Repeatable kernel crash in tty_io.c (2.5.73 & 2.4.21)

Repeatable kernel crash in tty_io.c (2.5.73 & 2.4.21)

Post by Hiroshi Inou » Fri, 27 Jun 2003 18:20:11



Hi,

I found that kernel 2.5.73 (and also 2.4.21) crashed
in drivers/char/tty_io.c at situation described below.

1. login to tty2 (not tty1)
2. start kon (Kanji cONsole emulator, console which support
   Japanese characters)
3. exit kon
4. logout

This crash is repeatable.
I use Redhat 9 on ThinkPad T20.

These patches (for kernel 2.5.73 and 2.4.21) prevent list_del() when
the list is empty.
In kernel 2.5.73, these applying list_del() to empty list
seems to be occured very often (not only at the above situation).
I think this might be harmful.

Regards,
Hiroshi Inoue

--- /usr/src/linux-2.5.73.orig/drivers/char/tty_io.c    2003-06-25 10:45:30.000000000 +0900

                }
                o_tty->magic = 0;
                o_tty->driver->refcount--;
-               file_list_lock();
-               list_del(&o_tty->tty_files);
-               file_list_unlock();
+               if (o_tty->tty_files.next != &o_tty->tty_files) {
+                       file_list_lock();
+                       list_del(&o_tty->tty_files);
+                       file_list_unlock();
+               }
                free_tty_struct(o_tty);
        }

        }
        tty->magic = 0;
        tty->driver->refcount--;
-       file_list_lock();
-       list_del(&tty->tty_files);
-       file_list_unlock();
+       if (tty->tty_files.next != &tty->tty_files) {
+               file_list_lock();
+               list_del(&tty->tty_files);
+               file_list_unlock();
+       }
        module_put(tty->driver->owner);
        free_tty_struct(tty);

        }

        filp->private_data = tty;
-       file_move(filp, &tty->tty_files);
+       if (filp->f_list.next == &filp->f_list)
+               list_add(&filp->f_list, &tty->tty_files);
+       else
+               file_move(filp, &tty->tty_files);
        check_tty_count(tty, "tty_open");
        if (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
            tty->driver->subtype == PTY_TYPE_MASTER)

--- /usr/src/linux-2.4.21.orig/drivers/char/tty_io.c    2003-06-13 23:51:33.000000000 +0900

                }
                o_tty->magic = 0;
                (*o_tty->driver.refcount)--;
-               list_del(&o_tty->tty_files);
+               if (o_tty->tty_files.next != &o_tty->tty_files)
+                       list_del(&o_tty->tty_files);
                free_tty_struct(o_tty);
        }

        }
        tty->magic = 0;
        (*tty->driver.refcount)--;
-       list_del(&tty->tty_files);
+       if (tty->tty_files.next != &tty->tty_files)
+               list_del(&tty->tty_files);
        free_tty_struct(tty);
 }

 init_dev_done:
 #endif
        filp->private_data = tty;
-       file_move(filp, &tty->tty_files);
+       if (filp->f_list.next == &filp->f_list)
+               list_add(&filp->f_list, &tty->tty_files);
+       else
+               file_move(filp, &tty->tty_files);
        check_tty_count(tty, "tty_open");
        if (tty->driver.type == TTY_DRIVER_TYPE_PTY &&
            tty->driver.subtype == PTY_TYPE_MASTER)

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in

More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

 
 
 

Repeatable kernel crash in tty_io.c (2.5.73 & 2.4.21)

Post by YOSHIFUJI Hideaki / 吉藤英 » Fri, 27 Jun 2003 18:30:11



Quote:>            o_tty->driver->refcount--;
> -          file_list_lock();
> -          list_del(&o_tty->tty_files);
> -          file_list_unlock();
> +          if (o_tty->tty_files.next != &o_tty->tty_files) {
> +                  file_list_lock();
> +                  list_del(&o_tty->tty_files);
> +                  file_list_unlock();
> +          }
>            free_tty_struct(o_tty);

I'm not familiar with this area, however,
we should test o_tty->tty_files.next != &o_tty->tty_files
under the lock, shouldn't we?

file_list_lock(o_tty)
if (o_tty->tty_files.next != &o_tty->tty_files)
    list_del(&o_tty->tty_files);
file_list_unlock(o_tty);

--

GPG FP: 9022 65EB 1ECF 3AD1 0BDF  80D8 4807 F894 E062 0EEA
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in

More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

 
 
 

Repeatable kernel crash in tty_io.c (2.5.73 & 2.4.21)

Post by Andrew Morto » Fri, 27 Jun 2003 19:10:05



> Hi,

> I found that kernel 2.5.73 (and also 2.4.21) crashed
> in drivers/char/tty_io.c at situation described below.

> 1. login to tty2 (not tty1)
> 2. start kon (Kanji cONsole emulator, console which support
>    Japanese characters)
> 3. exit kon
> 4. logout

> This crash is repeatable.
> I use Redhat 9 on ThinkPad T20.

whee, it dies most gruesomely.

However I fear that your fix may not be addressing the real source of the
problem.  Why do we get to running release_mem() against a tty which isn't
on the list in the first place?  Any ideas?

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in

More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

 
 
 

1. Gcov-kernel patch updates for 2.5.73 and 2.4.21

The Linux Kernel GCOV patch has been updated for 2.4.21 and 2.5.73.  The
patches can be downloaded from:
https://sourceforge.net/project/showfiles.php?group_id=3382

Major changes in this release:
* ppc64 support
* untested support for x86-64
* a few bugfixes/cleanups

For more information about this patch, please see:
http://ltp.sourceforge.net/coverage/gcov-kernel.php

Thanks,
Paul Larson

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in

More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

2. QT widget

3. 2.4.21-pre7 & 2.4.21-pre5-ac3 IDE resets

4. Upgrading Slackware 96 -> 3.3

5. 2.5.73: Crash in base ACPI

6. how do I fix this; Mandrake6.5 with pctel modem

7. Oops in firewire (2.4.21-pre5 with 2.4.21-pre4 firewire driver)

8. #y2kwatch - irc.openprojects.net

9. 2.4.21-pre3aa1 and RAID0 issue (was: 2.4.21-pre2aa1 - RAID0 issue.)

10. kernel 2.5.73

11. 2.4.21-pre3 kernel crash

12. My 2.5.73 kernel is losing time

13. Kernel Panic in 2.5.73-mm1 OOps part.