* [PATCH] n_tty: fix data race in n_tty_poll()
@ 2025-05-10 16:38 Jeongjun Park
2025-05-12 6:21 ` kernel test robot
2025-05-21 11:27 ` Greg KH
0 siblings, 2 replies; 3+ messages in thread
From: Jeongjun Park @ 2025-05-10 16:38 UTC (permalink / raw)
To: gregkh, jirislaby; +Cc: linux-kernel, linux-serial, Jeongjun Park
I found data-race in my fuzzer:
==================================================================
BUG: KCSAN: data-race in n_tty_poll / tty_set_termios
read to 0xffff8880116b4d14 of 4 bytes by task 5443 on cpu 0:
n_tty_poll+0xa4/0x4c0 drivers/tty/n_tty.c:2452
tty_poll+0x8f/0x100 drivers/tty/tty_io.c:2208
vfs_poll include/linux/poll.h:82 [inline]
select_poll_one fs/select.c:480 [inline]
do_select+0x95f/0x1030 fs/select.c:536
core_sys_select+0x284/0x6d0 fs/select.c:677
....
write to 0xffff8880116b4d08 of 44 bytes by task 14547 on cpu 1:
tty_set_termios+0xf9/0x500 drivers/tty/tty_ioctl.c:339
set_termios.part.0+0x3bc/0x4d0 drivers/tty/tty_ioctl.c:520
set_termios drivers/tty/tty_ioctl.c:454 [inline]
tty_mode_ioctl+0x2db/0xa00 drivers/tty/tty_ioctl.c:807
n_tty_ioctl_helper+0x4e/0x230 drivers/tty/tty_ioctl.c:986
n_tty_ioctl+0x67/0x230 drivers/tty/n_tty.c:2509
....
==================================================================
In n_tty_poll() we are doing a read on tty->termios but we are missing
rwsem lock, which causes a concurrency problem. To fix this, we need to
add rwsem lock at the appropriate location.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
---
drivers/tty/n_tty.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index 6af3f3a0b531..36b41374e1bd 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -2449,6 +2449,8 @@ static __poll_t n_tty_poll(struct tty_struct *tty, struct file *file,
poll_wait(file, &tty->read_wait, wait);
poll_wait(file, &tty->write_wait, wait);
+
+ down_read(&tty->termios_rwsem);
if (input_available_p(tty, 1))
mask |= EPOLLIN | EPOLLRDNORM;
else {
@@ -2456,6 +2458,8 @@ static __poll_t n_tty_poll(struct tty_struct *tty, struct file *file,
if (input_available_p(tty, 1))
mask |= EPOLLIN | EPOLLRDNORM;
}
+ up_read(&tty->termios_rwsem);
+
if (tty->ctrl.packet && tty->link->ctrl.pktstatus)
mask |= EPOLLPRI | EPOLLIN | EPOLLRDNORM;
if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
--
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] n_tty: fix data race in n_tty_poll()
2025-05-10 16:38 [PATCH] n_tty: fix data race in n_tty_poll() Jeongjun Park
@ 2025-05-12 6:21 ` kernel test robot
2025-05-21 11:27 ` Greg KH
1 sibling, 0 replies; 3+ messages in thread
From: kernel test robot @ 2025-05-12 6:21 UTC (permalink / raw)
To: Jeongjun Park
Cc: oe-lkp, lkp, linux-kernel, linux-serial, gregkh, jirislaby,
Jeongjun Park, oliver.sang
Hello,
kernel test robot noticed "WARNING:possible_circular_locking_dependency_detected" on:
commit: 6145aac371f6e1aae92b20b04bf6f4e7b3c46657 ("[PATCH] n_tty: fix data race in n_tty_poll()")
url: https://github.com/intel-lab-lkp/linux/commits/Jeongjun-Park/n_tty-fix-data-race-in-n_tty_poll/20250511-004004
base: https://git.kernel.org/cgit/linux/kernel/git/gregkh/tty.git tty-testing
patch link: https://lore.kernel.org/all/20250510163828.21963-1-aha310510@gmail.com/
patch subject: [PATCH] n_tty: fix data race in n_tty_poll()
in testcase: boot
config: x86_64-randconfig-075-20250511
compiler: gcc-11
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
(please refer to attached dmesg/kmsg for entire log/backtrace)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202505121345.9f8944dc-lkp@intel.com
[ 42.238614][ T205] WARNING: possible circular locking dependency detected
[ 42.239002][ T205] 6.15.0-rc4-00081-g6145aac371f6 #1 Tainted: G T
[ 42.239551][ T205] ------------------------------------------------------
[ 42.239965][ T205] bootlogd/205 is trying to acquire lock:
[ 42.240305][ T205] ffff88812c1d6428 ((work_completion)(&buf->work)){+.+.}-{0:0}, at: start_flush_work (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:3922 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:4176)
[ 42.240960][ T205]
[ 42.240960][ T205] but task is already holding lock:
[ 42.241424][ T205] ffff888185dc0ea8 (&tty->termios_rwsem){++++}-{4:4}, at: n_tty_poll (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/n_tty.c:2454)
[ 42.242126][ T205]
[ 42.242126][ T205] which lock already depends on the new lock.
[ 42.242126][ T205]
[ 42.242789][ T205]
