summaryrefslogtreecommitdiff
path: root/drivers/tty/n_tty.c
AgeCommit message (Collapse)AuthorFilesLines
2014-11-05tty: Fix missed wakeup from packet mode status updatePeter Hurley1-4/+5
The pty master read() can miss the wake up for a packet mode status change. For example, CPU 0 | CPU 1 n_tty_read() | n_tty_packet_mode_flush() ... | . if (packet & link->ctrl_status) { | . /* no new ctrl_status ATM */ | . | spin_lock | ctrl_status |= TIOCPKT_FLUSHREAD | spin_unlock | wake_up(link->read_wait) } | set_current_state(TASK_INTERRUPTIBLE) | ... | The pty master read() will now sleep (assuming there is no input) having missed the read_wait wakeup. Set the task state before the condition test. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Reviewed-by: Alan Cox <alan@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-11-05pty: Don't claim slave's ctrl_lock for master's packet modePeter Hurley1-2/+2
The slave's ctrl_lock serializes updates to the ctrl_status field only, whereas the master's ctrl_lock serializes updates to the packet mode enable (ie., the master does not have ctrl_status and the slave does not have packet mode). Thus, claiming the slave's ctrl_lock to access ->packet is useless. Unlocked reads of ->packet are already smp-safe. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Reviewed-by: Alan Cox <alan@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-11-05tty: Use spin_lock_irq() for ctrl_lock when interrupts enabledPeter Hurley1-3/+2
Interrupts are enabled in the n_tty_read() loop, ioctl(TIOCPKT) and pty driver flush_buffer() routine; no need to save and restore local interrupt state. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Reviewed-by: Alan Cox <alan@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-10-28sched, tty: Deal with nested sleepsPeter Zijlstra1-12/+5
n_tty_{read,write} are wait loops with sleeps in. Wait loops rely on task_struct::state and sleeps do too, since that's the only means of actually sleeping. Therefore the nested sleeps destroy the wait loop state. Fix this by using the new woken_wake_function and wait_woken() stuff, which registers wakeups in wait and thereby allows shrinking the task_state::state changes to the actual sleep part. Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Jiri Slaby <jslaby@suse.cz> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: tglx@linutronix.de Cc: ilya.dryomov@inktank.com Cc: umgwanakikbuti@gmail.com Cc: oleg@redhat.com Link: http://lkml.kernel.org/r/20140924082242.323011233@infradead.org Signed-off-by: Ingo Molnar <mingo@kernel.org>
2014-09-08tty: Fix spurious poll() wakeupsPeter Hurley1-4/+4
When the N_TTY line discipline receives data and wakes readers to process the input, polling writers are also mistakenly woken. This is because, although readers and writers are differentiated by different wait queues (tty->read_wait & tty->write_wait), both wait queues are polled together. Thus, reader wakeups without poll flags still cause poll(POLLOUT) to wakeup. For received data, wakeup readers with POLLIN. Preserve the unspecific wakeup in n_tty_packet_mode_flush(), as this action should flag both POLLIN and POLLOUT. Fixes epoll_wait() for edge-triggered EPOLLOUT. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-06-19tty: Correct INPCK handlingPeter Hurley1-9/+10
If INPCK is not set, input parity detection should be disabled. This means parity errors should not be received from the tty driver, and the data received should be treated normally. SUS v3, 11.2.2, General Terminal Interface - Input Modes, states: "If INPCK is set, input parity checking shall be enabled. If INPCK is not set, input parity checking shall be disabled, allowing output parity generation without input parity errors. Note that whether input parity checking is enabled or disabled is independent of whether parity detection is enabled or disabled (see Control Modes). If parity detection is enabled but input parity checking is disabled, the hardware to which the terminal is connected shall recognize the parity bit, but the terminal special file shall not check whether or not this bit is correctly set." Ignore parity errors reported by the tty driver when INPCK is not set, and handle the received data normally. Fixes: Bugzilla #71681, 'Improvement of n_tty_receive_parity_error from n_tty.c' Reported-by: Ivan <athlon_@mail.ru> Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-06-03Merge branch 'locking-core-for-linus' of ↵Linus Torvalds1-1/+1
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip into next Pull core locking updates from Ingo Molnar: "The main changes in this cycle were: - reduced/streamlined smp_mb__*() interface that allows more usecases and makes the existing ones less buggy, especially in rarer architectures - add rwsem implementation comments - bump up lockdep limits" * 'locking-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (33 commits) rwsem: Add comments to explain the meaning of the rwsem's count field lockdep: Increase static allocations arch: Mass conversion of smp_mb__*() arch,doc: Convert smp_mb__*() arch,xtensa: Convert smp_mb__*() arch,x86: Convert smp_mb__*() arch,tile: Convert smp_mb__*() arch,sparc: Convert smp_mb__*() arch,sh: Convert smp_mb__*() arch,score: Convert smp_mb__*() arch,s390: Convert smp_mb__*() arch,powerpc: Convert smp_mb__*() arch,parisc: Convert smp_mb__*() arch,openrisc: Convert smp_mb__*() arch,mn10300: Convert smp_mb__*() arch,mips: Convert smp_mb__*() arch,metag: Convert smp_mb__*() arch,m68k: Convert smp_mb__*() arch,m32r: Convert smp_mb__*() arch,ia64: Convert smp_mb__*() ...
2014-05-03n_tty: Fix n_tty_write crash when echoing in raw modePeter Hurley1-0/+4
The tty atomic_write_lock does not provide an exclusion guarantee for the tty driver if the termios settings are LECHO & !OPOST. And since it is unexpected and not allowed to call TTY buffer helpers like tty_insert_flip_string concurrently, this may lead to crashes when concurrect writers call pty_write. In that case the following two writers: * the ECHOing from a workqueue and * pty_write from the process race and can overflow the corresponding TTY buffer like follows. If we look into tty_insert_flip_string_fixed_flag, there is: int space = __tty_buffer_request_room(port, goal, flags); struct tty_buffer *tb = port->buf.tail; ... memcpy(char_buf_ptr(tb, tb->used), chars, space); ... tb->used += space; so the race of the two can result in something like this: A B __tty_buffer_request_room __tty_buffer_request_room memcpy(buf(tb->used), ...) tb->used += space; memcpy(buf(tb->used), ...) ->BOOM B's memcpy is past the tty_buffer due to the previous A's tb->used increment. Since the N_TTY line discipline input processing can output concurrently with a tty write, obtain the N_TTY ldisc output_lock to serialize echo output with normal tty writes. This ensures the tty buffer helper tty_insert_flip_string is not called concurrently and everything is fine. Note that this is nicely reproducible by an ordinary user using forkpty and some setup around that (raw termios + ECHO). And it is present in kernels at least after commit d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to use the normal buffering logic) in 2.6.31-rc3. js: add more info to the commit log js: switch to bool js: lock unconditionally js: lock only the tty->ops->write call References: CVE-2014-0196 Reported-and-tested-by: Jiri Slaby <jslaby@suse.cz> Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Jiri Slaby <jslaby@suse.cz> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Cc: <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-18arch: Mass conversion of smp_mb__*()Peter Zijlstra1-1/+1
Mostly scripted conversion of the smp_mb__* barriers. Signed-off-by: Peter Zijlstra <peterz@infradead.org> Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Link: http://lkml.kernel.org/n/tip-55dhyhocezdw1dg7u19hmh1u@git.kernel.org Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: linux-arch@vger.kernel.org Signed-off-by: Ingo Molnar <mingo@kernel.org>
2014-02-13n_tty: Simplify input_available_p()Peter Hurley1-7/+4
Greg, Please note this patch requires n_tty: Fix poll() when TIME_CHAR and MIN_CHAR == 0 Regards, Peter Hurley Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-13n_tty: Fix stale echo outputPeter Hurley1-5/+7
When echoes cannot be flushed to output (usually because the tty has no more write room) and L_ECHO is subsequently turned off, then when L_ECHO is turned back on, stale echoes are output. Output completed echoes regardless of the L_ECHO setting: 1. before normal writes to that tty 2. if the tty was stopped by soft flow control and is being restarted Reported-by: Mikulas Patocka <mpatocka@redhat.com> Cc: <stable@vger.kernel.org> # 3.13.x Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-13n_tty: Fix poll() when TIME_CHAR and MIN_CHAR == 0Peter Hurley1-1/+1
Commit eafbe67f84761d787802e5113d895a316b6292fe, n_tty: Refactor input_available_p() by call site broke poll() when TIME_CHAR(tty) and MIN_CHAR(tty) are both 0. When TIME_CHAR and MIN_CHAR are both 0, input is available if the read_cnt is 1 (not 0). Reported-by: Eric Dumazet <edumazet@google.com> Tested-by: Eric Dumazet <edumazet@google.com> Reported-by: Stephane Eranian <eranian@google.com> Tested-by: David Ahern <dsahern@gmail.com> Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-12-24Merge 3.13-rc5 into tty-nextGreg Kroah-Hartman1-1/+6
We need the tty fixes in here as well. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-12-17n_tty: Fix apparent order of echoed outputPeter Hurley1-1/+6
