linux/drivers, branch v2.6.16.49

tty_io: fix race in master pty close/slave pty close path

2007-04-20T22:18:01Z

This patch fixes a possible race that leads to double freeing an idr index. When the master begin to close, release_dev() is called and then pty_close() is called: if (tty->driver->close) tty->driver->close(tty, filp); This is done without helding any locks other than BKL. Inside pty_close(), being a master close, the devpts entry will be removed: #ifdef CONFIG_UNIX98_PTYS if (tty->driver == ptm_driver) devpts_pty_kill(tty->index); #endif But devpts_pty_kill() will call get_node() that may sleep while waiting for &devpts_root->d_inode->i_sem. When this happens and the slave is being opened, tty_open() just found the driver and index: driver = get_tty_driver(device, &index); if (!driver) { mutex_unlock(&tty_mutex); return -ENODEV; } This part of the code is already protected under tty_mute. The problem is that the slave close already got an index. Then init_dev() is called and blocks waiting for the same &devpts_root->d_inode->i_sem. When the master close resumes, it removes the devpts entry, and the relation between idr index and the tty is gone. The master then sleeps waiting for the tty_mutex on release_dev(). Slave open resumes and found no tty for that index. As result, a NULL tty is returned and init_dev() doesn't flow to fast_track: /* check whether we're reopening an existing tty */ if (driver->flags & TTY_DRIVER_DEVPTS_MEM) { tty = devpts_get_tty(idx); if (tty && driver->subtype == PTY_TYPE_MASTER) tty = tty->link; } else { tty = driver->ttys[idx]; } if (tty) goto fast_track; The result of this, is that a new tty will be created and init_dev() returns sucessfull. After returning, tty_mutex is dropped and master close may resume. Master close finds it's the only use and both sides are closing, then releases the tty and the index. At this point, the idr index is free, but slave still has it. Slave open then calls pty_open() and finds that tty->link->count is 0, because there's no master and returns error. Then tty_open() calls release_dev() which executes without any warning, as it was a case of last slave close when the master is already closed (master->count == 0, slave->count == 1). The tty is then released with the already released idr index. This normally would only issue a warning on idr_remove() but in case of a customer's critical application, it's never too simple: thread1: opens master, gets index X thread1: begin closing master thread2: begin opening slave with index X thread1: finishes closing master, index X released thread3: opens master, gets index X, just released thread2: fails opening slave, releases index X <---- thread4: opens master, gets index X, init_dev() then find an already in use and healthy tty and fails If no more indexes are released, ptmx_open() will keep failing, as the first free index available is X, and it will make init_dev() fail because you're trying to "reopen a master" which isn't valid. The patch notices when this race happens and make init_dev() fail imediately. The init_dev() function is called with tty_mutex held, so it's safe to continue with tty till the end of function because release_dev() won't make any further changes without grabbing the tty_mutex. Without the patch, on some machines it's possible get easily idr warnings like this one: idr_remove called for id=15 which is not allocated. [] idr_remove+0x139/0x170 [] release_mem+0x182/0x230 [] release_dev+0x4b7/0x700 [] tty_ldisc_enable+0x27/0x30 [] init_dev+0x254/0x580 [] check_tty_count+0x14/0xb0 [] tty_open+0x1c5/0x340 [] tty_open+0x0/0x340 [] chrdev_open+0xaf/0x180 [] open_namei+0x8c/0x760 [] chrdev_open+0x0/0x180 [] __dentry_open+0xc9/0x210 [] do_filp_open+0x5c/0x70 [] get_unused_fd+0x61/0xd0 [] do_sys_open+0x53/0x100 [] sys_open+0x27/0x30 [] syscall_call+0x7/0xb using this test application available on: http://www.ruivo.org/~aris/pty_sodomizer.c Signed-off-by: Aristeu Sergio Rozanski Filho Signed-off-by: Adrian Bunk

hwmon/w83627ehf: Fix the fan5 clock divider write

2007-04-19T23:43:12Z

Users have been complaining about the w83627ehf driver flooding their logs with debug messages like: w83627ehf 9191-0a10: Increasing fan 4 clock divider from 64 to 128 or: w83627ehf 9191-0290: Increasing fan 4 clock divider from 4 to 8 The reason is that we failed to actually write the LSB of the encoded clock divider value for that fan, causing the next read to report the same old value again and again. Additionally, the fan number was improperly reported, making the bug harder to find. Signed-off-by: Jean Delvare Signed-off-by: Adrian Bunk

[SCSI] QLOGICPTI: Do not unmap DMA unless we actually mapped something.

2007-04-19T23:31:17Z

We only map DMA when cmd->request_bufflen is non-zero for non-sg buffers, we thus should make the same check when unmapping. Based upon a report from Pasi Pirhonen. Signed-off-by: David S. Miller Signed-off-by: Adrian Bunk

V4L/DVB: Pluto2: fix incorrect TSCR register setting

2007-04-13T20:58:25Z

The ADEF bits in the TSCR register have different meanings in read and write mode. For this reason ADEF has to be reset on every read-modify-write operation. This patch introduces a special write function for this register, which takes care of it. Thanks to Holger Magnussen for pointing my nose at this problem. Signed-off-by: Andreas Oberritter Signed-off-by: Adrian Bunk

V4L: radio: Fix error in Kbuild file

2007-04-13T20:58:24Z

All the radio drivers need video_dev, but they were depending on VIDEO_DEV!=n. That meant that one could try to compile the driver into the kernel when VIDEO_DEV=m, which will not work. If video_dev is a module, then the radio drivers must be modules too. (cherry picked from commit b10fece583fdfdb3d2f29b0da3896ec58b8fe122) Signed-off-by: Trent Piepho Signed-off-by: Michael Krufky Signed-off-by: Adrian Bunk

V4L: tveeprom: autodetect LG TAPC G701D as tuner type 37

2007-04-13T20:58:24Z

Autodetect LG TAPC G701D as tuner type 37, fixing mis-detected tuners in some Hauppauge tv tuner cards. Thanks to Adonis Papas, for pointing this out. (cherry picked from commit 1323fbda1343f50f198bc8bd6d1d59c8b7fc45bf) Signed-off-by: Michael Krufky Signed-off-by: Adrian Bunk

sky2: turn on clocks when doing resume

2007-04-13T20:58:24Z

Some of these chips are disabled until clock is enabled. This fixes: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=404107 Signed-off-by: Stephen Hemminger Signed-off-by: Adrian Bunk

sky2: turn carrier off when down

2007-04-13T20:58:23Z

Driver needs to turn off carrier when down. Signed-off-by: Stephen Hemminger Signed-off-by: Adrian Bunk

skge: turn carrier off when down

2007-04-13T20:58:23Z

Driver needs to turn off carrier when down, otherwise it can confuse bonding and bridging and looks like carrier is on immediately when it is brought back up. Signed-off-by: Stephen Hemminger Signed-off-by: Adrian Bunk

r8169: issue request_irq after the private data are completely initialized

2007-04-13T20:57:48Z

The irq handler schedules a NAPI poll request unconditionally as soon as the status register is not clean. It has been there - and wrong - for ages but a recent timing change made it apparently easier to trigger. Adrian Bunk: backported to 2.6.16 Signed-off-by: Francois Romieu Signed-off-by: Adrian Bunk