__tty_open could return (to userspace) holding the tty_mutex thanks to a
regression introduced by 4a2b5fddd5 ("Move
tty lookup/reopen to caller").
This was found by bisecting an fsfuzzer problem. Admittedly I have no
idea how it managed to tickle this 100% reliably, but it is clearly a
regression and when hit leaves the box in a completely unusable state.
This patch lets the fsfuzzer test complete every time.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This patch removes the tty->low_latency setting.
For irq based hvc_console backends the tty->low_latency must be set to 0,
because the tty_flip_buffer_push() function must not be called from IRQ context
(see drivers/char/tty_buffer.c).
For polled backends, the low_latency setting causes the bug trace below, because
tty_flip_buffer_push() is called within an atomic context and subsequent calls
might sleep due to mutex_lock.
BUG: sleeping function called from invalid context at /root/cvs/linux-2.6.git/kernel/mutex.c:207
in_atomic(): 1, irqs_disabled(): 0, pid: 748, name: khvcd
1 lock held by khvcd/748:
#0: (hvc_structs_lock){--..}, at: [<00000000002ceb50>] khvcd+0x58/0x12c
CPU: 0 Not tainted 2.6.29-rc1git #29
Process khvcd (pid: 748, task: 000000002fb9a480, ksp: 000000002f66bd78)
070000000000000a 000000002f66ba00 0000000000000002 (null)
000000002f66baa0 000000002f66ba18 000000002f66ba18 0000000000104f08
ffffffffffffc000 000000002f66bd78 (null) (null)
000000002f66ba00 000000000000000c 000000002f66ba00 000000002f66ba70
0000000000466af8 0000000000104f08 000000002f66ba00 000000002f66ba50
Call Trace:
([<0000000000104e7c>] show_trace+0x138/0x158)
[<0000000000104f62>] show_stack+0xc6/0xf8
[<0000000000105740>] dump_stack+0xb0/0xc0
[<000000000013144a>] __might_sleep+0x14e/0x17c
[<000000000045e226>] mutex_lock_nested+0x42/0x3b4
[<00000000002c443e>] echo_char_raw+0x3a/0x9c
[<00000000002c688c>] n_tty_receive_buf+0x1154/0x1208
[<00000000002ca0a2>] flush_to_ldisc+0x152/0x220
[<00000000002ca1da>] tty_flip_buffer_push+0x6a/0x90
[<00000000002cea74>] hvc_poll+0x244/0x2c8
[<00000000002ceb68>] khvcd+0x70/0x12c
[<000000000015bbd0>] kthread+0x68/0xa0
[<0000000000109d5a>] kernel_thread_starter+0x6/0xc
[<0000000000109d54>] kernel_thread_starter+0x0/0xc
1 lock held by khvcd/748:
#0: (hvc_structs_lock){--..}, at: [<00000000002ceb50>] khvcd+0x58/0x12c
Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
If you issue an ioctl to flush a tty as the line discipline is changing or
otherwise unplugged you can get a crash. The bug is very old but the rest
of the BKL lock dropping and some very "good" luck on Ingo's part caught
an example.
Use the correct ldisc_ref form so that we wait for the ldisc change to
complete and then flush
Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Replace kmalloc() + memset() with kzalloc().
Signed-off-by: Milton Miller <miltonm@bga.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
hvc_console is setting low_latency unconditionally, but some clients are
interrupt driven and will call hvc_poll from irq context. This will cause
tty_flip_buffer_push to be called from irq context, and it very clearly
states it must not be called from IRQ when low_latency is specified.
Looking back through history:
v2.6.16-rc1 via 33f0f88f1c
[PATCH] TTY layer buffering revamp
added this new api.
v2.6.16-rc3 via 8977d929e4
[PATCH] tty buffering stall fix
claims to fix a stall discovered with hvc_console
v2.6.16-rc5 via fb5c594c2a
[PATCH] Fix race condition in hvc console.
said set this flag to avoid a stall problem, and was merged through
the powerpc arch tree.
Without searching for email discussions, it would appear to be an
overlapping "fix", but one that did not consider all users.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Only call free_irq if we marked the request_irq has having succeeded
instead of whenever the the sub-driver identified the interrupt to use.
Signed-off-by: Milton Miller <miltonm@bga.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
I remember some history on this barrier. There was a race between
open via /dev/console and the tty being fully setup. Its also why
there is a temporary variable and the global is assigned at the end
of the function.
Signed-off-by: Milton Miller <miltonm@bga.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
The pty changes and updates for window sizing forgot to correct the
kerneldoc
Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
warning: ignoring return value of 'request_irq', declared with attribute
warn_unused_result
and clean up the error path handling.
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
warning: ignoring return value of 'request_irq', declared with attribute
warn_unused_result
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
warning: ignoring return value of 'request_irq', declared with attribute
warn_unused_result
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
* 'for-linus' of git://git390.osdl.marist.edu/pub/scm/linux-2.6:
[S390] update documentation for hvc_iucv kernel parameter.
[S390] hvc_iucv: Special handling of IUCV HVC devices
[S390] hvc_iucv: Refactor console and device initialization
[S390] hvc_iucv: Update function documentation
[S390] hvc_iucv: Limit rate of outgoing IUCV messages
[S390] hvc_iucv: Change IUCV term id and use one device as default
[S390] Use unsigned long long for u64 on 64bit.
[S390] qdio: fix broken pointer in case of CONFIG_DEBUG_FS is disabled
[S390] vdso: compile fix
[S390] remove code for oldselect system call
[S390] types: add/fix types.h include in header files
[S390] dasd: add device attribute to disable blocking on lost paths
[S390] dasd: send change uevents for dasd block devices
[S390] tape block: fix dependencies
[S390] asm-s390/posix_types.h: drop __USE_ALL usage
[S390] gettimeofday.S: removed duplicated #includes
[S390] ptrace: no extern declarations for userspace
This patch introduces special handling of the IUCV HVC console device.
If the first IUCV HVC terminal is used as (preferred) Linux console, and
needs some special handling for hangup.
The hvc_iucv_private structure contains a flag to indicate whether a IUCV
HVC device is used as a console.
A terminal acting as "console" behaves different if a tty hangup occurs:
If the iucv communication path is severed, a tty hangup is not
triggered (because the HVC layer does not notify its back-end in that case).
Instead, the console session is left unchanged and the IUCV HVC device is
reset to allow re-connects.
Note: Any output between the disconnect and a re-connect is discarded.
Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
The console_initcall() order might pick up the hvc_iucv device as preferred
console even if it is not yet initialized.
Move HVC console instantiation to hvc_iucv_init() and cleanup device driver
initialization.
Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
This patch introduces a send buffer to limit outgoing IUCV messages up to
a maximum of 25 IUCV messages per second.
If no communication path to a IUCV HVC terminal exist, any data written to
the terminal is discarded.
Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
The patch renames the IUCV application ID from "ihvc" to "lnxhvc".
The device driver allocates one IUCV terminal device (lnxhvc0) as default.
Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
