Re: [PATCH v2] tty: rpmsg: Fix race condition releasing tty port

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 12/15/21 7:49 AM, Jiri Slaby wrote:
> Hi,
> 
> much better IMO.
> 
> On 14. 12. 21, 18:06, Arnaud Pouliquen wrote:
>> In current implementation the tty_port struct is part of the
>> rpmsg_tty_port structure.The issue is that the rpmsg_tty_port structure is
>> freed on rpmsg_tty_remove but also referenced in the tty_struct.
>> Its release is not predictable due to workqueues.
>>
>> For instance following ftrace shows that rpmsg_tty_close is called after
>> rpmsg_tty_release_cport:
> ...
>> diff --git a/drivers/tty/rpmsg_tty.c b/drivers/tty/rpmsg_tty.c
>> index dae2a4e44f38..69272ad92266 100644
>> --- a/drivers/tty/rpmsg_tty.c
>> +++ b/drivers/tty/rpmsg_tty.c
>> @@ -53,9 +53,19 @@ static int rpmsg_tty_install(struct tty_driver *driver,
>> struct tty_struct *tty)
>>         tty->driver_data = cport;
>>   +    tty_port_get(&cport->port);
> 
> Can't this fail? Like when racing with removal?
> 
>>       return tty_port_install(&cport->port, driver, tty);
>>   }
> ...
>>   static struct rpmsg_tty_port *rpmsg_tty_alloc_cport(void)
>> @@ -139,6 +156,8 @@ static struct rpmsg_tty_port *rpmsg_tty_alloc_cport(void)
>>     static void rpmsg_tty_release_cport(struct rpmsg_tty_port *cport)
>>   {
>> +    tty_port_destroy(&cport->port);
>> +
> 
> You should not call tty_port_destroy when you use refcounting. The port is
> already destroyed when ->destruct() is called. (It has currently no bad effect
> calling it twice on a port though.)
> 
>> @@ -146,7 +165,17 @@ static void rpmsg_tty_release_cport(struct rpmsg_tty_port
>> *cport)
>>       kfree(cport);
>>   }
>>   -static const struct tty_port_operations rpmsg_tty_port_ops = { };
>> +static void rpmsg_tty_destruct_port(struct tty_port *port)
>> +{
>> +    struct rpmsg_tty_port *cport = container_of(port, struct rpmsg_tty_port,
>> port);
>> +
>> +    rpmsg_tty_release_cport(cport);
>> +}
>> +
>> +static const struct tty_port_operations rpmsg_tty_port_ops = {
>> +    .destruct = rpmsg_tty_destruct_port,
>> +};
>> +
>>     static int rpmsg_tty_probe(struct rpmsg_device *rpdev)
>>   {
>> @@ -179,7 +208,6 @@ static int rpmsg_tty_probe(struct rpmsg_device *rpdev)
>>       return 0;
>>     err_destroy:
>> -    tty_port_destroy(&cport->port);
>>       rpmsg_tty_release_cport(cport);
> 
> Couldn't you just put the port here? And inline rpmsg_tty_release_cport into the
> new rpmsg_tty_destruct_port?
> 

Thanks for all the insightful comments, V3 is coming.

> thanks,



[Index of Archives]     [Linux Sound]     [ALSA Users]     [ALSA Devel]     [Linux Audio Users]     [Linux Media]     [Kernel]     [Photo Sharing]     [Gimp]     [Yosemite News]     [Linux Media]

  Powered by Linux