With block processing of echoed output, observed output order is still required. Push completed echoes and echo commands prior to output. Introduce echo_mark echo buffer index, which tracks completed echo commands; ie., those submitted via commit_echoes but which may not have been committed. Ensure that completed echoes are output prior to subsequent terminal writes in process_echoes(). Fixes newline/prompt output order in cooked mode shell. Cc: <stable@vger.kernel.org> # 3.12.x : 39434ab n_tty: Fix missing newline echo Reported-by: Karl Dahlke <eklhad@comcast.net> Reported-by: Mikulas Patocka <mpatocka@redhat.com> Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Tested-by: Karl Dahlke <eklhad@comcast.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-12-17n_tty: Fix buffer overruns with larger-than-4k pastesPeter Hurley1-3/+23
readline() inadvertently triggers an error recovery path when pastes larger than 4k overrun the line discipline buffer. The error recovery path discards input when the line discipline buffer is full and operating in canonical mode and no newline has been received. Because readline() changes the termios to non-canonical mode to read the line char-by-char, the line discipline buffer can become full, and then when readline() restores termios back to canonical mode for the caller, the now-full line discipline buffer triggers the error recovery. When changing termios from non-canon to canon mode and the read buffer contains data, simulate an EOF push _without_ the DISABLED_CHAR in the read buffer. Importantly for the readline() problem, the termios can be changed back to non-canonical mode without changes to the read buffer occurring; ie., as if the previous termios change had not happened (as long as no intervening read took place). Preserve existing userspace behavior which allows '\0's already received in non-canon mode to be read as '\0's in canon mode (rather than trigger add'l EOF pushes or an actual EOF). Patch based on original proposal and discussion here https://bugzilla.kernel.org/show_bug.cgi?id=55991 by Stas Sergeev <stsp@users.sourceforge.net> Reported-by: Margarita Manterola <margamanterola@gmail.com> Cc: Maximiliano Curia <maxy@gnuservers.com.ar> Cc: Pavel Machek <pavel@ucw.cz> Cc: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com> Acked-by: Stas Sergeev <stsp@users.sourceforge.net> Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-12-16Merge 3.13-rc4 into tty-nextGreg Kroah-Hartman1-2/+4
We want the fixes in here as well.
2013-12-08n_tty: Only perform wakeups for waitersPeter Hurley1-6/+12
Only wakeup the _waiting_ reader, polls and/or writer(s). Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-12-08n_tty: Refactor input_available_p() by call sitePeter Hurley1-3/+4
Distinguish if caller is n_tty_poll() or n_tty_read(), and set the read/wakeup threshold accordingly. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-12-08n_tty: Refactor PARMRK doubling checksPeter Hurley1-9/+5
Perform PARMRK doubling checks explicitly; remove ternary idiom and local variable. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-12-08n_tty: Un-inline slow-path n_tty_receive_char_closing()Peter Hurley1-2/+1
Although n_tty_receive_char_closing() only has one call-site, let the compiler inline instead. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-12-08n_tty: Un-inline slow-path n_tty_receive_char()Peter Hurley1-1/+1
Commit e60d27c4d8b33ba20896b76b6558f061bc6460ff, n_tty: Factor LNEXT processing from per-char i/o path, mistakenly inlined the non-inline alias, n_tty_receive_char(), for the inline function, n_tty_receive_char_inline(). As n_tty_receive_char() is intended for slow-path char processing only, un-inline it. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-12-08n_tty: Merge .receive_buf() flavorsPeter Hurley1-27/+16
N_TTY's direct and flow-controlled flavors of the .receive_buf() method are nearly identical; fold together. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-29n_tty: Fix missing newline echoPeter Hurley1-2/+4
When L_ECHONL is on, newlines are echoed regardless of the L_ECHO state; if set, ensure accumulated echoes are flushed before finishing the current input processing and before more output. Cc: <stable@vger.kernel.org> # 3.12.x Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com> Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25n_tty: Protect minimum_to_wake reset for concurrent readersPeter Hurley1-2/+2
