From: Tycho Andersen <tycho@tycho.ws>
To: Dmitry Safonov <dima@arista.com>
Cc: linux-kernel@vger.kernel.org,
"Dmitry Safonov" <0x7f454c46@gmail.com>,
"Daniel Axtens" <dja@axtens.net>,
"Dmitry Vyukov" <dvyukov@google.com>,
"Mark Rutland" <mark.rutland@arm.com>,
"Michael Neuling" <mikey@neuling.org>,
"Mikulas Patocka" <mpatocka@redhat.com>,
"Nathan March" <nathan@gt.net>, "Pasi Kärkkäinen" <pasik@iki.fi>,
"Peter Hurley" <peter@hurleysoftware.com>,
"Peter Zijlstra" <peterz@infradead.org>,
"Rong, Chen" <rong.a.chen@intel.com>,
"Sergey Senozhatsky" <sergey.senozhatsky.work@gmail.com>,
"Tan Xiaojun" <tanxiaojun@huawei.com>,
"Tetsuo Handa" <penguin-kernel@I-love.SAKURA.ne.jp>,
"Jiri Slaby" <jslaby@suse.cz>,
syzbot+3aa9784721dfb90e984d@syzkaller.appspotmail.com,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Jiri Slaby" <jslaby@suse.com>,
stable@vger.kernel.org
Subject: Re: [PATCHv6 2/7] tty: Hold tty_ldisc_lock() during tty_reopen()
Date: Fri, 9 Nov 2018 13:44:54 -0700
Message-ID: <20181109204454.GF3645@cisco>
In-Reply-To: <20181101002452.5483-3-dima@arista.com>
Hi,
On Thu, Nov 01, 2018 at 12:24:47AM +0000, Dmitry Safonov wrote:
> tty_ldisc_reinit() doesn't race with tty_ldisc_hangup(),
> set_ldisc() or tty_ldisc_release(), as they use the tty lock.
> But it races with anyone who expects the line discipline to be the same
> after holding the read semaphore in tty_ldisc_ref().
>
> We've seen the following crash on v4.9.108 stable:
>
> BUG: unable to handle kernel paging request at 0000000000002260
> IP: [..] n_tty_receive_buf_common+0x5f/0x86d
> Workqueue: events_unbound flush_to_ldisc
> Call Trace:
> [..] n_tty_receive_buf2
> [..] tty_ldisc_receive_buf
> [..] flush_to_ldisc
> [..] process_one_work
> [..] worker_thread
> [..] kthread
> [..] ret_from_fork
>
> tty_ldisc_reinit() should be called with ldisc_sem held for writing,
> which will protect any reader against line discipline changes.
>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: Jiri Slaby <jslaby@suse.com>
> Cc: stable@vger.kernel.org # b027e2298bd5 ("tty: fix data race between tty_init_dev and flush of buf")
> Reviewed-by: Jiri Slaby <jslaby@suse.cz>
> Reported-by: syzbot+3aa9784721dfb90e984d@syzkaller.appspotmail.com
> Tested-by: Mark Rutland <mark.rutland@arm.com>
> Tested-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Feel free to add
Tested-by: Tycho Andersen <tycho@tycho.ws>
to this as well. We've recently seen this bug (well, the one that
syzbot reported), and this patch fixes it.
Tycho
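As an added illustration, not code from the patch or the kernel, the locking rule in the commit message quoted above reduced to a single-threaded userspace model: a read side standing in for tty_ldisc_ref(), a write side standing in for tty_ldisc_lock() around tty_ldisc_reinit(). The counters, the struct layouts, the model_* names and the N_TTY stand-ins are assumptions of the model.

```c
/* Userspace model (added here, not kernel code) of the rule in the commit
 * message: reinit only under the write side of ldisc_sem, so a reader that
 * pinned the ldisc via tty_ldisc_ref() never sees it change underneath it. */
#include <errno.h>
#include <stddef.h>

struct tty_ldisc { int num; };
/* Two plain counters stand in for ldisc_sem; only lock discipline is modelled. */
struct tty_struct { int sem_readers, sem_writer; struct tty_ldisc *ldisc; };

/* Like tty_ldisc_ref(): take the read side and pin the current ldisc;
 * NULL while a writer holds the semaphore. */
static struct tty_ldisc *model_ldisc_ref(struct tty_struct *tty)
{
    if (tty->sem_writer) return NULL;
    tty->sem_readers++;
    return tty->ldisc;
}
static void model_ldisc_deref(struct tty_struct *tty) { tty->sem_readers--; }

/* Buggy shape: reinit with no write side. A pinned reader's pointer goes
 * stale, the situation behind the flush_to_ldisc crash quoted above. */
static void reinit_unlocked(struct tty_struct *tty, struct tty_ldisc *ld) { tty->ldisc = ld; }

/* Fixed shape: take the write side first, as tty_ldisc_lock() does in the
 * patch. Refused (here: -EBUSY) while any reader still pins the ldisc. */
static int reinit_locked(struct tty_struct *tty, struct tty_ldisc *ld)
{
    if (tty->sem_writer || tty->sem_readers) return -EBUSY;
    tty->sem_writer = 1;
    tty->ldisc = ld;                 /* tty_ldisc_reinit() would run here */
    tty->sem_writer = 0;
    return 0;
}

/* Scenario: a reader pins N_TTY; the unlocked reinit tears its view, the
 * locked one refuses until the reader lets go. 0 = expected, else the step. */
int model_scenario(void)
{
    struct tty_ldisc n_tty = { 0 }, n_other = { 1 };
    struct tty_struct tty = { 0, 0, &n_tty };
    struct tty_ldisc *pinned = model_ldisc_ref(&tty);
    if (pinned != &n_tty) return 1;
    reinit_unlocked(&tty, &n_other);
    if (tty.ldisc == pinned) return 2;      /* reader now holds a stale ldisc */
    tty.ldisc = &n_tty;
    if (reinit_locked(&tty, &n_other) != -EBUSY) return 3;
    model_ldisc_deref(&tty);
    if (reinit_locked(&tty, &n_other) != 0) return 4;
    return tty.ldisc == &n_other ? 0 : 5;
}
```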