linux/drivers/char
Christian Borntraeger 000b9151d7 Fix race/oops in tty layer after BKL pushdown
While testing our KVM code for s390 (starting and killall kvm in a loop)
I can reproduce the following oops:

  Unable to handle kernel pointer dereference at virtual kernel address 6b6b6b6b6b6b6000 Oops: 0038 [#1] SMP
  Modules linked in: dm_multipath sunrpc qeth_l3 qeth_l2 dm_mod qeth
  ccwgroup CPU: 1 Not tainted 2.6.27-rc1 #54
  Process kuli (pid: 4409, task: 00000000b6aa5940, ksp: 00000000b7343e10)
  Krnl PSW : 0704e00180000000 00000000002e0b8c
  (disassociate_ctty+0x1c0/0x288) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3
  CC:2 PM:0 EA:3 Krnl GPRS: 0000000000000000 6b6b6b6b6b6b6b6b
  0000000000000001 00000000000003a6 00000000002e0a46 00000000004b4160
  0000000000000001 00000000bbd79758 00000000b7343e58 00000000b8854148
  00000000bd34dea0 00000000b7343c20 0000000000000001 00000000004b6d08
  00000000002e0a46 00000000b7343c20 Krnl Code: 00000000002e0b7e:
  eb9fb0a00004	lmg	%r9,%r15,160(%r11) 00000000002e0b84:
  07f4		bcr	15,%r4 00000000002e0b86:
  e31090080004	lg	%r1,8(%r9) >00000000002e0b8c:
  d501109cd000	clc	156(2,%r1),0(%r13) 00000000002e0b92:
  a784ff5d		brc	8,2e0a4c 00000000002e0b96:
  b9040029		lgr	%r2,%r9 00000000002e0b9a:
  c0e5fffff9c3	brasl	%r14,2dff20 00000000002e0ba0:
  a7f4ff56		brc	15,2e0a4c Call Trace:
  ([<00000000002e0a46>] disassociate_ctty+0x7a/0x288)
   [<0000000000141fe6>] do_exit+0x212/0x8d4
   [<0000000000142708>] do_group_exit+0x60/0xcc
   [<0000000000150660>] get_signal_to_deliver+0x270/0x3ac
   [<000000000010bfd6>] do_signal+0x8e/0x8dc
   [<0000000000113772>] sysc_sigpending+0xe/0x22
   [<000001ff0000b134>] 0x1ff0000b134
  INFO: lockdep is turned off.
  Last Breaking-Event-Address:
   [<00000000002e0a48>] disassociate_ctty+0x7c/0x288
  Kernel panic - not syncing: Fatal exception: panic_on_oops

It seems that tty was already free in disassocate_ctty when it tries
to dereference tty->driver.

After moving the lock_kernel before the mutex_unlock, I can no longer
reproduce the problem.

[ This is a temporary partial fix for the documented and long standing
  race in disassociate_tty.  This stops most problem cases for now.

  For the next release the -next tree has an initial implementation of
  kref counting for tty structures and this quickfix will be dropped.

                                                              - Alan ]

Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by; Alan Cox <alan@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-08-11 10:37:34 -07:00
..
agp Merge branch 'generic-ipi' into generic-ipi-for-linus 2008-07-15 21:55:59 +02:00
hw_random [ARM] Move include/asm-arm/arch-* to arch/arm/*/include/mach 2008-08-07 09:55:48 +01:00
ip2 ip2: push BKL down for the firmware interface 2008-07-25 10:53:43 -07:00
ipmi ipmi/powerpc: Use linux/of_{device,platform}.h instead of asm 2008-07-30 15:26:53 +10:00
mwave mwave: ioctl BKL pushdown 2008-07-25 10:53:43 -07:00
pcmcia Merge branch 'for-jeff' of git://git.kernel.org/pub/scm/linux/kernel/git/chris/linux-2.6 into tmp 2008-08-07 04:05:46 -04:00
rio rio: push down the BKL into the firmware ioctl handler 2008-07-25 10:53:43 -07:00
tpm tpm: Use correct data types for sizes in tpm_write() and tpm_read() 2008-07-26 12:00:04 -07:00
xilinx_hwicap char/xilinx_hwicap/xilinx_hwicap.c: Removed duplicated include 2008-07-25 09:23:31 -07:00
.gitignore
amiserial.c m68k/amiserial: fix fallout of tty break handling rework 2008-08-06 13:24:41 -07:00
apm-emulation.c APM emulation: Notify about all suspend events, not just APM invoked ones (v2) 2008-07-16 23:27:02 +02:00
applicom.c char serial: switch drivers to ioremap_nocache 2008-04-30 08:29:48 -07:00
applicom.h
bfin-otp.c
briq_panel.c briq_panel: BKL pushdown 2008-06-20 14:05:55 -06:00
bsr.c powerpc: Add driver for Barrier Synchronization Register 2008-07-15 12:24:55 +10:00
cd1865.h
ChangeLog
consolemap.c Basic braille screen reader support 2008-04-30 08:29:52 -07:00
cp437.uni
cs5535_gpio.c Add a bunch of cycle_kernel_lock() calls 2008-06-20 14:05:53 -06:00
cyclades.c tty: rework break handling 2008-07-22 13:03:28 -07:00
defkeymap.c_shipped
defkeymap.map
digi1.h
digiFep1.h
digiPCI.h
ds1286.c ds1286: BKL pushdown 2008-06-20 14:05:56 -06:00
ds1302.c ds1302: push down the BKL into the driver ioctl code 2008-07-25 10:53:43 -07:00
ds1620.c [ARM] Move include/asm-arm/arch-* to arch/arm/*/include/mach 2008-08-07 09:55:48 +01:00
dsp56k.c dsp56k: Fix BKL pushdown 2008-07-26 13:22:56 -07:00
dtlk.c Add a bunch of cycle_kernel_lock() calls 2008-06-20 14:05:53 -06:00
efirtc.c drivers/char/efirtc.c: removed duplicated #include 2008-08-04 16:59:56 -07:00
epca.c Fix the epca driver to permit epca_setup() to be invoked from the kernel cmdline 2008-07-22 13:03:28 -07:00
epca.h epca: use tty_port 2008-07-20 17:12:36 -07:00
epcaconfig.h
esp.c tty: rework break handling 2008-07-22 13:03:28 -07:00
generic_nvram.c driver/char/generic_nvram: fix banner 2008-06-12 18:05:41 -07:00
generic_serial.c gs: use tty_port 2008-07-20 17:12:36 -07:00
genrtc.c genrtc: BKL pushdown 2008-06-20 14:05:57 -06:00
hangcheck-timer.c
hpet.c #if 0 hpet_unregister() 2008-07-25 10:53:43 -07:00
hvc_beat.c
hvc_console.c virtio: console as a config option 2008-07-25 12:06:07 +10:00
hvc_console.h powerpc: Move include files to arch/powerpc/include/asm 2008-08-04 12:02:00 +10:00
hvc_irq.c hvc_console: rework setup to replace irq functions with callbacks 2008-07-25 12:06:06 +10:00
hvc_iseries.c hvc_console: rework setup to replace irq functions with callbacks 2008-07-25 12:06:06 +10:00
hvc_rtas.c
hvc_vio.c hvc_console: rework setup to replace irq functions with callbacks 2008-07-25 12:06:06 +10:00
hvc_xen.c hvc_console: rework setup to replace irq functions with callbacks 2008-07-25 12:06:06 +10:00
hvcs.c powerpc: Move include files to arch/powerpc/include/asm 2008-08-04 12:02:00 +10:00
hvsi.c drivers/char: replace remaining __FUNCTION__ occurrences 2008-04-30 08:29:54 -07:00
i8k.c i8k: make fan multiplier tunable with a module parameter 2008-05-01 08:04:00 -07:00
ip27-rtc.c ip27-rtc: BKL pushdown 2008-06-20 14:05:57 -06:00
isicom.c isicom: restore using hardware break support 2008-07-22 13:03:28 -07:00
istallion.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core-2.6 2008-07-22 13:13:47 -07:00
Kconfig powerpc/iseries: remove the old viocons driver 2008-08-07 18:07:10 -07:00
keyboard.c Merge master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 into next 2008-07-21 00:55:14 -04:00
lp.c device create: char: convert device_create to device_create_drvdata 2008-07-21 21:54:41 -07:00
Makefile powerpc/iseries: remove the old viocons driver 2008-08-07 18:07:10 -07:00
mbcs.c mbcs: cdev lock_kernel() pushdown 2008-06-20 14:05:48 -06:00
mbcs.h
mem.c use generic_access_phys for /dev/mem mappings 2008-07-24 10:47:15 -07:00