With multiple, concurrent readers (each waiting to acquire the atomic_read_lock mutex), a departing reader may mistakenly reset minimum_to_wake after a new reader has already set a new value. Protect the minimum_to_wake reset with the atomic_read_lock critical section. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25n_tty: Fix 4096-byte canonical readsPeter Hurley1-1/+4
Although the maximum allowable canonical line is specified to be 255 bytes (MAX_CANON), the practical limit has actually been the size of the line discipline read buffer (N_TTY_BUF_SIZE == 4096). Commit 32f13521ca68bc624ff6effc77f308a52b038bf0, n_tty: Line copy to user buffer in canonical mode, limited the line copy to 4095 bytes. With a completely full line discipline read buffer and a userspace buffer > 4095, _no_ data was copied, and the read() syscall returned 0, indicating EOF. Fix the interval arithmetic to compute the correct number of bytes to copy to userspace in the range [1..4096]. Cc: <stable@vger.kernel.org> # 3.12.x Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25n_tty: Fix echo overrun tail computationPeter Hurley1-1/+1
Commit cbfd0340ae1993378fd47179db949e050e16e697, 'n_tty: Process echoes in blocks', introduced an error when consuming the echo buffer tail to prevent buffer overrun, where the incorrect operation code byte is checked to determine how far to advance the tail to the next echo byte. Check the correct byte for the echo operation code byte. Cc: <stable@vger.kernel.org> # 3.12.x : c476f65 tty: incorrect test of echo_buf() result for ECHO_OP_START Cc: <stable@vger.kernel.org> # 3.12.x Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25n_tty: Ensure reader restarts worker for next readerPeter Hurley1-2/+3
A departing reader must restart a flush_to_ldisc() worker _before_ the next reader enters the read loop; this is to avoid the new reader concluding no more i/o is available and prematurely exiting, when the old reader simply hasn't re-started the worker yet. Cc: stable <stable@vger.kernel.org> # 3.12 Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-10-16tty: incorrect test of echo_buf() result for ECHO_OP_STARTRoel Kluin1-1/+1
test echo_buf() result for ECHO_OP_START Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Acked-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-10-06Merge 3.12-rc4 into tty-nextGreg Kroah-Hartman1-20/+26
We want the tty fixes in this branch as well. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-09-30tty: Fix pty master read() after slave closesPeter Hurley1-20/+26
Commit f95499c3030fe1bfad57745f2db1959c5b43dca8, n_tty: Don't wait for buffer work in read() loop creates a race window which can cause a pty master read() to miss the last pty slave write(s) and return -EIO instead, thus signalling the pty slave is closed. This can happen when the pty slave is written and immediately closed but before the tty buffer i/o loop receives the new input; the pty master read() is scheduled, sees its read buffer is empty and the pty slave has been closed, and exits. Because tty_flush_to_ldisc() has significant performance impact for parallel i/o, rather than revert the commit, special case this condition (ie., when the read buffer is empty and the 'other' pty has been closed) and, only then, wait for buffer work to complete before re-testing if the read buffer is still empty. As before, subsequent pty master reads return any available data until no more data is available, and then returns -EIO to indicate the pty slave has closed. Reported-by: Mikael Pettersson <mikpelinux@gmail.com> Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Tested-by: Mikael Pettersson <mikpelinux@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-09-29Merge 3.12-rc3 into tty-nextGreg Kroah-Hartman1-2/+1
We want the tty/serial fixes in here as well. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-09-25n_tty: Style fix in n_tty_set_termiosPeter Hurley1-2/+1
Remove braces from single-statement conditional in n_tty_set_termios. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-09-25n_tty: Remove unnecessary local variablePeter Hurley1-4/+1
Flatten conditional evaluation in n_tty_set_termios; remove canon_change. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-09-25n_tty: Remove superfluous reader wakeupPeter Hurley1-3/+0