[ 42.242789][ T205] the existing dependency chain (in reverse order) is:
[ 42.243312][ T205]
[ 42.243312][ T205] -> #2 (&tty->termios_rwsem){++++}-{4:4}:
[ 42.243783][ T205] validate_chain (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3286 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3909)
[ 42.244098][ T205] __lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5235)
[ 42.244404][ T205] lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:472 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5868)
[ 42.244701][ T205] down_write (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/rwsem.c:1578)
[ 42.244977][ T205] n_tty_flush_buffer (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/n_tty.c:353)
[ 42.245369][ T205] tty_buffer_flush (kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/instrumented.h:96 kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/atomic/atomic-instrumented.h:592 kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/tty_buffer.c:243)
[ 42.245806][ T205] tty_ldisc_flush (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/tty_ldisc.c:389)
[ 42.246122][ T205] tty_port_close_start (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/tty_port.c:647)
[ 42.246453][ T205] tty_port_close (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/tty_port.c:698)
[ 42.246742][ T205] tty_release (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/tty_io.c:1748)
[ 42.247038][ T205] __fput (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/file_table.c:466)
[ 42.247308][ T205] fput_close_sync (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/file_table.c:568)
[ 42.247741][ T205] __do_sys_close (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/open.c:1583)
[ 42.248156][ T205] do_syscall_64 (kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/entry/syscall_64.c:63 kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/entry/syscall_64.c:94)
[ 42.248453][ T205] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 42.248829][ T205]
[ 42.248829][ T205] -> #1 (&buf->lock){+.+.}-{4:4}:
[ 42.249243][ T205] validate_chain (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3286 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3909)
[ 42.249545][ T205] __lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5235)
[ 42.249834][ T205] lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:472 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5868)
[ 42.250121][ T205] __mutex_lock (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/mutex.c:603 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/mutex.c:746)
[ 42.250402][ T205] flush_to_ldisc (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/tty_buffer.c:470)
[ 42.250692][ T205] process_one_work (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:3243)
[ 42.250994][ T205] process_scheduled_works (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:3319)
[ 42.251317][ T205] worker_thread (kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/list.h:373 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:946 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:3401)
[ 42.251601][ T205] kthread (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/kthread.c:464)
[ 42.251859][ T205] ret_from_fork (kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/kernel/process.c:159)
[ 42.252137][ T205] ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
[ 42.252430][ T205]
[ 42.252430][ T205] -> #0 ((work_completion)(&buf->work)){+.+.}-{0:0}:
[ 42.252920][ T205] check_noncircular (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:2215)
[ 42.253211][ T205] check_prev_add (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3167)
[ 42.253512][ T205] validate_chain (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3286 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3909)
[ 42.253799][ T205] __lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5235)
[ 42.254086][ T205] lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:472 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5868)
[ 42.254363][ T205] start_flush_work (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:3923 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:4176)
[ 42.254660][ T205] __flush_work (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:4208)
[ 42.254939][ T205] n_tty_poll (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/n_tty.c:2458)
