From d4820e44b0ae6830b1d634e6d0a425d839388c06 Mon Sep 17 00:00:00 2001
From: Heiko Carstens <heiko.carstens@de.ibm.com>
Date: Fri, 30 May 2008 10:03:30 +0200
Subject: [S390] sclp_vt220: fix scheduling while atomic bug.

The driver incorrectly assumed that putchar will only be called from
schedulable process context and therefore blocked and waited if no
free output buffers where available.
Since putchar may also be called from BH context this may lead to
deadlocks.
To fix this just return the number of characters accepted and let the
upper layer handle the rest.

The console write function will busy wait (sclp_sync_wait) until a
buffer is available again.

Cc: Peter Oberparleiter <peter.oberparleiter@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
---
 drivers/s390/char/sclp_vt220.c | 27 +++++++--------------------
 1 file changed, 7 insertions(+), 20 deletions(-)

(limited to 'drivers/s390/char/sclp_vt220.c')

diff --git a/drivers/s390/char/sclp_vt220.c b/drivers/s390/char/sclp_vt220.c
index 35707c04e613..62576af36f47 100644
--- a/drivers/s390/char/sclp_vt220.c
+++ b/drivers/s390/char/sclp_vt220.c
@@ -71,9 +71,6 @@ static struct list_head sclp_vt220_outqueue;
 /* Number of requests in outqueue */
 static int sclp_vt220_outqueue_count;
 
-/* Wait queue used to delay write requests while we've run out of buffers */
-static wait_queue_head_t sclp_vt220_waitq;
-
 /* Timer used for delaying write requests to merge subsequent messages into
  * a single buffer */
 static struct timer_list sclp_vt220_timer;
@@ -133,7 +130,6 @@ sclp_vt220_process_queue(struct sclp_vt220_request *request)
 	} while (request && __sclp_vt220_emit(request));
 	if (request == NULL && sclp_vt220_flush_later)
 		sclp_vt220_emit_current();
-	wake_up(&sclp_vt220_waitq);
 	/* Check if the tty needs a wake up call */
 	if (sclp_vt220_tty != NULL) {
 		tty_wakeup(sclp_vt220_tty);
@@ -383,7 +379,7 @@ sclp_vt220_timeout(unsigned long data)
  */
 static int
 __sclp_vt220_write(const unsigned char *buf, int count, int do_schedule,
-		   int convertlf, int may_schedule)
+		   int convertlf, int may_fail)
 {
 	unsigned long flags;
 	void *page;
@@ -395,15 +391,14 @@ __sclp_vt220_write(const unsigned char *buf, int count, int do_schedule,
 	overall_written = 0;
 	spin_lock_irqsave(&sclp_vt220_lock, flags);
 	do {
-		/* Create a sclp output buffer if none exists yet */
+		/* Create an sclp output buffer if none exists yet */
 		if (sclp_vt220_current_request == NULL) {
 			while (list_empty(&sclp_vt220_empty)) {
 				spin_unlock_irqrestore(&sclp_vt220_lock, flags);
-				if (in_interrupt() || !may_schedule)
-					sclp_sync_wait();
+				if (may_fail)
+					goto out;
 				else
-					wait_event(sclp_vt220_waitq,
-						!list_empty(&sclp_vt220_empty));
+					sclp_sync_wait();
 				spin_lock_irqsave(&sclp_vt220_lock, flags);
 			}
 			page = (void *) sclp_vt220_empty.next;
@@ -437,6 +432,7 @@ __sclp_vt220_write(const unsigned char *buf, int count, int do_schedule,
 		add_timer(&sclp_vt220_timer);
 	}
 	spin_unlock_irqrestore(&sclp_vt220_lock, flags);
+out:
 	return overall_written;
 }
 
@@ -520,19 +516,11 @@ sclp_vt220_close(struct tty_struct *tty, struct file *filp)
  * character to the tty device.  If the kernel uses this routine,
  * it must call the flush_chars() routine (if defined) when it is
  * done stuffing characters into the driver.
- *
- * NOTE: include/linux/tty_driver.h specifies that a character should be
- * ignored if there is no room in the queue. This driver implements a different
- * semantic in that it will block when there is no more room left.
- *
- * FIXME: putchar can currently be called from BH and other non blocking
- * handlers so  this semantic isn't a good idea.
  */
 static int
 sclp_vt220_put_char(struct tty_struct *tty, unsigned char ch)
 {
-	__sclp_vt220_write(&ch, 1, 0, 0, 1);
-	return 1;
+	return __sclp_vt220_write(&ch, 1, 0, 0, 1);
 }
 
