1. 19 Sep 2012, 1 commit
  2. 18 Jul 2012, 3 commits
  3. 05 Jun 2012, 1 commit
  4. 09 May 2012, 1 commit
  5. 28 Mar 2012, 1 commit
    • Bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close · 33b69bf8
      Committed by Johan Hovold
      Do not close protocol driver until device has been unregistered.
      
      This fixes a race between tty_close and hci_dev_open which can result in
      a NULL-pointer dereference.
      
      The line discipline closes the protocol driver while we may still have
      hci_dev_open sleeping on the req_lock mutex resulting in a NULL-pointer
      dereference when lock is acquired and hci_init_req called.
      
      Bug is 100% reproducible using hciattach and a disconnected serial port:
      
      0. # hciattach -n ttyO1 any noflow
      
      1. hci_dev_open called from hci_power_on grabs req lock
      2. hci_init_req executes but device fails to initialise (times out
         eventually)
      3. hci_dev_open is called from hci_sock_ioctl and sleeps on req lock
      4. hci_uart_tty_close detaches protocol driver and cancels init req
      5. hci_dev_open (1) releases req lock
      6. hci_dev_open (3) grabs req lock, calls hci_init_req, which triggers oops
         when request is prepared in hci_uart_send_frame
      
      [  137.201263] Unable to handle kernel NULL pointer dereference at virtual address 00000028
      [  137.209838] pgd = c0004000
      [  137.212677] [00000028] *pgd=00000000
      [  137.216430] Internal error: Oops: 17 [#1]
      [  137.220642] Modules linked in:
      [  137.223846] CPU: 0    Tainted: G        W     (3.3.0-rc6-dirty #406)
      [  137.230529] PC is at __lock_acquire+0x5c/0x1ab0
      [  137.235290] LR is at lock_acquire+0x9c/0x128
      [  137.239776] pc : [<c0071490>]    lr : [<c00733f8>]    psr: 20000093
      [  137.239776] sp : cf869dd8  ip : c0529554  fp : c051c730
      [  137.251800] r10: 00000000  r9 : cf8673c0  r8 : 00000080
      [  137.257293] r7 : 00000028  r6 : 00000002  r5 : 00000000  r4 : c053fd70
      [  137.264129] r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : 00000001
      [  137.270965] Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
      [  137.278717] Control: 10c5387d  Table: 8f0f4019  DAC: 00000015
      [  137.284729] Process kworker/u:1 (pid: 7, stack limit = 0xcf8682e8)
      [  137.291229] Stack: (0xcf869dd8 to 0xcf86a000)
      [  137.450164] [<c0071490>] (__lock_acquire+0x5c/0x1ab0) from [<c00733f8>] (lock_acquire+0x9c/0x128)
      [  137.459503] [<c00733f8>] (lock_acquire+0x9c/0x128) from [<c0374130>] (_raw_spin_lock_irqsave+0x44/0x58)
      [  137.469360] [<c0374130>] (_raw_spin_lock_irqsave+0x44/0x58) from [<c02a1d50>] (skb_queue_tail+0x18/0x48)
      [  137.479339] [<c02a1d50>] (skb_queue_tail+0x18/0x48) from [<c0282238>] (h4_enqueue+0x2c/0x34)
      [  137.488189] [<c0282238>] (h4_enqueue+0x2c/0x34) from [<c02821cc>] (hci_uart_send_frame+0x34/0x68)
      [  137.497497] [<c02821cc>] (hci_uart_send_frame+0x34/0x68) from [<c032727c>] (hci_send_frame+0x50/0x88)
      [  137.507171] [<c032727c>] (hci_send_frame+0x50/0x88) from [<c03285f4>] (hci_cmd_work+0x74/0xd4)
      [  137.516204] [<c03285f4>] (hci_cmd_work+0x74/0xd4) from [<c004c914>] (process_one_work+0x1a0/0x4ec)
      [  137.525604] [<c004c914>] (process_one_work+0x1a0/0x4ec) from [<c004d6ac>] (worker_thread+0x154/0x344)
      [  137.535278] [<c004d6ac>] (worker_thread+0x154/0x344) from [<c00516b0>] (kthread+0x84/0x90)
      [  137.543975] [<c00516b0>] (kthread+0x84/0x90) from [<c0013b30>] (kernel_thread_exit+0x0/0x8)
      [  137.552734] Code: e59f4e5c e5941000 e3510000 0a000031 (e5971000)
      [  137.559234] ---[ end trace 1b75b31a2719ed1e ]---
      
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Johan Hovold <jhovold@gmail.com>
      Acked-by: Marcel Holtmann <marcel@holtmann.org>
      Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
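A constructed user-space model of the teardown ordering this commit describes, added here as an example and not part of the commit or of the kernel source: the names hci_uart, req_lock, hci_dev_open and h4_enqueue follow the backtrace, while the single sleeping opener and the assumption that hci_unregister_dev takes and releases req_lock are simplifications.

```c
#include <stddef.h>
/* Constructed user-space model of the tty_close/hci_dev_open race fixed
 * by 33b69bf8 (added example, not kernel code). The opener sleeping on
 * req_lock is modelled as a callback run when the lock is next released. */
enum { EOK = 0, ENULLDEREF = -1 };
struct hci_uart;
typedef int (*opener_fn)(struct hci_uart *);
struct proto { int (*enqueue)(int frame); };
static int h4_enqueue(int frame) { (void)frame; return EOK; }
static struct proto h4_proto = { h4_enqueue };

struct hci_uart {
    struct proto *proto;  /* NULL once the line discipline detached it */
    opener_fn sleeper;    /* hci_dev_open blocked on req_lock, or NULL */
    int last_rc;          /* result of the last opener that ran */
};

/* hci_uart_send_frame: the oops' NULL dereference, reported as an error code */
static int send_frame(struct hci_uart *hu, int frame)
{ return hu->proto ? hu->proto->enqueue(frame) : ENULLDEREF; }
/* hci_dev_open once it owns req_lock: hci_init_req sends HCI Reset (0x03) */
static int dev_open_locked(struct hci_uart *hu) { return send_frame(hu, 0x03); }
/* releasing req_lock hands it to the sleeper (steps 5 and 6 of the commit) */
static void req_unlock(struct hci_uart *hu)
{
    opener_fn w = hu->sleeper;
    if (w) { hu->sleeper = NULL; hu->last_rc = w(hu); }
}
/* assumption: hci_unregister_dev takes and releases req_lock, so any
 * sleeper runs and is drained before unregister returns */
static void unregister_dev(struct hci_uart *hu) { req_unlock(hu); }

/* before the fix: protocol detached (step 4) while an opener still sleeps */
static int close_before_fix(void)
{
    struct hci_uart hu = { &h4_proto, dev_open_locked, EOK };
    hu.proto = NULL;          /* hci_uart_tty_close closes the protocol */
    unregister_dev(&hu);      /* sleeper wakes, dereferences NULL proto */
    return hu.last_rc;        /* ENULLDEREF */
}

/* after the fix: unregister drains the sleeper while proto is still live */
static int close_after_fix(void)
{
    struct hci_uart hu = { &h4_proto, dev_open_locked, EOK };
    unregister_dev(&hu);      /* sleeper runs through h4_enqueue, EOK */
    hu.proto = NULL;          /* protocol closed only now */
    return hu.last_rc;        /* EOK */
}
```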
  6. 25 Feb 2012, 2 commits
  7. 13 Feb 2012, 3 commits
  8. 13 Jan 2012, 1 commit
  9. 04 Jun 2011, 1 commit
    • Revert "tty: make receive_buf() return the amout of bytes received" · 55db4c64
      Committed by Linus Torvalds
      This reverts commit b1c43f82.
      
      It was broken in so many ways, and results in random odd pty issues.
      
      It re-introduced the buggy schedule_work() in flush_to_ldisc() that can
      cause endless work-loops (see commit a5660b41: "tty: fix endless
      work loop when the buffer fills up").
      
      It also used an "unsigned int" return value for the ->receive_buf()
      function, but then made multiple functions return a negative error code,
      and didn't actually check for the error in the caller.
      
      And it didn't actually work at all.  BenH bisected down odd tty behavior
      to it:
        "It looks like the patch is causing some major malfunctions of the X
         server for me, possibly related to PTYs.  For example, cat'ing a
         large file in a gnome terminal hangs the kernel for -minutes- in a
         loop of what looks like flush_to_ldisc/workqueue code, (some ftrace
         data in the quoted bits further down).
      
         ...
      
         Some more data: It -looks- like what happens is that the
         flush_to_ldisc work queue entry constantly re-queues itself (because
         the PTY is full ?) and the workqueue thread will basically loop
         forever calling it without ever scheduling, thus starving the consumer
         process that could have emptied the PTY."
      
      which is pretty much exactly the problem we fixed in a5660b41.
      
      Milton Miller pointed out the 'unsigned int' issue.
      Reported-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Reported-by: Milton Miller <miltonm@bga.com>
      Cc: Stefan Bigler <stefan.bigler@keymile.com>
      Cc: Toby Gray <toby.gray@realvnc.com>
      Cc: Felipe Balbi <balbi@ti.com>
      Cc: Greg Kroah-Hartman <gregkh@suse.de>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  10. 23 Apr 2011, 1 commit
  11. 13 Apr 2011, 1 commit
  12. 17 Feb 2011, 1 commit
  13. 08 Dec 2010, 1 commit
  14. 22 Oct 2010, 1 commit
  15. 12 Oct 2010, 1 commit
  16. 22 Jul 2010, 3 commits
  17. 27 Feb 2010, 1 commit
  18. 04 Dec 2009, 1 commit
  19. 11 Jun 2009, 2 commits
    • tty: fix bluetooth scribbling on low latency flags · 7f8d09ea
      Committed by Alan Cox
      Bluetooth shouldn't be doing this as most drivers don't support the flag,
      furthermore it shouldn't be needed with newer buffering. This becomes rather
      more visible as the locking fixes make the abuse of low_latency visible as
      spew on the users console/dmesg.
      Signed-off-by: Alan Cox <alan@linux.intel.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • tty: rewrite the ldisc locking · c65c9bc3
      Committed by Alan Cox
      There are several pretty much unfixable races in the old ldisc code, especially
      with respect to pty behaviour and also to hangup. It's easier to rewrite the
      code than simply try and patch it up.
      
      This patch
      - splits the ldisc from the tty (so we will be able to refcount it more cleanly
        later)
      - introduces a mutex lock for ldisc changing on an active device
      - fixes the complete mess that hangup caused
      - implements hopefully correct setldisc/close/hangup locking
      
      There are still some problems around pty pairs that have always been there but
      at least it is now possible to understand the code and fix further problems.
      
      This fixes the following known bugs
      - hang up can leak ldisc references
      - hang up may not call open/close on ldisc in a matched way
      - pty/tty pairs can deadlock during an ldisc change
      - reading the ldisc proc files can cause every ldisc to be loaded
      
      and probably a few other of the mysterious ldisc race reports.
      
      I'm sure it also adds the odd new one.
      Signed-off-by: Alan Cox <alan@linux.intel.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  20. 30 Nov 2008, 2 commits
    • Bluetooth: Enable per-module dynamic debug messages · a418b893
      Committed by Marcel Holtmann
      With the introduction of CONFIG_DYNAMIC_PRINTK_DEBUG it is possible to
      allow debugging without having to recompile the kernel. This patch turns
      all BT_DBG() calls into pr_debug() to support dynamic debug messages.
      
      As a side effect all CONFIG_BT_*_DEBUG statements are now removed and
      some broken debug entries have been fixed.
      Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    • Bluetooth: Send HCI Reset command by default on device initialization · 7a9d4020
      Committed by Marcel Holtmann
      The Bluetooth subsystem was not using the HCI Reset command when doing
      device initialization. The Bluetooth 1.0b specification was ambiguous
      on how the device firmware was supposed to handle it. Almost every device
      was triggering a transport reset at the same time. In case of USB this
      ended up in disconnects from the bus.
      
      All modern Bluetooth dongles handle this perfectly fine and a lot of
      them actually require that HCI Reset is sent. If not then they are
      either stuck in their HID Proxy mode or their internal structures for
      inquiry and paging are not correctly setup.
      
      To handle old and new devices smoothly the Bluetooth subsystem contains
      a quirk to force the HCI Reset on initialization. However maintaining
      such a quirk becomes more and more complicated. This patch turns the
      logic around and lets the old devices disable the HCI Reset command.
      
      The only device where the HCI_QUIRK_NO_RESET is still needed are the
      original Digianswer devices and dongles with an early CSR firmware.
      
      CSR reported that they fixed this for version 12 firmware. The last
      official release of version 11 firmware is build ID 115. The first
      version 12 candidate was build ID 117.
      Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
  21. 14 Oct 2008, 1 commit
  22. 18 Aug 2008, 1 commit
    • [Bluetooth] Consolidate maintainers information · 63fbd24e
      Committed by Marcel Holtmann
      The Bluetooth entries for the MAINTAINERS file are a little bit too
      much. Consolidate them into two entries. One for Bluetooth drivers and
      another one for the Bluetooth subsystem.
      
      Also the MODULE_AUTHOR should indicate the current maintainer of the
      module and actually not the original author. Fix all Bluetooth modules
      to provide current maintainer information.
      Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
  23. 21 Jul 2008, 1 commit
    • tty: Ldisc revamp · a352def2
      Committed by Alan Cox
      Move the line disciplines towards a conventional ->ops arrangement.  For
      the moment the actual 'tty_ldisc' struct in the tty is kept as part of
      the tty struct but this can then be changed if it turns out that when it
      all settles down we want to refcount ldiscs separately to the tty.
      
      Pull the ldisc code out of /proc and put it with our ldisc code.
      Signed-off-by: Alan Cox <alan@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  24. 30 Apr 2008, 2 commits
  25. 13 Feb 2008, 1 commit
    • hci_ldisc: fix null pointer deref · 3611f4d2
      Committed by David Newall
      Arjan:
      
        With the help of kerneloops.org I've spotted a nice little interaction
        between the TTY layer and the bluetooth code, however the tty layer is not
        something I'm all too familiar with so I rather ask than brute-force fix the
        code incorrectly.
      
        The raw details are at:
        http://www.kerneloops.org/search.php?search=uart_flush_buffer
      
        What happens is that, on closing the bluetooth tty, the tty layer goes
        into the release_dev() function, which first does a bunch of stuff, then
        sets the file->private_data to NULL, does some more stuff and then calls the
        ldisc close function.  Which in this case, is hci_uart_tty_close().
      
        Now, hci_uart_tty_close() calls hci_uart_close() which clears some
        internal bit, and then calls hci_uart_flush()...  which calls back to the
        tty layers' uart_flush_buffer() function.  (in drivers/bluetooth/hci_tty.c
        around line 194) Which then WARN_ON()'s because that's not allowed/supposed
        to be called this late in the shutdown of the port....
      
        Should the bluetooth driver even call this flush function at all??
      
      David:
      
        This seems to be what happens: Hci_uart_close() flushes using
        hci_uart_flush().  Subsequently, in hci_dev_do_close(), (one step in
        hci_unregister_dev()), hci_uart_flush() is called again.  The comment in
        uart_flush_buffer(), relating to the WARN_ON(), indicates you can't flush
        after the port is closed; which sounds reasonable.  I think hci_uart_close()
        should set hdev->flush to NULL before returning.  Hci_dev_do_close() does
        check for this.  The code path is rather involved and I'm not entirely clear
        of all steps, but I think that's what should be done.
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  26. 22 Oct 2007, 1 commit
  27. 11 May 2007, 3 commits
  28. 15 Feb 2007, 1 commit
    • [PATCH] remove many unneeded #includes of sched.h · cd354f1a
      Committed by Tim Schmielau
      After Al Viro (finally) succeeded in removing the sched.h #include in module.h
      recently, it makes sense again to remove other superfluous sched.h includes.
      There are quite a lot of files which include it but don't actually need
      anything defined in there.  Presumably these includes were once needed for
      macros that used to live in sched.h, but moved to other header files in the
      course of cleaning it up.
      
      To ease the pain, this time I did not fiddle with any header files and only
      removed #includes from .c-files, which tend to cause less trouble.
      
      Compile tested against 2.6.20-rc2 and 2.6.20-rc2-mm2 (with offsets) on alpha,
      arm, i386, ia64, mips, powerpc, and x86_64 with allnoconfig, defconfig,
      allmodconfig, and allyesconfig as well as a few randconfigs on x86_64 and all
      configs in arch/arm/configs on arm.  I also checked that no new warnings were
      introduced by the patch (actually, some warnings are removed that were emitted
      by unnecessarily included header files).
      Signed-off-by: Tim Schmielau <tim@physik3.uni-rostock.de>
      Acked-by: Russell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>