unaddressed issues around tty_open_by_driver

Okash Khawaja okash.khawaja at gmail.com
Sun Jun 25 05:21:26 EDT 2017 

Hi,

Raising this here but I think we will ultimately discuss this on a wider
mailing list.

There are three issues I can see with the way we open tty from speakup
(and others will also have similar problems if they use
tty_open_by_kernel).

1. user space opens tty which is already opened by kernel
2. kernel opens tty that is already opened by user
3. user space opens tty kernel has stopped using

First two may be addressed by checking flags before opening and
setting and unsetting those flags after opening and before closing.

Third one is interesting. I haven't investigated it yet, but it seems to
throw a kernel oops from tty_ldisc_reinit. I have attached relevant bit
from kernel log - please see from line at 08:37:03 onwards. I ran `echo
foo > /dev/ttyUSB0` after unloading speakup and speakup_apollo which
were loaded with dev=ttyUSB0.

We can avoid 2 and 3 above by calling tty_open_by_driver only when
speakup is built into kernel and not when loaded as module. Which of
course means we need to work out what to do when loading speakup as
module.

Thanks,
Okash
-------------- next part --------------
[Sun Jun 25 08:33:07 2017] speakup: loading out-of-tree module taints kernel.
[Sun Jun 25 08:33:07 2017] speakup: module is from the staging directory, the quality is unknown, you have been warned.
[Sun Jun 25 08:33:07 2017] input: Speakup as /devices/virtual/input/input19
[Sun Jun 25 08:33:07 2017] initialized device: /dev/synth, node (MAJOR 10, MINOR 25)
[Sun Jun 25 08:33:07 2017] speakup 3.1.6: initialized
[Sun Jun 25 08:33:07 2017] synth name on entry is: (null)
[Sun Jun 25 08:33:29 2017] speakup_apollo: module is from the staging directory, the quality is unknown, you have been warned.
[Sun Jun 25 08:33:29 2017] synth probe
[Sun Jun 25 08:34:16 2017] ttyUSB ttyUSB0: tty_open: tty->count(2) != #fd's(1)
[Sun Jun 25 08:34:16 2017] ttyUSB ttyUSB0: tty_release: tty->count(2) != #fd's(1)
[Sun Jun 25 08:36:19 2017] releasing synth apollo
[Sun Jun 25 08:36:22 2017] speakup: unregistering synth device /dev/synth
[Sun Jun 25 08:37:03 2017] BUG: unable to handle kernel paging request at ffffffffa09a9348
[Sun Jun 25 08:37:03 2017] IP: get_ldops+0x2b/0x70
[Sun Jun 25 08:37:03 2017] PGD 1a0c067
[Sun Jun 25 08:37:03 2017] PUD 1a0d063
[Sun Jun 25 08:37:03 2017] PMD 113b8b067
[Sun Jun 25 08:37:03 2017] PTE 0