misc.c device create: char: convert device_create to device_create_drvdata 2008-07-21 21:54:41 -07:00
mmtimer.c mmtimer: Push BKL down into the ioctl handler 2008-07-17 11:34:49 -07:00
moxa.c tty: rework break handling 2008-07-22 13:03:28 -07:00
moxa.h Char: moxa, cleanup rx/tx 2008-04-30 08:29:43 -07:00
mspec.c mspec: convert nopfn to fault 2008-07-24 10:47:14 -07:00
mxser.c Char: mxser, ratelimit ioctl warning 2008-07-30 09:41:45 -07:00
mxser.h mxser: convert large macros to functions 2008-04-30 08:29:49 -07:00
n_hdlc.c n_hdlc: honor O_NONBLOCK on write 2008-07-22 13:03:28 -07:00
n_r3964.c tty: Ldisc revamp 2008-07-20 17:12:34 -07:00
n_tty.c tty: Ldisc revamp 2008-07-20 17:12:34 -07:00
nozomi.c drivers/char: replace remaining __FUNCTION__ occurrences 2008-04-30 08:29:54 -07:00
nsc_gpio.c
nvram.c drivers/char/nvram.c: Removed duplicated include 2008-07-23 09:36:23 -07:00
nwbutton.c
nwbutton.h
nwflash.c [ARM] fix nwflash.c: 6ee8928d94 2008-07-26 16:29:24 +01:00
pc8736x_gpio.c Add a bunch of cycle_kernel_lock() calls 2008-06-20 14:05:53 -06:00
ppdev.c ppdev: wrap ioctl handler in driver and push lock down 2008-07-25 10:53:43 -07:00
ps3flash.c
pty.c tty: Ldisc revamp 2008-07-20 17:12:34 -07:00
random.c PAGE_ALIGN(): correctly handle 64-bit values on 32-bit architectures 2008-07-24 10:47:21 -07:00
raw.c device create: char: convert device_create to device_create_drvdata 2008-07-21 21:54:41 -07:00
riscom8_reg.h
riscom8.c riscom8: Restore driver using new break functionality 2008-07-22 13:03:28 -07:00
riscom8.h tty: add more tty_port fields 2008-07-20 17:12:38 -07:00
rocket_int.h tty: add more tty_port fields 2008-07-20 17:12:38 -07:00
rocket.c tty: rework break handling 2008-07-22 13:03:28 -07:00
rocket.h tty: add more tty_port fields 2008-07-20 17:12:38 -07:00
rtc.c drivers/char/rtc.c: make 2 functions static 2008-07-26 12:00:12 -07:00
scc.h
scx200_gpio.c Add a bunch of cycle_kernel_lock() calls 2008-06-20 14:05:53 -06:00
selection.c tty: Ldisc revamp 2008-07-20 17:12:34 -07:00
ser_a2232.c m68k: gs: use tty_port fixes 2008-07-26 20:29:03 -07:00
ser_a2232.h
ser_a2232fw.ax
ser_a2232fw.h
serial167.c m68k: serial167 missing return value in cy_put_char() 2008-05-05 12:37:02 -07:00
snsc_event.c byteorder: don't directly include linux/byteorder/generic.h 2008-05-16 12:01:45 -07:00
snsc.c device create: char: convert device_create to device_create_drvdata 2008-07-21 21:54:41 -07:00
snsc.h
sonypi.c sonypi: BKL pushdown 2008-07-02 15:06:25 -06:00
specialix_io8.h tty: add more tty_port fields 2008-07-20 17:12:38 -07:00
specialix.c specialix: restore driver using new break functionality 2008-07-22 13:03:28 -07:00
stallion.c stallion: removed unused variable 2008-07-24 10:47:30 -07:00
sx.c sx: push BKL down into the firmware ioctl handler 2008-07-25 10:53:43 -07:00
sx.h
sxboards.h
sxwindow.h
synclink_gt.c Merge branch 'for-jeff' of git://git.kernel.org/pub/scm/linux/kernel/git/chris/linux-2.6 into tmp 2008-08-07 04:05:46 -04:00
synclink.c Merge branch 'for-jeff' of git://git.kernel.org/pub/scm/linux/kernel/git/chris/linux-2.6 into tmp 2008-08-07 04:05:46 -04:00
synclinkmp.c Merge branch 'for-jeff' of git://git.kernel.org/pub/scm/linux/kernel/git/chris/linux-2.6 into tmp 2008-08-07 04:05:46 -04:00
sysrq.c fix: "smp_call_function: get rid of the unused nonatomic/retry argument" 2008-06-27 11:52:45 +02:00
tb0219.c Add a bunch of cycle_kernel_lock() calls 2008-06-20 14:05:53 -06:00
tlclk.c tlckl: BKL pushdown 2008-06-20 14:05:51 -06:00
toshiba.c toshiba: use ioremap_cached 2008-04-30 23:15:34 +02:00
tty_audit.c [PATCH] split linux/file.h 2008-05-01 13:08:16 -04:00
tty_io.c Fix race/oops in tty layer after BKL pushdown 2008-08-11 10:37:34 -07:00
tty_ioctl.c tty: Ldisc revamp 2008-07-20 17:12:34 -07:00
tty_ldisc.c try harder to load tty ldisc driver 2008-08-01 12:50:15 -07:00
vc_screen.c device create: char: convert device_create to device_create_drvdata 2008-07-21 21:54:41 -07:00
viotape.c device create: char: convert device_create to device_create_drvdata 2008-07-21 21:54:41 -07:00
virtio_console.c virtio_console: use virtqueue notification for hvc_console 2008-07-25 12:06:06 +10:00
vme_scc.c m68k: gs: use tty_port fixes 2008-07-26 20:29:03 -07:00
vr41xx_giu.c Add a bunch of cycle_kernel_lock() calls 2008-06-20 14:05:53 -06:00
vt_ioctl.c vt_ioctl: Prepare for BKL push down 2008-04-30 08:29:40 -07:00
vt.c vt: Deadlock workaround 2008-08-04 17:12:07 -07:00