Re: [PATCH v2] tty: rpmsg: Fix race condition releasing tty port

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

much better IMO.

On 14. 12. 21, 18:06, Arnaud Pouliquen wrote:

In current implementation the tty_port struct is part of the
rpmsg_tty_port structure.The issue is that the rpmsg_tty_port structure is
freed on rpmsg_tty_remove but also referenced in the tty_struct.
Its release is not predictable due to workqueues.

For instance following ftrace shows that rpmsg_tty_close is called after
rpmsg_tty_release_cport:

...

diff --git a/drivers/tty/rpmsg_tty.c b/drivers/tty/rpmsg_tty.c
index dae2a4e44f38..69272ad92266 100644
--- a/drivers/tty/rpmsg_tty.c
+++ b/drivers/tty/rpmsg_tty.c
@@ -53,9 +53,19 @@ static int rpmsg_tty_install(struct tty_driver *driver, struct tty_struct *tty)
tty->driver_data = cport; + tty_port_get(&cport->port); 

Can't this fail? Like when racing with removal?


  	return tty_port_install(&cport->port, driver, tty);
  }

...

  static struct rpmsg_tty_port *rpmsg_tty_alloc_cport(void)
@@ -139,6 +156,8 @@ static struct rpmsg_tty_port *rpmsg_tty_alloc_cport(void)
static void rpmsg_tty_release_cport(struct rpmsg_tty_port *cport) 
  {
+	tty_port_destroy(&cport->port);
+
You should not call tty_port_destroy when you use refcounting. The port is already destroyed when ->destruct() is called. (It has currently no bad effect calling it twice on a port though.) 


@@ -146,7 +165,17 @@ static void rpmsg_tty_release_cport(struct rpmsg_tty_port *cport)
  	kfree(cport);
  }
-static const struct tty_port_operations rpmsg_tty_port_ops = { }; 
+static void rpmsg_tty_destruct_port(struct tty_port *port)
+{
+	struct rpmsg_tty_port *cport = container_of(port, struct rpmsg_tty_port, port);
+
+	rpmsg_tty_release_cport(cport);
+}
+
+static const struct tty_port_operations rpmsg_tty_port_ops = {
+	.destruct = rpmsg_tty_destruct_port,
+};
+
static int rpmsg_tty_probe(struct rpmsg_device *rpdev) 
  {
@@ -179,7 +208,6 @@ static int rpmsg_tty_probe(struct rpmsg_device *rpdev)
  	return 0;
err_destroy: 
-	tty_port_destroy(&cport->port);
  	rpmsg_tty_release_cport(cport);
Couldn't you just put the port here? And inline rpmsg_tty_release_cport into the new rpmsg_tty_destruct_port? 

thanks,
--
js
suse labs
[Index of Archives]     [Linux Sound]     [ALSA Users]     [ALSA Devel]     [Linux Audio Users]     [Linux Media]     [Kernel]     [Photo Sharing]     [Gimp]     [Yosemite News]     [Linux Media]

  Powered by Linux