[Sun Jun 25 08:37:03 2017] Oops: 0000 [#1] PREEMPT SMP
[Sun Jun 25 08:37:03 2017] Modules linked in: pl2303 usbserial ctr ccm joydev uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core videodev arc4 gpio_ich iTCO_wdt iTCO_vendor_support media iwldvm dell_wmi sparse_keymap mac80211 dell_rbtn ppdev dell_laptop dell_smbios dcdbas coretemp iwlwifi kvm_intel dell_smm_hwmon kvm irqbypass cfg80211 snd_hda_codec_hdmi nfnetlink_log rfkill nfnetlink snd_hda_codec_idt snd_hda_codec_generic psmouse pcspkr i2c_i801 i915 cdc_ether usbnet cdc_wdm mii cdc_acm lpc_ich shpchp snd_hda_intel mousedev evdev input_leds mac_hid snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore drm_kms_helper thermal acpi_als wmi battery kfifo_buf button drm parport_pc syscopyarea e1000e parport sysfillrect intel_agp industrialio sysimgblt fb_sys_fops ptp intel_gtt
[Sun Jun 25 08:37:03 2017]  i2c_algo_bit pps_core video ac acpi_cpufreq tpm_tis tpm_tis_core tpm sch_fq_codel sg ip_tables x_tables ext4 crc16 jbd2 fscrypto mbcache sr_mod cdrom sd_mod hid_generic usbhid hid uhci_hcd serio_raw atkbd libps2 ahci libahci firewire_ohci sdhci_pci sdhci led_class mmc_core firewire_core libata crc_itu_t scsi_mod ehci_pci ehci_hcd usbcore usb_common i8042 serio [last unloaded: speakup]
[Sun Jun 25 08:37:03 2017] CPU: 0 PID: 738 Comm: bash Tainted: G         C O    4.11.3-ARCH-dirty #11
[Sun Jun 25 08:37:03 2017] Hardware name: Dell Inc. Latitude E4300                  /0D201R, BIOS A13 10/29/2009
[Sun Jun 25 08:37:03 2017] task: ffff8801073b8d00 task.stack: ffffc90000648000
[Sun Jun 25 08:37:03 2017] RIP: 0010:get_ldops+0x2b/0x70
[Sun Jun 25 08:37:03 2017] RSP: 0018:ffffc9000064bb00 EFLAGS: 00010086
[Sun Jun 25 08:37:03 2017] RAX: 0000000000000293 RBX: ffffffffa09a92c0 RCX: 0000000000000003
[Sun Jun 25 08:37:03 2017] RDX: 0000000000000001 RSI: 000000000000001a RDI: ffffffff81d26670
[Sun Jun 25 08:37:03 2017] RBP: ffffc9000064bb10 R08: 0000000000000002 R09: ffffffff8141d612
[Sun Jun 25 08:37:03 2017] R10: 0000000000000000 R11: ffff8800d838c3c0 R12: 0000000000000293
[Sun Jun 25 08:37:03 2017] R13: ffff880104d6c800 R14: ffffffff8186e760 R15: ffff88008c4cfe10
[Sun Jun 25 08:37:03 2017] FS:  00007f7a17a44b40(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000
[Sun Jun 25 08:37:03 2017] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[Sun Jun 25 08:37:03 2017] CR2: ffffffffa09a9348 CR3: 000000008c56a000 CR4: 00000000000406f0
[Sun Jun 25 08:37:03 2017] Call Trace:
[Sun Jun 25 08:37:03 2017]  tty_ldisc_get.part.1+0x1b/0xa0
[Sun Jun 25 08:37:03 2017]  tty_ldisc_reinit+0x37/0x100
[Sun Jun 25 08:37:03 2017]  tty_reopen+0x6a/0x80
[Sun Jun 25 08:37:03 2017]  tty_open_by_driver+0x216/0x250
[Sun Jun 25 08:37:03 2017]  tty_open+0x16b/0x2d0
[Sun Jun 25 08:37:03 2017]  chrdev_open+0xb0/0x1e0
[Sun Jun 25 08:37:03 2017]  do_dentry_open+0x20a/0x2f0
[Sun Jun 25 08:37:03 2017]  ? cdev_put+0x30/0x30
[Sun Jun 25 08:37:03 2017]  vfs_open+0x4e/0x80
[Sun Jun 25 08:37:03 2017]  path_openat+0x2c9/0x1170
[Sun Jun 25 08:37:03 2017]  ? alloc_set_pte+0x259/0x600
[Sun Jun 25 08:37:03 2017]  do_filp_open+0x99/0x110
[Sun Jun 25 08:37:03 2017]  ? __check_object_size+0x54/0x196
[Sun Jun 25 08:37:03 2017]  ? __alloc_fd+0xb2/0x160
[Sun Jun 25 08:37:03 2017]  do_sys_open+0x147/0x210
[Sun Jun 25 08:37:03 2017]  ? do_sys_open+0x147/0x210
[Sun Jun 25 08:37:03 2017]  SyS_open+0x1e/0x20
[Sun Jun 25 08:37:03 2017]  entry_SYSCALL_64_fastpath+0x1a/0xa9
[Sun Jun 25 08:37:03 2017] RIP: 0033:0x7f7a17128120
[Sun Jun 25 08:37:03 2017] RSP: 002b:00007ffd3b37d498 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[Sun Jun 25 08:37:03 2017] RAX: ffffffffffffffda RBX: 000000000259ab20 RCX: 00007f7a17128120
[Sun Jun 25 08:37:03 2017] RDX: 00000000000001b6 RSI: 0000000000000241 RDI: 000000000259ab20
[Sun Jun 25 08:37:03 2017] RBP: 0000000000000001 R08: 0000000000000020 R09: 0000000000000000
[Sun Jun 25 08:37:03 2017] R10: 00000000025966c0 R11: 0000000000000246 R12: 0000000000000020
[Sun Jun 25 08:37:03 2017] R13: 0000000000000003 R14: 0000000000000001 R15: 000000000259ab20
[Sun Jun 25 08:37:03 2017] Code: 66 66 66 66 90 55 48 89 e5 41 54 53 48 63 df 48 c7 c7 70 66 d2 81 e8 f5 28 21 00 48 8b 1c dd 80 65 d2 81 49 89 c4 48 85 db 74 37 <48> 8b bb 88 00 00 00 e8 99 87 ce ff 84 c0 74 1e 83 83 90 00 00
[Sun Jun 25 08:37:03 2017] RIP: get_ldops+0x2b/0x70 RSP: ffffc9000064bb00
[Sun Jun 25 08:37:03 2017] CR2: ffffffffa09a9348
[Sun Jun 25 08:37:03 2017] ---[ end trace 158d4b4e7aed864d ]---
[Sun Jun 25 08:37:03 2017] note: bash[738] exited with preempt_count 1

More information about the Speakup mailing list