From: Michael Neuling <mikey@neuling.org>
To: Wang YanQing <udknight@gmail.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>,
johan Hovold <johan@kernel.org>,
Peter Hurley <peter@hurleysoftware.com>,
Alexander Popov <alex.popov@linux.com>,
Rob Herring <robh@kernel.org>,
Mikulas Patocka <mpatocka@redhat.com>,
Dmitry Vyukov <dvyukov@google.com>,
benh <benh@kernel.crashing.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: tty crash in tty_ldisc_receive_buf()
Date: Fri, 07 Apr 2017 12:06:00 +1000
Message-ID: <1491530760.2815.67.camel@neuling.org>
In-Reply-To: <20170407012459.GA3431@udknight>
> > + /* This probably shouldn't happen, but return 0 data processed */
> > + if (!ldata)
> > + return 0;
> > +
> > while (1) {
> > /*
> > * When PARMRK is set, each input char may take up to 3
> > chars
>
> Maybe your patch should look like:
> + /* This probably shouldn't happen, but return 0 data processed */
> + if (!ldata) {
> + up_read(&tty->termios_rwsem);
> + return 0;
> + }
Oops, nice catch.. Thanks!
That does indeed fix the problem now without the softlockup. I'm not sure it's
the right fix, but full patch below.
Anyone see a problem with this approach? Am I just papering over a real issue?
> Maybe below patch should work:
> @@ -1668,11 +1668,12 @@ static int
> n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
> char *fp, int count, int flow)
> {
> - struct n_tty_data *ldata = tty->disc_data;
> + struct n_tty_data *ldata;
> int room, n, rcvd = 0, overflow;
>
> down_read(&tty->termios_rwsem);
>
> + ldata = tty->disc_data;
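Review bot: The added `ldata = tty->disc_data;` after down_read() has no NULL test following it in this hunk, so a NULL disc_data would still reach the code that uses ldata. Moving the load only changes when the pointer is sampled; it needs to be paired with the `if (!ldata) { up_read(&tty->termios_rwsem); return 0; }` block suggested above.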
I did try just that alone and it didn't help.
Mikey
------------------------------------------------------------------------
From 75c2a0369450692946ca8cc7ac148a98deaecd2a Mon Sep 17 00:00:00 2001
From: Michael Neuling <mikey@neuling.org>
Date: Fri, 7 Apr 2017 11:31:02 +1000
Subject: [PATCH] tty: fix regression in flush_to_ldisc
When reiniting a tty we can end up with:
[ 417.514499] Unable to handle kernel paging request for data at address 0x00002260
[ 417.515361] Faulting instruction address: 0xc0000000006fad80
cpu 0x15: Vector: 300 (Data Access) at [c00000799411f890]
pc: c0000000006fad80: n_tty_receive_buf_common+0xc0/0xbd0
lr: c0000000006fad5c: n_tty_receive_buf_common+0x9c/0xbd0
sp: c00000799411fb10
msr: 900000000280b033
dar: 2260
dsisr: 40000000
current = 0xc0000079675d1e00
paca = 0xc00000000fb0d200 softe: 0 irq_happened: 0x01
pid = 5, comm = kworker/u56:0
Linux version 4.11.0-rc5-next-20170405 (mikey@bml86) (gcc version 5.4.0 20160609 (Ubuntu/IBM 5.4.0-6ubuntu1~16.04.4) ) #2 SMP Thu Apr 6 00:36:46 CDT 2017
enter ? for help
[c00000799411fbe0] c0000000006ff968 tty_ldisc_receive_buf+0x48/0xe0
[c00000799411fc10] c0000000007009d8 tty_port_default_receive_buf+0x68/0xe0
[c00000799411fc50] c0000000006ffce4 flush_to_ldisc+0x114/0x130
[c00000799411fca0] c00000000010a0fc process_one_work+0x1ec/0x580
[c00000799411fd30] c00000000010a528 worker_thread+0x98/0x5d0
[c00000799411fdc0] c00000000011343c kthread+0x16c/0x1b0
[c00000799411fe30] c00000000000b4e8 ret_from_kernel_thread+0x5c/0x74
This is due to a NULL ptr deref of tty->disc_data.
This fixes the issue by moving the disc_data read to after we take the
semaphore, then returning 0 data processed when NULL.
Cc: <stable@vger.kernel.org> [4.10+]
Signed-off-by: Michael Neuling <mikey@neuling.org>
---
drivers/tty/n_tty.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index bdf0e6e899..a2a9832a42 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -1668,11 +1668,17 @@ static int
n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
char *fp, int count, int flow)
{
- struct n_tty_data *ldata = tty->disc_data;
+ struct n_tty_data *ldata;
int room, n, rcvd = 0, overflow;
down_read(&tty->termios_rwsem);
+ ldata = tty->disc_data;
+ if (!ldata) {
+ up_read(&tty->termios_rwsem);
+ return 0;
+ }
+
while (1) {
/*
* When PARMRK is set, each input char may take up to 3 chars
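Review bot: The `if (!ldata)` block returns 0 silently and has lost the comment the earlier draft carried ("This probably shouldn't happen, but return 0 data processed"), so nothing in the code says which path can leave disc_data NULL or whether termios_rwsem held for read is what keeps that load stable. Please restore a comment stating that, and consider WARN_ON_ONCE(!ldata) so the condition stays visible rather than being absorbed. The commit message names a regression and Cc's stable [4.10+] but has no Fixes: tag identifying the commit that introduced it.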
--
2.9.3
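The lock-balance point raised in the quoted reply (the early return needs its own up_read()), as an added userspace model that is not part of the original message or of the kernel source. The names model_rwsem, model_tty, model_ldata, receive_buf and writer_ok_after are hypothetical, and the reader counter only stands in for termios_rwsem.

```c
#include <stdio.h>

/* Userspace model only: a reader count stands in for tty->termios_rwsem. */
struct model_rwsem { int readers; };
static void down_read(struct model_rwsem *s) { s->readers++; }
static void up_read(struct model_rwsem *s) { s->readers--; }
/* A writer gets in only when no reader still holds the semaphore. */
static int down_write_trylock(struct model_rwsem *s) { return s->readers == 0; }

struct model_ldata { int received; };
struct model_tty {
    struct model_rwsem termios_rwsem;
    struct model_ldata *disc_data; /* NULL models the state behind the oops */
};

/* patched == 0: first draft quoted in the thread (early return only).
 * patched == 1: shape of the posted patch (unlock, then return). */
static int receive_buf(struct model_tty *tty, int count, int patched)
{
    struct model_ldata *ldata;

    down_read(&tty->termios_rwsem);
    ldata = tty->disc_data;
    if (!ldata) {
        if (patched)
            up_read(&tty->termios_rwsem); /* release before bailing out */
        return 0;                         /* draft: lock still held here */
    }
    ldata->received += count;
    up_read(&tty->termios_rwsem);
    return count;
}

/* Returns 1 if a writer could take the semaphore after one receive call. */
static int writer_ok_after(int patched, struct model_ldata *d)
{
    struct model_tty tty = { { 0 }, d };
    receive_buf(&tty, 8, patched);
    return down_write_trylock(&tty.termios_rwsem);
}

int main(void)
{
    struct model_ldata d = { 0 };
    printf("draft,   NULL disc_data: writer_ok=%d\n", writer_ok_after(0, NULL));
    printf("patched, NULL disc_data: writer_ok=%d\n", writer_ok_after(1, NULL));
    printf("patched, live disc_data: writer_ok=%d\n", writer_ok_after(1, &d));
    return 0;
}
```

In the draft case the reader count never returns to zero, so any later writer on the same semaphore would wait indefinitely.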