n_tty's .set_termios method unconditionally performs reader wakeup; remove extra reader wakeup for canonical mode changes. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-09-17n_tty: Fix EOF push index when termios changesPeter Hurley1-2/+1
Commit 40d5e0905a03601d40cd4e46b8690093c2355d03, 'n_tty: Fix EOF push handling' introduced a subtle state change error wrt EOF push handling when the termios is changed from non-canonical to canonical mode. Reset line_start to the current read_tail index, not 0. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-08-12n_tty: Fix termios_rwsem lockdep false positivePeter Hurley1-14/+11
Lockdep reports a circular lock dependency between atomic_read_lock and termios_rwsem [1]. However, a lock order deadlock is not possible since CPU1 only holds a read lock which cannot prevent CPU0 from also acquiring a read lock on the same r/w semaphore. Unfortunately, lockdep cannot currently distinguish whether the locks are read or write for any particular lock graph, merely that the locks _were_ previously read and/or write. Until lockdep is fixed, re-order atomic_read_lock so termios_rwsem can be dropped and reacquired without triggering lockdep. Patch based on original posted here https://lkml.org/lkml/2013/8/1/510 by Sergey Senozhatsky <sergey.senozhatsky@gmail.com> [1] Initial lockdep report from Artem Savkov <artem.savkov@gmail.com> ====================================================== [ INFO: possible circular locking dependency detected ] 3.11.0-rc3-next-20130730+ #140 Tainted: G W ------------------------------------------------------- bash/1198 is trying to acquire lock: (&tty->termios_rwsem){++++..}, at: [<ffffffff816aa3bb>] n_tty_read+0x49b/0x660 but task is already holding lock: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff816aa0f0>] n_tty_read+0x1d0/0x660 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&ldata->atomic_read_lock){+.+...}: [<ffffffff811111cc>] validate_chain+0x73c/0x850 [<ffffffff811117e0>] __lock_acquire+0x500/0x5d0 [<ffffffff81111a29>] lock_acquire+0x179/0x1d0 [<ffffffff81d34b9c>] mutex_lock_interruptible_nested+0x7c/0x540 [<ffffffff816aa0f0>] n_tty_read+0x1d0/0x660 [<ffffffff816a3bb6>] tty_read+0x86/0xf0 [<ffffffff811f21d3>] vfs_read+0xc3/0x130 [<ffffffff811f2702>] SyS_read+0x62/0xa0 [<ffffffff81d45259>] system_call_fastpath+0x16/0x1b -> #0 (&tty->termios_rwsem){++++..}: [<ffffffff8111064f>] check_prev_add+0x14f/0x590 [<ffffffff811111cc>] validate_chain+0x73c/0x850 [<ffffffff811117e0>] __lock_acquire+0x500/0x5d0 [<ffffffff81111a29>] lock_acquire+0x179/0x1d0 [<ffffffff81d372c1>] down_read+0x51/0xa0 [<ffffffff816aa3bb>] n_tty_read+0x49b/0x660 [<ffffffff816a3bb6>] tty_read+0x86/0xf0 [<ffffffff811f21d3>] vfs_read+0xc3/0x130 [<ffffffff811f2702>] SyS_read+0x62/0xa0 [<ffffffff81d45259>] system_call_fastpath+0x16/0x1b other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&ldata->atomic_read_lock); lock(&tty->termios_rwsem); lock(&ldata->atomic_read_lock); lock(&tty->termios_rwsem); *** DEADLOCK *** 2 locks held by bash/1198: #0: (&tty->ldisc_sem){.+.+.+}, at: [<ffffffff816ade04>] tty_ldisc_ref_wait+0x24/0x60 #1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff816aa0f0>] n_tty_read+0x1d0/0x660 stack backtrace: CPU: 1 PID: 1198 Comm: bash Tainted: G W 3.11.0-rc3-next-20130730+ #140 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 0000000000000000 ffff880019acdb28 ffffffff81d34074 0000000000000002 0000000000000000 ffff880019acdb78 ffffffff8110ed75 ffff880019acdb98 ffff880019fd0000 ffff880019acdb78 ffff880019fd0638 ffff880019fd0670 Call Trace: [<ffffffff81d34074>] dump_stack+0x59/0x7d [<ffffffff8110ed75>] print_circular_bug+0x105/0x120 [<ffffffff8111064f>] check_prev_add+0x14f/0x590 [<ffffffff81d3ab5f>] ? _raw_spin_unlock_irq+0x4f/0x70 [<ffffffff811111cc>] validate_chain+0x73c/0x850 [<ffffffff8110ae0f>] ? trace_hardirqs_off_caller+0x1f/0x190 [<ffffffff811117e0>] __lock_acquire+0x500/0x5d0 [<ffffffff81111a29>] lock_acquire+0x179/0x1d0 [<ffffffff816aa3bb>] ? n_tty_read+0x49b/0x660 [<ffffffff81d372c1>] down_read+0x51/0xa0 [<ffffffff816aa3bb>] ? n_tty_read+0x49b/0x660 [<ffffffff816aa3bb>] n_tty_read+0x49b/0x660 [<ffffffff810e4130>] ? try_to_wake_up+0x210/0x210 [<ffffffff816a3bb6>] tty_read+0x86/0xf0 [<ffffffff811f21d3>] vfs_read+0xc3/0x130 [<ffffffff811f2702>] SyS_read+0x62/0xa0 [<ffffffff815e24ee>] ? trace_hardirqs_on_thunk+0x3a/0x3f [<ffffffff81d45259>] system_call_fastpath+0x16/0x1b Reported-by: Artem Savkov <artem.savkov@gmail.com> Reported-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com> Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-24n_tty: Factor LNEXT processing from per-char i/o pathPeter Hurley1-72/+94
