[PATCH v2 00/19] Fix driver crashes on hangup

From: Peter Hurley
Date: Sat Jan 09 2016 - 23:41:52 EST


Changes for v2:
Rebased on top of current tty-next
Reduced changes/re-titled patch 19

NB: Marcel already picked up "bluetooth: hci_ldisc: Remove dead code" for
bluetooth-next

---
Hi Greg,

This series fixes the underlying design problem that leads to driver crashes
during hangup (e.g., Andi Kleen's report https://lkml.org/lkml/2015/11/9/786).

Quoting from patch 17/19:

Currently, when the tty is hungup, the ldisc is re-instanced; i.e., the
current instance is destroyed and a new instance is created. The purpose
of this design was to guarantee a valid, open ldisc for the lifetime of
the tty.

However, now that tty buffers are owned by and have lifetime equivalent
to the tty_port (since v3.10), any data received immediately after the
ldisc is re-instanced may cause continued driver i/o operations
concurrently with the driver's hangup() operation. For drivers that
shutdown h/w on hangup, this is unexpected and usually bad. For example,
the serial core may free the xmit buffer page concurrently with an
in-progress write() operation (triggered by echo).

With the existing stable and robust ldisc reference handling, the
cleaned-up tty_reopen(), the straggling unsafe ldisc use cleaned up, and
the preparation to properly handle a NULL tty->ldisc, the ldisc instance
can be destroyed and only re-instanced when the tty is re-opened.

With this patch series, the tty core now guarantees no further driver/ldisc
interactions after hangup.

Patches 1-4 remove direct tty->ldisc access outside the tty core.
Patch 5 removes the defunct chars_in_buffer() ldisc method (which has been
deprecated since 3.12).
Patches 6 & 7 fix unsafe ldisc uses which coincidentally have been discovered
to cause crashes (https://lkml.org/lkml/2015/11/26/173 and
https://lkml.org/lkml/2015/11/26/253). These have been tagged for
-stable.
Patches 8-16 are preparations; documenting existing functions and refactoring.
Patch 12 adds handling for the possibility of NULL ldisc references
after tty_ldisc_ref_wait(); that commit log details the logic of
why/how that works.
Patch 17 implements the fix: the ldisc instance is killed and left dead.
At tty_reopen(), if the tty->ldisc is NULL, a new ldisc is instanced.
Patches 18-19 are minor add-ons.

Regards,

Peter Hurley (19):
staging: digi: Replace open-coded tty_wakeup()
serial: 68328: Remove bogus ldisc reset
bluetooth: hci_ldisc: Remove dead code
NFC: nci: Remove dead code
tty: Remove chars_in_buffer() line discipline method
tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
n_tty: Fix unsafe reference to "other" ldisc
tty: Reset c_line from driver's init_termios
staging/speakup: Use tty_ldisc_ref() for paste kworker
tty: Fix comments for tty_ldisc_get()
tty: Fix comments for tty_ldisc_release()
tty: Prepare for destroying line discipline on hangup
tty: Handle NULL tty->ldisc
tty: Move tty_ldisc_kill()
tty: Use 'disc' for line discipline index name
tty: Refactor tty_ldisc_reinit() for reuse
tty: Destroy ldisc instance on hangup
tty: Document c_line == N_TTY initial condition
tty: Avoid unnecessary temporaries for tty->ldisc

Documentation/serial/tty.txt | 3 -
drivers/bluetooth/hci_ldisc.c | 8 +-
drivers/staging/dgap/dgap.c | 28 ++----
drivers/staging/dgnc/dgnc_tty.c | 18 +---
drivers/staging/speakup/selection.c | 4 +-
drivers/tty/amiserial.c | 6 +-
drivers/tty/cyclades.c | 8 +-
drivers/tty/n_gsm.c | 16 ----
drivers/tty/n_tty.c | 30 +------
drivers/tty/rocket.c | 6 +-
drivers/tty/serial/68328serial.c | 12 +--
drivers/tty/serial/crisv10.c | 12 ++-
drivers/tty/tty_io.c | 64 +++++++++++---
drivers/tty/tty_ldisc.c | 171 ++++++++++++++++++++----------------
drivers/tty/vt/selection.c | 2 +
include/linux/tty.h | 5 +-
include/linux/tty_ldisc.h | 7 --
net/nfc/nci/uart.c | 9 +-
18 files changed, 179 insertions(+), 230 deletions(-)

--
2.7.0
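The following is an added user-space model of the ldisc lifecycle change described in the cover letter above (quoted from patch 17 and the patch summary). It is not kernel code and not part of the series; the struct layout, the function names (ldisc_ref_wait(), receive_buf(), hangup_old(), hangup_new(), tty_reopen()) and the "driver write after hardware shutdown" counter are assumptions made for illustration only. It contrasts the old design (re-instance the ldisc on hangup, so data arriving late still drives driver i/o after the driver's hangup() tore down the hardware) with the new design (kill the ldisc, leave tty->ldisc NULL, have the receive path tolerate a NULL reference, and re-instance only at reopen):

```c
/* Added example: a toy model of tty/ldisc lifetime on hangup.
 * Not kernel code; all names and fields are assumptions for illustration. */
#include <stddef.h>
#include <stdlib.h>

struct ldisc {
    int disc;                 /* line discipline index, e.g. N_TTY (0) */
};

struct tty {
    struct ldisc *ldisc;      /* NULL once hung up in the new design */
    int hw_shutdown;          /* set once the driver's hangup() ran */
    int writes_after_shutdown;/* the bug: driver write() after hw teardown */
};

static struct ldisc *ldisc_new(int disc)
{
    struct ldisc *ld = malloc(sizeof *ld);
    if (ld)
        ld->disc = disc;
    return ld;
}

static void ldisc_kill(struct tty *t)
{
    free(t->ldisc);
    t->ldisc = NULL;          /* leave the dead ldisc dead */
}

/* Model of tty_ldisc_ref_wait(): callers must now cope with NULL. */
static struct ldisc *ldisc_ref_wait(struct tty *t)
{
    return t->ldisc;
}

/* The driver's write() path, which the ldisc reaches via echo. */
static void driver_write(struct tty *t)
{
    if (t->hw_shutdown)
        t->writes_after_shutdown++;   /* touching freed/torn-down h/w state */
}

/* Receive path for data that arrives after hangup.
 * Returns 1 if the ldisc consumed it, 0 if it was dropped because there
 * is no ldisc (the NULL handling the series adds). */
static int receive_buf(struct tty *t)
{
    struct ldisc *ld = ldisc_ref_wait(t);
    if (!ld)
        return 0;
    driver_write(t);          /* echo triggers driver i/o */
    return 1;
}

/* Old design: destroy and immediately re-instance the ldisc on hangup. */
static void hangup_old(struct tty *t)
{
    ldisc_kill(t);
    t->ldisc = ldisc_new(0);
    t->hw_shutdown = 1;       /* driver hangup() shuts down the h/w */
}

/* New design: destroy the ldisc and leave tty->ldisc NULL. */
static void hangup_new(struct tty *t)
{
    ldisc_kill(t);
    t->hw_shutdown = 1;
}

/* Model of tty_reopen(): re-instance only if no ldisc is present. */
static void tty_reopen(struct tty *t)
{
    if (!t->ldisc)
        t->ldisc = ldisc_new(0);
    t->hw_shutdown = 0;
}

/* Count driver writes that land after hardware shutdown for either design:
 * 1 for the old design (late data still reaches the driver), 0 for the new. */
static int writes_after_hangup(int use_new_design)
{
    struct tty t = { ldisc_new(0), 0, 0 };
    int n;

    receive_buf(&t);                 /* normal traffic before hangup */
    if (use_new_design)
        hangup_new(&t);
    else
        hangup_old(&t);
    receive_buf(&t);                 /* data received right after hangup */
    n = t.writes_after_shutdown;
    ldisc_kill(&t);
    return n;
}

/* After hangup + reopen the new design has a working ldisc again. */
static int receive_works_after_reopen(void)
{
    struct tty t = { ldisc_new(0), 0, 0 };
    int consumed;

    hangup_new(&t);
    tty_reopen(&t);
    consumed = receive_buf(&t);
    ldisc_kill(&t);
    return consumed;
}
```

The point of the model is the single NULL check in receive_buf(): once tty_ldisc_ref_wait() may legitimately return NULL after hangup, every caller that held a ref-counted ldisc must treat "no ldisc" as "drop the work", which is what removes the driver/ldisc interaction after hangup.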