From 906cbe1364d94da7cbf74c1d05e3e78b2883f661 Mon Sep 17 00:00:00 2001
From: Jiri Slaby
Date: Thu, 14 Jul 2011 14:35:14 +0200
Subject: TTY: remove tty_locked

We used it really only serial and ami_serial. The rest of the callsites were BUG/WARN_ONs to check if BTM is held. Now that we pruned tty_locked from both of the real users, we can get rid of tty_lock along with __big_tty_mutex_owner.

Signed-off-by: Jiri Slaby
Acked-by: Arnd Bergmann
Cc: Alan Cox
Signed-off-by: Greg Kroah-Hartman
---
 include/linux/tty.h | 2 --
 1 file changed, 2 deletions(-)
(limited to 'include/linux/tty.h')
diff --git a/include/linux/tty.h b/include/linux/tty.h
index 44bc0c5617e1..6d5eceb165be 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -600,8 +600,6 @@ extern long vt_compat_ioctl(struct tty_struct *tty,
 /* functions for preparation of BKL removal */
 extern void __lockfunc tty_lock(void) __acquires(tty_lock);
 extern void __lockfunc tty_unlock(void) __releases(tty_lock);
-extern struct task_struct *__big_tty_mutex_owner;
-#define tty_locked() (current == __big_tty_mutex_owner)
 /*
  * wait_event_interruptible_tty -- wait for a condition with the tty lock held
-- cgit v1.2.3
From a57a7bf3fc7eff00f07eb9c805774d911a3f2472 Mon Sep 17 00:00:00 2001
From: Jiri Slaby
Date: Thu, 25 Aug 2011 15:12:06 +0200
Subject: TTY: define tty_wait_until_sent_from_close

We need this helper to fix system stalls. The issue is that the rest of the system TTYs wait for us to finish waiting. This wasn't an issue with BKL. BKL used to unlock implicitly. This is based on the Arnd suggestion.

Signed-off-by: Jiri Slaby
Acked-by: Arnd Bergmann
Signed-off-by: Greg Kroah-Hartman
---
 include/linux/tty.h | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
(limited to 'include/linux/tty.h')
diff --git a/include/linux/tty.h b/include/linux/tty.h
index 6d5eceb165be..0ad68889fc1a 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -601,6 +601,24 @@ extern long vt_compat_ioctl(struct tty_struct *tty,
 extern void __lockfunc tty_lock(void) __acquires(tty_lock);
 extern void __lockfunc tty_unlock(void) __releases(tty_lock);
+/*
+ * this shall be called only from where BTM is held (like close)
+ *
+ * We need this to ensure nobody waits for us to finish while we are waiting.
+ * Without this we were encountering system stalls.
+ *
+ * This should be indeed removed with BTM removal later.
+ *
+ * Locking: BTM required. Nobody is allowed to hold port->mutex.
+ */
+static inline void tty_wait_until_sent_from_close(struct tty_struct *tty,
+ long timeout)
+{
+ tty_unlock(); /* tty->ops->close holds the BTM, drop it while waiting */
+ tty_wait_until_sent(tty, timeout);
+ tty_lock();
+}
+
 /*
  * wait_event_interruptible_tty -- wait for a condition with the tty lock held
  *
-- cgit v1.2.3
From 8193c4290620d9b2a6ac116719f11aa99053a90d Mon Sep 17 00:00:00 2001
From: Thomas Meyer
Date: Wed, 5 Oct 2011 23:13:13 +0200
Subject: tty: Support compat_ioctl get/set termios_locked

When running a Fedora 15 (x86) on an x86_64 kernel, in the boot process plymouthd complains about those two missing ioctls: [ 2.581783] ioctl32(plymouthd:186): Unknown cmd fd(10) cmd(00005457){t:'T';sz:0} arg(ffb6a5d0) on /dev/tty1 [ 2.581803] ioctl32(plymouthd:186): Unknown cmd fd(10) cmd(00005456){t:'T';sz:0} arg(ffb6a680) on /dev/tty1 both ioctl functions work on the 'struct termios' resp. 'struct termios2', which has the same size (36 bytes resp. 44 bytes) on x86 and x86_64, so it's just a matter of converting the pointer from userland.

Signed-off-by: Thomas Meyer
Cc: Arnd Bergmann
Cc: Alan Cox
Signed-off-by: Andrew Morton
Signed-off-by: Greg Kroah-Hartman
---
 drivers/tty/tty_io.c | 2 ++
 drivers/tty/tty_ioctl.c | 17 +++++++++++++++++
 include/linux/tty.h | 2 ++
 3 files changed, 21 insertions(+)
(limited to 'include/linux/tty.h')
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index 150e4f747c7d..4ca4bcd28ff7 100644
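Review bot: The comment above `tty_wait_until_sent_from_close` does not warn that tty state sampled before the call may be stale once it returns, because the helper releases the BTM around `tty_wait_until_sent` and other BTM holders can run in that window. I would add a line such as `* The BTM is dropped while waiting: re-check any tty state read before this call.` to the block. The rule "Nobody is allowed to hold port->mutex" is only stated, not checked in the helper; whether the callers honour it is outside this hunk.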
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -2717,6 +2717,8 @@ static long tty_compat_ioctl(struct file *file, unsigned int cmd,
 ld = tty_ldisc_ref_wait(tty);
 if (ld->ops->compat_ioctl)
 retval = ld->ops->compat_ioctl(tty, file, cmd, arg);
+ else
+ retval = n_tty_compat_ioctl_helper(tty, file, cmd, arg);
 tty_ldisc_deref(ld);
 return retval;
diff --git a/drivers/tty/tty_ioctl.c b/drivers/tty/tty_ioctl.c
index 53f2442c6099..9314d93c1a20 100644
--- a/drivers/tty/tty_ioctl.c
+++ b/drivers/tty/tty_ioctl.c
@@ -19,6 +19,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -1179,3 +1180,19 @@ int n_tty_ioctl_helper(struct tty_struct *tty, struct file *file,
 }
 }
 EXPORT_SYMBOL(n_tty_ioctl_helper);
+
+#ifdef CONFIG_COMPAT
+long n_tty_compat_ioctl_helper(struct tty_struct *tty, struct file *file,
+ unsigned int cmd, unsigned long arg)
+{
+ switch (cmd) {
+ case TIOCGLCKTRMIOS:
+ case TIOCSLCKTRMIOS:
+ return tty_mode_ioctl(tty, file, cmd, (unsigned long) compat_ptr(arg));
+ default:
+ return -ENOIOCTLCMD;
+ }
+}
+EXPORT_SYMBOL(n_tty_compat_ioctl_helper);
+#endif
+
diff --git a/include/linux/tty.h b/include/linux/tty.h
index 0ad68889fc1a..64c12a3e65f0 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -579,6 +579,8 @@ extern int __init tty_init(void);
 /* tty_ioctl.c */
 extern int n_tty_ioctl_helper(struct tty_struct *tty, struct file *file,
 unsigned int cmd, unsigned long arg);
+extern long n_tty_compat_ioctl_helper(struct tty_struct *tty, struct file *file,
+ unsigned int cmd, unsigned long arg);
 /* serial.c */
-- cgit v1.2.3
From fa90e1c935472281de314e6d7c9a37db9cbc2e4e Mon Sep 17 00:00:00 2001
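Review bot: In the tty_compat_ioctl hunk the new `else` reaches `n_tty_compat_ioctl_helper` only when the line discipline has no `compat_ioctl` at all, so a discipline that provides one but returns -ENOIOCTLCMD for TIOCGLCKTRMIOS/TIOCSLCKTRMIOS would still leave 32-bit callers with the unknown-command result. Keying the fallback on the return value covers both cases: drop the `else` and follow the `compat_ioctl` call with `if (retval == -ENOIOCTLCMD) retval = n_tty_compat_ioctl_helper(tty, file, cmd, arg);`. This assumes retval starts out as -ENOIOCTLCMD earlier in the function, which lies outside the hunk.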
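Review bot: `n_tty_compat_ioctl_helper` in the tty_ioctl.c hunk carries no comment recording why a bare `compat_ptr()` conversion is sufficient, and the commit message justifies it only for x86 and x86_64. A short kernel-doc block above the function should state that both commands take a user pointer to a termios structure whose layout is assumed identical for compat and native tasks, and that every other command returns -ENOIOCTLCMD, so the assumption can be reviewed for other compat architectures. Any privilege check for TIOCSLCKTRMIOS is presumably inside `tty_mode_ioctl`, which is not shown here, so it is worth confirming that the compat path inherits it. The declaration added to include/linux/tty.h is not under `#ifdef CONFIG_COMPAT` although the definition is.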
From: Jiri Slaby
Date: Wed, 12 Oct 2011 11:32:43 +0200
Subject: TTY: make tty_add_file non-failing

If tty_add_file fails at the point it is now, we have to revert all the changes we did to the tty. It means either decrease all refcounts if this was a tty reopen or delete the tty if it was newly allocated. There was a try to fix this in v3.0-rc2 using tty_release in 0259894c7 (TTY: fix fail path in tty_open). But instead it introduced a NULL dereference. It's because tty_release dereferences filp->private_data, but that one is set even in our tty_add_file. And when tty_add_file fails, it's still NULL/garbage. Hence tty_release cannot be called there. To circumvent the original leak (and the current NULL deref) we split tty_add_file into two functions, making the latter non-failing. In that case we may do the former early in open, where handling failures is easy. The latter stays as it is now. So there is no change in functionality. The original bug (leak) was introduced by f573bd176 (tty: Remove __GFP_NOFAIL from tty_add_file()). Thanks Dan for reporting this. Later, we may split tty_release into more functions and call only some of them in this fail path instead. (If at all possible.)

Introduced-in: v2.6.37-rc2
Signed-off-by: Jiri Slaby
Reported-by: Dan Carpenter
Cc: stable
Cc: Alan Cox
Cc: Pekka Enberg
Signed-off-by: Greg Kroah-Hartman
---
 drivers/tty/pty.c | 16 +++++++++++-----
 drivers/tty/tty_io.c | 47 +++++++++++++++++++++++++++++++++++------------
 include/linux/tty.h | 4 +++-
 3 files changed, 49 insertions(+), 18 deletions(-)
(limited to 'include/linux/tty.h')
diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
index 98b6e3bdb000..7613f95f2d6b 100644
--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
@@ -657,12 +657,18 @@ static int ptmx_open(struct inode *inode, struct file *filp)
 nonseekable_open(inode, filp);
+ retval = tty_alloc_file(filp);
+ if (retval)
+ return retval;
+
 /* find a device that is not in use. */
 tty_lock();
 index = devpts_new_index(inode);
 tty_unlock();
- if (index < 0)
- return index;
+ if (index < 0) {
+ retval = index;
+ goto err_file;
+ }
 mutex_lock(&tty_mutex);
 tty_lock();
@@ -676,9 +682,7 @@ static int ptmx_open(struct inode *inode, struct file *filp)
 set_bit(TTY_PTY_LOCK, &tty->flags); /* LOCK THE SLAVE */
- retval = tty_add_file(tty, filp);
- if (retval)
- goto out;
+ tty_add_file(tty, filp);
 retval = devpts_pty_new(inode, tty->link);
 if (retval)
@@ -697,6 +701,8 @@ out2:
 out:
 devpts_kill_index(inode, index);
 tty_unlock();
+err_file:
+ tty_free_file(filp);
 return retval;
 }
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index 6913da8f202c..767ecbb4761a 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -194,8 +194,7 @@ static inline struct tty_struct *file_tty(struct file *file)
 return ((struct tty_file_private *)file->private_data)->tty;
 }
-/* Associate a new file with the tty structure */
-int tty_add_file(struct tty_struct *tty, struct file *file)
+int tty_alloc_file(struct file *file)
 {
 struct tty_file_private *priv;
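Review bot: The `err_file:` label added in the last ptmx_open hunk frees `filp->private_data` through `tty_free_file`, which is only safe before `tty_add_file` has linked that structure onto `tty->tty_files`, and nothing at the label records this. A comment there, for example `/* only for failures before tty_add_file(); later failures must go through tty_release() */`, would stop a future `goto out` placed after the `tty_add_file(tty, filp);` call from freeing an entry that is still on the list. The error paths taken after `tty_add_file` start outside the visible hunks, so they could not be checked here.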
@@ -203,15 +202,36 @@ int tty_add_file(struct tty_struct *tty, struct file *file)
 if (!priv)
 return -ENOMEM;
+ file->private_data = priv;
+
+ return 0;
+}
+
+/* Associate a new file with the tty structure */
+void tty_add_file(struct tty_struct *tty, struct file *file)
+{
+ struct tty_file_private *priv = file->private_data;
+
 priv->tty = tty;
 priv->file = file;
- file->private_data = priv;
 spin_lock(&tty_files_lock);
 list_add(&priv->list, &tty->tty_files);
 spin_unlock(&tty_files_lock);
+}
- return 0;
+/**
+ * tty_free_file - free file->private_data
+ *
+ * This shall be used only for fail path handling when tty_add_file was not
+ * called yet.
+ */
+void tty_free_file(struct file *file)
+{
+ struct tty_file_private *priv = file->private_data;
+
+ file->private_data = NULL;
+ kfree(priv);
 }
 /* Delete file from its tty */
@@ -222,8 +242,7 @@ void tty_del_file(struct file *file)
 spin_lock(&tty_files_lock);
 list_del(&priv->list);
 spin_unlock(&tty_files_lock);
- file->private_data = NULL;
- kfree(priv);
+ tty_free_file(file);
 }
@@ -1812,6 +1831,10 @@ static int tty_open(struct inode *inode, struct file *filp)
 nonseekable_open(inode, filp);
 retry_open:
+ retval = tty_alloc_file(filp);
+ if (retval)
+ return -ENOMEM;
+
 noctty = filp->f_flags & O_NOCTTY;
 index = -1;
 retval = 0;
@@ -1824,6 +1847,7 @@ retry_open:
 if (!tty) {
 tty_unlock();
 mutex_unlock(&tty_mutex);
+ tty_free_file(filp);
 return -ENXIO;
 }
 driver = tty_driver_kref_get(tty->driver);
@@ -1856,6 +1880,7 @@ retry_open:
 }
 tty_unlock();
 mutex_unlock(&tty_mutex);
+ tty_free_file(filp);
 return -ENODEV;
 }
@@ -1863,6 +1888,7 @@ retry_open:
 if (!driver) {
 tty_unlock();
 mutex_unlock(&tty_mutex);
+ tty_free_file(filp);
 return -ENODEV;
 }
 got_driver:
@@ -1874,6 +1900,7 @@ got_driver:
 tty_unlock();
 mutex_unlock(&tty_mutex);
 tty_driver_kref_put(driver);
+ tty_free_file(filp);
 return PTR_ERR(tty);
 }
 }
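Review bot: `tty_add_file` in the `@@ -203` hunk now dereferences `file->private_data` unconditionally, so a caller that has not run `tty_alloc_file` first writes through a NULL or stale pointer, and the one-line comment kept above the function does not mention that precondition. I would extend it to `/* Associate a new file with the tty structure; file->private_data must come from tty_alloc_file() */` and consider a `WARN_ON(!priv)` style check before the first store. The kernel-doc block for `tty_free_file` also lacks an `@file:` line, and `tty_alloc_file` has no comment at all. The function is declared `extern` in tty.h, and callers other than ptmx_open and tty_open are not visible in this patch.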
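Review bot: The tty_open hunks repeat `tty_free_file(filp);` before every early return (`-ENXIO`, both `-ENODEV` returns, `PTR_ERR(tty)` under got_driver, and again in the `@@ -1889` hunk), so any error return added to this function later leaks the allocation if the call is forgotten. A single `err_file:` exit label, like the one this commit adds to ptmx_open, would keep the cleanup in one place. After `retry_open:` the code also returns a literal `-ENOMEM` where ptmx_open uses `return retval;`, and using `return retval;` here keeps the two open paths consistent. tty_open's body extends beyond these hunks, so whether the unlock calls can share that exit path is not visible here.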
@@ -1889,15 +1916,11 @@ got_driver:
 tty_driver_kref_put(driver);
 if (IS_ERR(tty)) {
 tty_unlock();
+ tty_free_file(filp);
 return PTR_ERR(tty);
 }
- retval = tty_add_file(tty, filp);
- if (retval) {
- tty_unlock();
- tty_release(inode, filp);
- return retval;
- }
+ tty_add_file(tty, filp);
 check_tty_count(tty, "tty_open");
 if (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
diff --git a/include/linux/tty.h b/include/linux/tty.h
index 64c12a3e65f0..ff2925aa4e79 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -471,7 +471,9 @@ extern void proc_clear_tty(struct task_struct *p);
 extern struct tty_struct *get_current_tty(void);
 extern void tty_default_fops(struct file_operations *fops);
 extern struct tty_struct *alloc_tty_struct(void);
-extern int tty_add_file(struct tty_struct *tty, struct file *file);
+extern int tty_alloc_file(struct file *file);
+extern void tty_add_file(struct tty_struct *tty, struct file *file);
+extern void tty_free_file(struct file *file);
 extern void free_tty_struct(struct tty_struct *tty);
 extern void initialize_tty_struct(struct tty_struct *tty,
 struct tty_driver *driver, int idx);
-- cgit v1.2.3