LNEXT processing accounts for ~15% of total cpu time in end-to-end tty i/o; factor the lnext test/clear from the per-char i/o path. Instead, attempt to immediately handle the literal next char if not at the end of this received buffer; otherwise, handle the first char of the next received buffer as the literal next char, then continue with normal i/o. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-24n_tty: Un-inline single-use functionsPeter Hurley1-6/+5
gcc will likely inline these single-use functions anyway; remove inline modifier. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-24n_tty: Remove overflow tests from receive_buf() pathPeter Hurley1-48/+37
Always pre-figure the space available in the read_buf and limit the inbound receive request to that amount. For compatibility reasons with the non-flow-controlled interface, n_tty_receive_buf() will continue filling read_buf until all data has been received or receive_room() returns 0. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-24n_tty: Factor PARMRK from normal per-char i/oPeter Hurley1-2/+43
Handle PARMRK processing on the slow per-char i/o path. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-24n_tty: Factor ISTRIP and IUCLC receive_buf into separate fnPeter Hurley1-12/+32
Convert to modal receive_buf processing; factor char receive processing for unusual termios settings out of normal per-char i/o path. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-24n_tty: Split n_tty_receive_char()Peter Hurley1-47/+56
Factor 'special' per-char processing into standalone fn, n_tty_receive_char_special(), which handles processing for chars marked in the char_map. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-24n_tty: Eliminate char tests from IXANY restart testPeter Hurley1-7/+12
Relocate the IXANY restart tty test to code paths where the the received char is not START_CHAR, STOP_CHAR, INTR_CHAR, QUIT_CHAR or SUSP_CHAR. Fixes the condition when ISIG if off and one of INTR_CHAR, QUIT_CHAR or SUSP_CHAR does not restart i/o. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-24n_tty: Factor standard per-char i/o into separate fnPeter Hurley1-10/+17
Simplify __receive_buf() into a dispatch function; perform per-char processing for all other modes not already handled. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-24n_tty: Fix build breakage on ppc64Peter Hurley1-0/+1
Commit 20bafb3d23d108bc0a896eb8b7c1501f4f649b77 'n_tty: Move buffers into n_tty_data' broke the ppc64 build. Include vmalloc.h for the required function declarations. Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-23n_tty: Factor tty->closing receive_buf() into separate fnPeter Hurley1-11/+39
Convert to modal receive_buf() processing; factor receive char processing when tty->closing into n_tty_receive_buf_closing(). Note that EXTPROC when ISTRIP or IUCLC is set continues to be handled by n_tty_receive_char(). Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-23n_tty: Special case EXTPROC receive_buf() as raw modePeter Hurley1-1/+2
When EXTPROC is set without ISTRIP or IUCLC, processing is identical to raw mode; handle this receiving mode as a special-case of raw mode. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-23n_tty: Factor raw mode receive_buf() into separate fnPeter Hurley1-5/+19
Convert to modal receive_buf() processing; factor raw mode per-char i/o into n_tty_receive_buf_raw(). Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-23n_tty: Factor flagged char handling into separate fnPeter Hurley1-21/+29
Prepare for modal receive_buf() handling; factor handling for TTY_BREAK, TTY_PARITY, TTY_FRAME and TTY_OVERRUN into n_tty_receive_char_flagged(). Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-23n_tty: Factor signal char handling into separate fnPeter Hurley1-24/+28
Reduce the monolithic n_tty_receive_char() complexity; factor the handling of INTR_CHAR, QUIT_CHAR and SUSP_CHAR into n_tty_receive_signal_char(). Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>