From e1a2509023785bd3199ac068ab80155aeba01265 Mon Sep 17 00:00:00 2001 From: Andrew Morton Date: Mon, 10 Apr 2006 22:54:05 -0700 Subject: [PATCH] make tty_insert_flip_string_flags() a non gpl export We changed the wrong symbol. It's tty_insert_flip_string_flags() which is called from the previously-non-GPL'ed now-inlined tty_insert_flip_char(). Fix that up, and uninline tty_schedule_flip() while we're there. Cc: Tobias Powalowski Cc: Alan Cox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/char/tty_io.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) (limited to 'drivers/char/tty_io.c') diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c index 98b126c2ded..6f58cacec34 100644 --- a/drivers/char/tty_io.c +++ b/drivers/char/tty_io.c @@ -351,10 +351,10 @@ int tty_buffer_request_room(struct tty_struct *tty, size_t size) spin_unlock_irqrestore(&tty->buf.lock, flags); return size; } - EXPORT_SYMBOL_GPL(tty_buffer_request_room); -int tty_insert_flip_string(struct tty_struct *tty, const unsigned char *chars, size_t size) +int tty_insert_flip_string(struct tty_struct *tty, const unsigned char *chars, + size_t size) { int copied = 0; do { @@ -368,17 +368,16 @@ int tty_insert_flip_string(struct tty_struct *tty, const unsigned char *chars, s tb->used += space; copied += space; chars += space; -/* printk("Flip insert %d.\n", space); */ } /* There is a small chance that we need to split the data over several buffers. If this is the case we must loop */ while (unlikely(size > copied)); return copied; } - EXPORT_SYMBOL(tty_insert_flip_string); -int tty_insert_flip_string_flags(struct tty_struct *tty, const unsigned char *chars, const char *flags, size_t size) +int tty_insert_flip_string_flags(struct tty_struct *tty, + const unsigned char *chars, const char *flags, size_t size) { int copied = 0; do { @@ -399,9 +398,20 @@ int tty_insert_flip_string_flags(struct tty_struct *tty, const unsigned char *ch while (unlikely(size > copied)); return copied; } - EXPORT_SYMBOL_GPL(tty_insert_flip_string_flags); +void tty_schedule_flip(struct tty_struct *tty) +{ + unsigned long flags; + spin_lock_irqsave(&tty->buf.lock, flags); + if (tty->buf.tail != NULL) { + tty->buf.tail->active = 0; + tty->buf.tail->commit = tty->buf.tail->used; + } + spin_unlock_irqrestore(&tty->buf.lock, flags); + schedule_delayed_work(&tty->buf.work, 1); +} +EXPORT_SYMBOL(tty_schedule_flip); /* * Prepare a block of space in the buffer for data. Returns the length -- cgit v1.2.3 From 9453a5adaf32aa0b31d1491819a083d403f645c1 Mon Sep 17 00:00:00 2001 From: Paul Fulghum Date: Mon, 10 Apr 2006 22:54:18 -0700 Subject: [PATCH] ptmx: fix duplicate idr_remove Remove duplicate call to idr_remove() in ptmx_open. Error during open can result in call to release_dev() followed by call to idr_remove(). release_dev already calls idr_remove so the second call can cause a stack dump in idr_remove()->sub_remove() flagging an attempt to release an already released entry. I reproduces this on a machine with a misconfigured X server (attempting to restart multiple times rapidly) getting the same error as the 1st link below. This also seems to be related to: http://marc.theaimsgroup.com/?l=selinux&m=110536513426735&w=2 http://marc.theaimsgroup.com/?l=selinux&m=110596994916785&w=2 The stack dump can occur on close (as well as open) as shown in the 1st instance above, possible from something like: process A - open (index=0), open fail to out1, release_dev calls idr_remove (index 0), down(sem) sleeps process B - open (index=0), open OK (idr allocated) process A - wake and call idr_remove on index 0 ... process B - close, release_dev, stack dump on idr_remove (index=0) because entry already removed Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/char/tty_io.c | 1 + 1 file changed, 1 insertion(+) (limited to 'drivers/char/tty_io.c') diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c