linux/drivers/tty
Chao Bi c284ee2cf1 n_gsm: race between ld close and gsmtty open
ttyA has ld associated to n_gsm, when ttyA is closing, it triggers
to release gsmttyB's ld data dlci[B], then race would happen if gsmttyB
is opening in parallel.

Here are race cases we found recently in test:

CASE #1
====================================================================
releasing dlci[B] race with gsmtty_install(gsmttyB), then panic
in gsmtty_open(gsmttyB), as below:

 tty_release(ttyA)                  tty_open(gsmttyB)
     |                                   |
   -----                           gsmtty_install(gsmttyB)
     |                                   |
   -----                    gsm_dlci_alloc(gsmttyB) => alloc dlci[B]
 tty_ldisc_release(ttyA)               -----
     |                                   |
 gsm_dlci_release(dlci[B])             -----
     |                                   |
 gsm_dlci_free(dlci[B])                -----
     |                                   |
   -----                           gsmtty_open(gsmttyB)

 gsmtty_open()
 {
     struct gsm_dlci *dlci = tty->driver_data; => here it uses dlci[B]
     ...
 }

 In gsmtty_open(gsmttyA), it uses dlci[B] which was release, so hit a panic.
=====================================================================

CASE #2
=====================================================================
releasing dlci[0] race with gsmtty_install(gsmttyB), then panic
in gsmtty_open(), as below:

 tty_release(ttyA)                  tty_open(gsmttyB)
     |                                   |
   -----                           gsmtty_install(gsmttyB)
     |                                   |
   -----                    gsm_dlci_alloc(gsmttyB) => alloc dlci[B]
     |                                   |
   -----                         gsmtty_open(gsmttyB) fail
     |                                   |
   -----                           tty_release(gsmttyB)
     |                                   |
   -----                           gsmtty_close(gsmttyB)
     |                                   |
   -----                        gsmtty_detach_dlci(dlci[B])
     |                                   |
   -----                             dlci_put(dlci[B])
     |                                   |
 tty_ldisc_release(ttyA)               -----
     |                                   |
 gsm_dlci_release(dlci[0])             -----
     |                                   |
 gsm_dlci_free(dlci[0])                -----
     |                                   |
   -----                             dlci_put(dlci[0])

 In gsmtty_detach_dlci(dlci[B]), it tries to use dlci[0] which was released,
 then hit panic.
=====================================================================

IMHO, n_gsm tty operations would refer released ldisc,  as long as
gsm_dlci_release() has chance to release ldisc data when some gsmtty operations
are not completed..

This patch is try to avoid it by:

1) in n_gsm driver, use a global gsm spin lock to avoid gsm_dlci_release() run in
parallel with gsmtty_install();

2) Increase dlci's ref count in gsmtty_install() instead of in gsmtty_open(), the
purpose is to prevent gsm_dlci_release() releasing dlci after gsmtty_install()
allocats dlci but before gsmtty_open increases dlci's ref count;

3) Decrease dlci's ref count in gsmtty_remove(), which is a tty framework api, and
this is the opposite process of step 2).

Signed-off-by: Chao Bi <chao.bi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 08:52:53 -08:00
..
hvc Features: 2013-11-15 13:34:37 +09:00
ipwireless tty: ipwireless: Remove redundant NULL check before kfree 2013-03-15 13:58:32 -07:00
serial tty/serial/8250: fix typo in help text 2013-11-25 08:52:53 -08:00
vt vt: properly ignore xterm-256 colour codes 2013-09-26 15:58:27 -07:00
amiserial.c TTY: amiserial, remove unnecessary platform_set_drvdata() 2013-08-27 16:24:33 -07:00
bfin_jtag_comm.c TTY: bfin_jtag_comm: fix incorrect placement of __initdata tag 2013-09-30 19:09:37 -07:00
cyclades.c TTY: add tty_port_tty_hangup helper 2013-03-18 16:24:29 -07:00
ehv_bytechan.c drivers: clean-up prom.h implicit includes 2013-10-09 20:04:04 -05:00
goldfish.c goldfish: move to tty_port for flip buffers 2013-01-25 08:09:38 -08:00
isicom.c TTY: switch tty_flip_buffer_push 2013-01-15 22:30:15 -08:00
Kconfig tty: metag_da: Add metag DA TTY driver 2013-02-06 11:10:17 -08:00
Makefile tty: Add timed, writer-prioritized rw semaphore 2013-05-20 12:30:32 -07:00
metag_da.c tree-wide: use reinit_completion instead of INIT_COMPLETION 2013-11-15 09:32:21 +09:00
moxa.c TTY: add tty_port_tty_hangup helper 2013-03-18 16:24:29 -07:00
moxa.h
mxser.c tty: mxser: Fix build warning introduced by dfc7b837c7 (Re: linux-next: build warning after merge of the tty.current tree) 2013-05-22 10:26:02 -07:00
mxser.h
n_gsm.c n_gsm: race between ld close and gsmtty open 2013-11-25 08:52:53 -08:00
n_hdlc.c
n_r3964.c tty: localise the lock 2012-08-10 12:55:47 -07:00
n_tracerouter.c
n_tracesink.c
n_tracesink.h
n_tty.c n_tty: Fix 4096-byte canonical reads 2013-11-25 08:36:56 -08:00
nozomi.c tty: Remove unnecessary semicolons 2013-10-16 13:08:16 -07:00
pty.c tty: Fix lock order in tty_do_resize() 2013-07-24 15:12:53 -07:00
rocket_int.h
rocket.c TTY: rocket, fix more no-PCI warnings 2013-05-20 12:15:59 -07:00
rocket.h
synclink_gt.c TTY: synclink_gt: fix DTR being raised on hang up 2013-04-12 14:08:17 -07:00
synclink.c TTY: synclink: replace bitmasks add operation with OR operation. 2013-07-29 12:47:37 -07:00
synclinkmp.c TTY: snyclinkmp: calculating wrong addresses 2013-07-24 15:23:38 -07:00
sysrq.c sysrq: Allow magic SysRq key functions to be disabled through Kconfig 2013-10-16 13:01:44 -07:00
tty_audit.c audit: do not needlessly take a lock in tty_audit_exit 2013-04-30 15:31:28 -04:00
tty_buffer.c tty: Remove private constant from global namespace 2013-07-23 16:47:10 -07:00
tty_io.c tty: disassociate_ctty() sends the extra SIGCONT 2013-09-17 21:53:32 -04:00
tty_ioctl.c tty: Fix SIGTTOU not sent with tcflush() 2013-09-25 17:52:17 -07:00
tty_ldisc.c tty: Convert termios_mutex to termios_rwsem 2013-07-23 16:43:01 -07:00
tty_ldsem.c tty: Add timed, writer-prioritized rw semaphore 2013-05-20 12:30:32 -07:00
tty_mutex.c tty: tty_mutex.c: Fixed coding style warning (using printk) 2012-10-24 11:34:51 -07:00
tty_port.c tty: Remove unused drop() method from tty_port interface 2013-09-25 18:08:34 -07:00