[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20090721202123.404339aa@lxorguk.ukuu.org.uk>
Date: Tue, 21 Jul 2009 20:21:23 +0100
From: Alan Cox <alan@...rguk.ukuu.org.uk>
To: Alan Stern <stern@...land.harvard.edu>
Cc: Daniel Mack <daniel@...aq.de>,
Kernel development list <linux-kernel@...r.kernel.org>,
USB list <linux-usb@...r.kernel.org>
Subject: Re: [PATCH] [usb-serial] fix Ooops on uplug
> > file->f_ops = &hung_up_tty_ops;
> >
> > (so the USB close will never be called)
>
> That doesn't make sense. The driver's open method has been called, so
> of course the driver expects its close method to be called.
The driver close method yes - but that uses tty_port_close_start() which
sees the port was hung up and leaves well alone.
> > ldisc hangup
> > tty->ops->hangup (no-op on USB serial)
>
> What do you mean? There is a serial_hangup method in usb-serial.c
> and it does get called; see below.
Thats me not reading carefully. It isn't just a resource free it does
stuff. That calls drv->close() so in fact the USB layer for want of a
better word "fakes" the close.
> [ 283.624088] [<f08b09d7>] serial_hangup+0x45/0x66 [usbserial]
> [ 283.624187] [<c112018c>] do_tty_hangup+0x28c/0x2b9
So we passed
/* This breaks for file handles being sent over AF_UNIX sockets ?
*/ list_for_each_entry(filp, &tty->tty_files, f_u.fu_list) {
if (filp->f_op->write == redirected_tty_write)
cons_filp = filp;
if (filp->f_op->write != tty_write)
continue;
closecount++;
tty_fasync(-1, filp, 0); /* can't block */
filp->f_op = &hung_up_tty_fops;
}
and changed the fops. As you say my theory was completely wrong
> Close the open file descriptor:
> [ 291.227977] tty_release_dev of tty2 (tty count=2)...
> [ 291.230492] tty_release_dev of ttyUSB0 (tty count=1)...
> [ 291.230630] serial_close port 107 (ef7fd920)
>
> That line was inserted in serial_close. As you can see, the port
> number is wrong because the port structure has already been
> deallocated by port_free. And that leads to the following corruption.
Bingo - and that in turn means that the tty layer doesn't realise the
port has been hung up which makes tty_port_close_start do random things
which causes us to double free.
So in fact we need to delay the resource free until the tty layer has
really finished with it as the port resource contains the tty layer port.
We can't just skip freeing the resources in the hangup method as
tty_port_close_start() will return 0 and leak them on a hangup.
Alan: does this make sense
Take an extra tty layer reference to the usb_serial at open time
Put that reference in the tty shutdown() hook which is called
when the tty struct gets its final kref_put (ie after the close,
and if there is any outstanding other use eg in an IRQ handler on
another processor).
Am I understanding the usb_serial_port lifetime correctly ?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists