Re: [PATCH] tty: add lockdep annotations

[Linus Torvalds]

On Sat, Jun 2, 2012 at 5:30 AM, Eric Dumazet <eric.dumazet@xxxxxxxxx> wrote:
>
> With following debugging patch I now have crashes at every boot, so it
> might be more easy to find the bug :

I'm seeing *something* odd.

We call tty_shutdown() without holding the tty_mutex as far as I can
tell. Which means that we remove the tty from the tty lists with *no*
serialization with looking them up.

The fact that we lock the tty *after* we have found it is kind of
irrelevant. By then it's too late.

And I think this is the fundamental bug that was introduced in commit
d29f3ef39be4 ("tty_lock: Localise the lock"). We *used* to do
tty_lock() before the lookup - early in tty_open(). And we held it
until the very end of tty_release(), so the tty lock actually
protected the lookup of the tty.

That's simply not true any more. The comments for
tty_driver_remove_tty() say "Locking: tty_mutex for now", but that's
just garbage and wishful thinking. The callers don't actually hold
tty_mutex, and never have. Sure, some of them may do so (there's a lot
of potential callers through tty_kref_put()) but most of them
definitely don't. Look at tty_release(), most of the final refcounts
will be dropped after the mutex_unlock(&tty_mutex) afaik.

I'm pretty sure this is the bug. And there's no way we can make
'tty_mutex' protect every tty_kref_put(). So I think we have two
options:

 - revert all the tty locking changes

 - make a new global lock that protects just driver->ops->lookup(),
driver->ttys[idx], and driver->ops->remove()

Hmm?

         Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/