A -next commit "TTY: HVC, use tty from tty_port" switched the driver
to use tty_port helper for tty refcounting. But it omitted to remove
manual tty refcounting from open, close and hangup. So now we are
getting random crashes caused by use-after-free:

Unable to handle kernel paging request for data at address 0xc0000003f9d550
Faulting instruction address: 0xc0000000001b7f40
Oops: Kernel access of bad area, sig: 11 [#1]
...
NIP: c0000000001b7f40 LR: c0000000001b7f14 CTR: c0000000000e04f0
...
NIP [c0000000001b7f40] .__kmalloc+0x70/0x230
LR [c0000000001b7f14] .__kmalloc+0x44/0x230
Call Trace:
[c0000003f68bf930] [c0000003f68bf9b0] 0xc0000003f68bf9b0 (unreliable)
[c0000003f68bf9e0] [c0000000001e5424] .alloc_fdmem+0x24/0x70
[c0000003f68bfa60] [c0000000001e54f8] .alloc_fdtable+0x88/0x130
[c0000003f68bfaf0] [c0000000001e5924] .dup_fd+0x384/0x450
[c0000003f68bfbd0] [c00000000009a310] .copy_process+0x880/0x11d0
[c0000003f68bfcd0] [c00000000009aee0] .do_fork+0x70/0x400
[c0000003f68bfdc0] [c0000000000141c4] .sys_clone+0x54/0x70
[c0000003f68bfe30] [c000000000009aa0] .ppc_clone+0x8/0xc

Fix that by complete removal of tty_kref_get/put in open/close/hangup
paths.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Reported-and-tested-by: Michael Neuling <mikey@neuling.org>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: ppc-dev <linuxppc-dev@lists.ozlabs.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Pull tty and serial fixes from Greg KH:
"Here are some tty and serial fixes for 3.4-rc2.

Most important here is the pl011 fix, which has been reported by about
100 different people, which means more people use it than I expected
:)

There are also some 8250 driver reverts due to some problems reported
by them. And other minor fixes as well.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>"

* tag 'tty-3.4-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
  pch_uart: Add Kontron COMe-mTT10 uart clock quirk
  pch_uart: Fix MSI setting issue
  serial/8250_pci: add a "force background timer" flag and use it for the "kt" serial port
  Revert "serial/8250_pci: setup-quirk workaround for the kt serial controller"
  Revert "serial/8250_pci: init-quirk msi support for kt serial controller"
  tty/serial/omap: console can only be built-in
  serial: samsung: fix omission initialize ulcon in reset port fn()
  printk(): add KERN_CONT where needed in hpet and vt code
  tty/serial: atmel_serial: fix RS485 half-duplex problem
  tty: serial: altera_uart: Check for NULL platform_data in probe.
  isdn/gigaset: use gig_dbg() for debugging output
  omap-serial: Fix the error handling in the omap_serial probe
  serial: PL011: move interrupt clearing

This updates the earlier break_ctl support regardless of regtype so long
as the requisite SCSPTR exists. This is the same approach used by
sci_init_pins() for providing a generic solution now that we're able to
detect register capabilities on a per-port basis.

Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>

tty_buffer_request_room is well protected, but after it returns,
it releases the port->lock. tty->buf.tail might be modified
by either irq handler or other threads. The patch adds more protection
by holding the lock across tty buffer finding and buffer filling.

Signed-off-by: Alek Du <alek.du@intel.com>
Signed-off-by: Xiaobing Tu <xiaobing.tu@intel.com>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

set_get_cmap() ignored the result of {get,put}_user(), causing ioctl(vt,
{G,P}IO_CMAP, 0xdeadbeef) to silently fail.

Another side effect of this: calling the PIO_CMAP ioctl with an invalid
buffer would zero the default colormap and the palette for all vts (all
colors set to black).

Leave the default colormap intact and return -EFAULT when
reading/writing to the userspace buffer fails.

Signed-off-by: Michael Gehring <mg@ebfe.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
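
Added example, not part of the commit above and not the kernel's code: a userspace C model of the failure mode that message describes and of the "leave the default intact, return -EFAULT" behaviour it asks for. model_get_user(), default_cmap and the set_cmap_* functions are hypothetical names; a NULL source pointer stands in for the invalid userspace buffer.

```c
#include <errno.h>
#include <string.h>

#define CMAP_LEN (3 * 16)   /* 16 colors x (red, green, blue) */
static unsigned char default_cmap[CMAP_LEN];   /* stands in for the console colormap */

void reset_cmap(void)       /* constructed, all non-zero sample palette */
{
    for (int i = 0; i < CMAP_LEN; i++)
        default_cmap[i] = (unsigned char)(i + 1);
}

/* Model of get_user(): a fault zeroes *dst and returns -EFAULT; NULL src = bad buffer. */
static int model_get_user(unsigned char *dst, const unsigned char *src)
{
    if (!src) { *dst = 0; return -EFAULT; }
    *dst = *src;
    return 0;
}

/* Behaviour the message describes: results ignored, globals written directly. */
int set_cmap_unchecked(const unsigned char *ubuf)
{
    for (int i = 0; i < CMAP_LEN; i++)
        model_get_user(&default_cmap[i], ubuf ? ubuf + i : NULL);
    return 0;               /* the caller never learns the copy failed */
}

/* Checked form: stage locally, commit only if every read succeeded. */
int set_cmap_checked(const unsigned char *ubuf)
{
    unsigned char staged[CMAP_LEN];

    for (int i = 0; i < CMAP_LEN; i++)
        if (model_get_user(&staged[i], ubuf ? ubuf + i : NULL))
            return -EFAULT; /* default_cmap is left untouched */
    memcpy(default_cmap, staged, CMAP_LEN);
    return 0;
}

int cmap_is_black(void)     /* 1 when every entry is zero */
{
    unsigned any = 0;
    for (int i = 0; i < CMAP_LEN; i++)
        any |= default_cmap[i];
    return !any;
}
```
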
Currently, when a line status interrupt occurs,
the return value is not set in the interrupt handler function.
As a result, 0 can be returned.
This patch adds setting of the return value.

Signed-off-by: Tomoya MORINAGA <tomoya.rohm@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Target uart register access size is 8bit.
However, 32bit is used at 2 points.
This patch modifies type "unsigned int" to "unsigned char".

Signed-off-by: Tomoya MORINAGA <tomoya.rohm@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Since the code is identical, use the tty_port_block_til_ready helper
instead of re-implemented variant.

The code does not perform rtsdts handling, hence we do not need to
provide tty port hooks for them. The default ones will be used
instead. The only necessary thing is to provide tty_port_operations.
It is empty, but has to be there...

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: linux-m68k@lists.linux-m68k.org
Acked-by: Greg Ungerer <gerg@uclinux.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

flags passed to local_irq_save/restore should be ulong. Switch them
to that. Otherwise we get compilation warnings:
.../68328serial.c:248:9: warning: comparison of distinct pointer types lacks a cast [enabled by default]
.../68328serial.c:257:9: warning: comparison of distinct pointer types lacks a cast [enabled by default]

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: linux-m68k@lists.linux-m68k.org
Acked-by: Greg Ungerer <gerg@uclinux.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Not everything from struct m68k_serial is really used. So remove
unused or only-set members of that structure. Next step is to move it
to 68328serial.c and remove 68328serial.h completely.

This change also takes status_handle and batten_down_hatches away
since they use break_abort but do nothing.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: linux-m68k@lists.linux-m68k.org
Acked-by: Greg Ungerer <gerg@uclinux.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

It does not make the driver less racy though. Close and hangup should
be rewritten and tty refcounting used properly.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Jiri Kosina <jkosina@suse.cz>
Acked-by: David Sterba <dsterba@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>