 /*
@@ -653,7 +641,6 @@ static int __init __sclp_vt220_init(void)
 	spin_lock_init(&sclp_vt220_lock);
 	INIT_LIST_HEAD(&sclp_vt220_empty);
 	INIT_LIST_HEAD(&sclp_vt220_outqueue);
-	init_waitqueue_head(&sclp_vt220_waitq);
 	init_timer(&sclp_vt220_timer);
 	sclp_vt220_current_request = NULL;
 	sclp_vt220_buffered_chars = 0;
-- 
cgit v1.2.3


From 7b439d25300dc59bba76b53eb344bb9e5a1133f2 Mon Sep 17 00:00:00 2001
From: Carsten Otte <cotte@de.ibm.com>
Date: Tue, 10 Jun 2008 10:03:22 +0200
Subject: [S390] vt220 console, initialize list head before use

This patch fixes a null pointer dereference during initialisation when no
sclp event facility is available:
sclp vt220 tty driver: could not register vt220 - sclp_register returned -5
Unable to handle kernel paging request at virtual user address 0000000000000000
Oops: 0004 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 Not tainted 2.6.26-rc3-kvm-bigiron-00968-gd939e93-dirty #30
Process swapper (pid: 0, task: 0000000000600be0, ksp: 000000000064a000)
Krnl PSW : 0400000180000000 0000000000320d8c (sclp_unregister+0x48/0x8c)
           R:0 T:1 IO:0 EX:0 Key:0 M:0 W:0 P:0 AS:0 CC:0 PM:0 EA:3
Krnl GPRS: 0000000000000000 0000000000000000 0000000000630478 0700000000649c20
           0000000000000000 0000000000433060 000000000064a660 0000000002e26000
           00000000006db000 0000000000000000 0000000000a78578 0000000000649b80
           0000000000630dc0 000000000044fa20 0000000000320d76 0000000000649b80
Krnl Code: 0000000000320d7c: e310c0080004       lg      %r1,8(%r12)
           0000000000320d82: b9040032           lgr     %r3,%r2
           0000000000320d86: c02000187b79       larl    %r2,630478
          >0000000000320d8c: e34010000024       stg     %r4,0(%r1)
           0000000000320d92: e31040080024       stg     %r1,8(%r4)
           0000000000320d98: c01100200200       lgfi    %r1,2097664
           0000000000320d9e: e310c0080024       stg     %r1,8(%r12)
           0000000000320da4: c01100100100       lgfi    %r1,1048832
Call Trace:
([<0000000000320d76>] sclp_unregister+0x32/0x8c)
 [<00000000006657b4>] __sclp_vt220_cleanup+0xc4/0xe0
 [<000000000066595c>] __sclp_vt220_init+0x18c/0x1a0
 [<0000000000665aba>] sclp_vt220_con_init+0x42/0x68
 [<00000000006601ca>] console_init+0x4e/0x68
 [<000000000064acae>] start_kernel+0x3a2/0x4dc
 [<0000000000100020>] _stext+0x20/0x80
INFO: lockdep is turned off.
Last Breaking-Event-Address:
 [<000000000041f964>] _spin_lock_irqsave+0xb0/0xb4
 <4>---[ end trace 31fd0ba7d8756001 ]---

The issue is caused by a list_empty() check in __sclp_vt220_cleanup, which
usually fails on non-initialized list heads that contain {NULL,NULL} instead.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
---
 drivers/s390/char/sclp_vt220.c | 1 +
 1 file changed, 1 insertion(+)

(limited to 'drivers/s390/char/sclp_vt220.c')

diff --git a/drivers/s390/char/sclp_vt220.c b/drivers/s390/char/sclp_vt220.c
index 62576af36f47..3e577f655b18 100644
--- a/drivers/s390/char/sclp_vt220.c
+++ b/drivers/s390/char/sclp_vt220.c
@@ -773,6 +773,7 @@ sclp_vt220_con_init(void)
 {
 	int rc;
 
+	INIT_LIST_HEAD(&sclp_vt220_register.list);
 	if (!CONSOLE_IS_SCLP)
 		return 0;
 	rc = __sclp_vt220_init();
-- 
cgit v1.2.3