On 12/15/21 7:49 AM, Jiri Slaby wrote:
> Hi,
>
> much better IMO.
>
> On 14. 12. 21, 18:06, Arnaud Pouliquen wrote:
>> In current implementation the tty_port struct is part of the
>> rpmsg_tty_port structure.The issue is that the rpmsg_tty_port structure is
>> freed on rpmsg_tty_remove but also referenced in the tty_struct.
>> Its release is not predictable due to workqueues.
>>
>> For instance following ftrace shows that rpmsg_tty_close is called after
>> rpmsg_tty_release_cport:
> ...
>> diff --git a/drivers/tty/rpmsg_tty.c b/drivers/tty/rpmsg_tty.c
>> index dae2a4e44f38..69272ad92266 100644
>> --- a/drivers/tty/rpmsg_tty.c
>> +++ b/drivers/tty/rpmsg_tty.c
>> @@ -53,9 +53,19 @@ static int rpmsg_tty_install(struct tty_driver *driver,
>> struct tty_struct *tty)
>> tty->driver_data = cport;
>> + tty_port_get(&cport->port);
>
> Can't this fail? Like when racing with removal?
>
>> return tty_port_install(&cport->port, driver, tty);
>> }
> ...
>> static struct rpmsg_tty_port *rpmsg_tty_alloc_cport(void)
>> @@ -139,6 +156,8 @@ static struct rpmsg_tty_port *rpmsg_tty_alloc_cport(void)
>> static void rpmsg_tty_release_cport(struct rpmsg_tty_port *cport)
>> {
>> + tty_port_destroy(&cport->port);
>> +
>
> You should not call tty_port_destroy when you use refcounting. The port is
> already destroyed when ->destruct() is called. (It has currently no bad effect
> calling it twice on a port though.)
>
>> @@ -146,7 +165,17 @@ static void rpmsg_tty_release_cport(struct rpmsg_tty_port
>> *cport)
>> kfree(cport);
>> }
>> -static const struct tty_port_operations rpmsg_tty_port_ops = { };
>> +static void rpmsg_tty_destruct_port(struct tty_port *port)
>> +{
>> + struct rpmsg_tty_port *cport = container_of(port, struct rpmsg_tty_port,
>> port);
>> +
>> + rpmsg_tty_release_cport(cport);
>> +}
>> +
>> +static const struct tty_port_operations rpmsg_tty_port_ops = {
>> + .destruct = rpmsg_tty_destruct_port,
>> +};
>> +
>> static int rpmsg_tty_probe(struct rpmsg_device *rpdev)
>> {
>> @@ -179,7 +208,6 @@ static int rpmsg_tty_probe(struct rpmsg_device *rpdev)
>> return 0;
>> err_destroy:
>> - tty_port_destroy(&cport->port);
>> rpmsg_tty_release_cport(cport);
>
> Couldn't you just put the port here? And inline rpmsg_tty_release_cport into the
> new rpmsg_tty_destruct_port?
>
Thanks for all the insightful comments, V3 is coming.
> thanks,
