 +1230,13 @@ static void hvcs_cleanup(struct tty_struct * tty)
> {
> struct hvcs_struct *hvcsd = tty->driver_data;
>
> + /*
> + * This line is important because it tells hvcs_open that this
> + * device needs to be re-configured the next time hvcs_open is
> + * called.
> + */
> + tty->driver_data = NULL;
> +
> tty_port_put(&hvcsd->port);
> }
>
>

2020-09-14 05:40:19

by Jiri Slaby

[permalink] [raw]
Subject: Re: [PATCH] tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup()

On 21. 08. 20, 1:46, Tyrel Datwyler wrote:
> The code currently NULLs tty->driver_data in hvcs_close() with the
> intent of informing the next call to hvcs_open() that device needs to be
> reconfigured. However, when hvcs_cleanup() is called we copy hvcsd from
> tty->driver_data which was previoulsy NULLed by hvcs_close() and our
> call to tty_port_put(&hvcsd->port) doesn't actually do anything since
> &hvcsd->port ends up translating to NULL by chance. This has the side
> effect that when hvcs_remove() is called we have one too many port
> references preventing hvcs_destuct_port() from ever being called. This
> also prevents us from reusing the /dev/hvcsX node in a future
> hvcs_probe() and we can eventually run out of /dev/hvcsX devices.
>
> Fix this by waiting to NULL tty->driver_data in hvcs_cleanup().

Without actually looking into the code, it looks like we need a fix
similar to:
commit 24eb2377f977fe06d84fca558f891f95bc28a449
Author: Jiri Slaby <[email protected]>
Date: Tue May 26 16:56:32 2020 +0200

tty: hvc_console, fix crashes on parallel open/close

here too?

> Signed-off-by: Tyrel Datwyler <[email protected]>
> ---
> drivers/tty/hvc/hvcs.c | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c
> index 55105ac38f89..509d1042825a 100644
> --- a/drivers/tty/hvc/hvcs.c
> +++ b/drivers/tty/hvc/hvcs.c
> @@ -1216,13 +1216,6 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp)
>
> tty_wait_until_sent(tty, HVCS_CLOSE_WAIT);
>
> - /*
> - * This line is important because it tells hvcs_open that this
> - * device needs to be re-configured the next time hvcs_open is
> - * called.
> - */
> - tty->driver_data = NULL;
> -
> free_irq(irq, hvcsd);
> return;
> } else if (hvcsd->port.count < 0) {
> @@ -1237,6 +1230,13 @@ static void hvcs_cleanup(struct tty_struct * tty)
> {
> struct hvcs_struct *hvcsd = tty->driver_data;
>
> + /*
> + * This line is important because it tells hvcs_open that this
> + * device needs to be re-configured the next time hvcs_open is
> + * called.
> + */
> + tty->driver_data = NULL;
> +
> tty_port_put(&hvcsd->port);
> }
>
>

thanks,
--
js