index 6f58cacec34..b1f9a1582dd 100644 --- a/drivers/char/tty_io.c +++ b/drivers/char/tty_io.c @@ -2195,6 +2195,7 @@ static int ptmx_open(struct inode * inode, struct file * filp) return 0; out1: release_dev(filp); + return retval; out: down(&allocated_ptys_lock); idr_remove(&allocated_ptys, index); -- cgit v1.2.3 From 14a6283eb5c1c70e6deee985c85dcce884150737 Mon Sep 17 00:00:00 2001 From: Paul Fulghum Date: Mon, 10 Apr 2006 22:54:19 -0700 Subject: [PATCH] tty release_dev(): remove dead code Remove dead code from tty_io.c release_dev() Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/char/tty_io.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'drivers/char/tty_io.c') diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c index b1f9a1582dd..f70a47eadb5 100644 --- a/drivers/char/tty_io.c +++ b/drivers/char/tty_io.c @@ -1740,7 +1740,7 @@ static void release_dev(struct file * filp) { struct tty_struct *tty, *o_tty; int pty_master, tty_closing, o_tty_closing, do_sleep; - int devpts_master, devpts; + int devpts; int idx; char buf[64]; unsigned long flags; @@ -1757,7 +1757,6 @@ static void release_dev(struct file * filp) pty_master = (tty->driver->type == TTY_DRIVER_TYPE_PTY && tty->driver->subtype == PTY_TYPE_MASTER); devpts = (tty->driver->flags & TTY_DRIVER_DEVPTS_MEM) != 0; - devpts_master = pty_master && devpts; o_tty = tty->link; #ifdef TTY_PARANOIA_CHECK -- cgit v1.2.3 From 20ac94378de59d61dc39f10ed5530485e4ac8c07 Mon Sep 17 00:00:00 2001 From: "Eric W. Biederman" Date: Thu, 13 Apr 2006 04:49:07 -0600 Subject: [PATCH] do_SAK: Don't recursively take the tasklist_lock By calling send_sig do_SAK is recursively taking the tasklist_lock, which is silly. In addition I just audited the kernel and this was the only place where tasklist_lock is taken inside of task_lock. So this one line change is a general worthwhile cleanup and it increases our options on how to fix the ptrace_attach races. Signed-off-by: Linus Torvalds --- drivers/char/tty_io.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/char/tty_io.c') diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c index f70a47eadb5..841f0bd3eaa 100644 --- a/drivers/char/tty_io.c +++ b/drivers/char/tty_io.c @@ -2734,7 +2734,7 @@ static void __do_SAK(void *arg) printk(KERN_NOTICE "SAK: killed process %d" " (%s): fd#%d opened to the tty\n", p->pid, p->comm, i); - send_sig(SIGKILL, p, 1); + force_sig(SIGKILL, p); break; } } -- cgit v1.2.3 From ca99c1da080345e227cfb083c330a184d42e27f3 Mon Sep 17 00:00:00 2001 From: Dipankar Sarma Date: Tue, 18 Apr 2006 22:21:46 -0700 Subject: [PATCH] Fix file lookup without ref There are places in the kernel where we look up files in fd tables and access the file structure without holding refereces to the file. So, we need special care to avoid the race between looking up files in the fd table and tearing down of the file in another CPU. Otherwise, one might see a NULL f_dentry or such torn down version of the file. This patch fixes those special places where such a race may happen. Signed-off-by: Dipankar Sarma Acked-by: "Paul E. McKenney" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/char/tty_io.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'drivers/char/tty_io.c') diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c index 841f0bd3eaa..f07637a8f88 100644 --- a/drivers/char/tty_io.c +++ b/drivers/char/tty_io.c @@ -2723,7 +2723,11 @@ static void __do_SAK(void *arg) } task_lock(p); if (p->files) { - rcu_read_lock(); + /* + * We don't take a ref to the file, so we must + * hold ->file_lock instead. + */ + spin_lock(&p->files->file_lock); fdt = files_fdtable(p->files); for (i=0; i < fdt->max_fds; i++) { filp = fcheck_files(p->files, i); @@ -2738,7 +2742,7 @@ static void __do_SAK(void *arg) break; } } - rcu_read_unlock(); + spin_unlock(&p->files->file_lock); } task_unlock(p); } while_each_thread(g, p); -- cgit v1.2.3