[ 42.255204][ T205] tty_poll (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/tty_io.c:2199)
[ 42.255467][ T205] do_select (kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/file.h:62 kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/file.h:83 kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:469 kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:536)
[ 42.255733][ T205] core_sys_select (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:677)
[ 42.256025][ T205] kern_select (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:719)
[ 42.256299][ T205] __x64_sys_select (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:722)
[ 42.256586][ T205] do_syscall_64 (kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/entry/syscall_64.c:63 kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/entry/syscall_64.c:94)
[ 42.256861][ T205] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 42.257211][ T205]
[ 42.257211][ T205] other info that might help us debug this:
[ 42.257211][ T205]
[ 42.257768][ T205] Chain exists of:
[ 42.257768][ T205] (work_completion)(&buf->work) --> &buf->lock --> &tty->termios_rwsem
[ 42.257768][ T205]
[ 42.258538][ T205] Possible unsafe locking scenario:
[ 42.258538][ T205]
[ 42.258942][ T205] CPU0 CPU1
[ 42.259235][ T205] ---- ----
[ 42.259528][ T205] rlock(&tty->termios_rwsem);
[ 42.259799][ T205] lock(&buf->lock);
[ 42.260157][ T205] lock(&tty->termios_rwsem);
[ 42.260556][ T205] lock((work_completion)(&buf->work));
[ 42.260867][ T205]
[ 42.260867][ T205] *** DEADLOCK ***
[ 42.260867][ T205]
[ 42.261306][ T205] 3 locks held by bootlogd/205:
[ 42.261585][ T205] #0: ffff888185dc0cb0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/tty_ldisc.c:244)
[ 42.262123][ T205] #1: ffff888185dc0ea8 (&tty->termios_rwsem){++++}-{4:4}, at: n_tty_poll (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/n_tty.c:2454)
[ 42.262647][ T205] #2: ffffffff851e6d60 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/rcupdate.h:331)
[ 42.263222][ T205]
[ 42.263222][ T205] stack backtrace:
[ 42.263550][ T205] CPU: 0 UID: 0 PID: 205 Comm: bootlogd Tainted: G T 6.15.0-rc4-00081-g6145aac371f6 #1 NONE
[ 42.263560][ T205] Tainted: [T]=RANDSTRUCT
[ 42.263562][ T205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 42.263567][ T205] Call Trace:
[ 42.263572][ T205] <TASK>
[ 42.263576][ T205] dump_stack_lvl (kbuild/obj/consumer/x86_64-randconfig-075-20250511/lib/dump_stack.c:122 (discriminator 4))
[ 42.263586][ T205] print_circular_bug (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:2082 (discriminator 1))
[ 42.263592][ T205] check_noncircular (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:2215)
[ 42.263599][ T205] check_prev_add (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3167)
[ 42.263604][ T205] ? local_clock_noinstr (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/sched/clock.c:301)
[ 42.263610][ T205] validate_chain (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3286 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3909)
[ 42.263616][ T205] __lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5235)
[ 42.263622][ T205] lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:472 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5868)
[ 42.263627][ T205] ? start_flush_work (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:3922 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:4176)
[ 42.263633][ T205] ? mark_held_locks (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:4326)
[ 42.263638][ T205] ? start_flush_work (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:3922 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:4176)
[ 42.263644][ T205] start_flush_work (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:3923 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:4176)
[ 42.263649][ T205] ? start_flush_work (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:3922 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:4176)
[ 42.263655][ T205] ? tty_buffer_free (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/tty_buffer.c:463)
[ 42.263660][ T205] __flush_work (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:4208)
[ 42.263666][ T205] ? start_flush_work (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:4199)
[ 42.263671][ T205] ? __rwsem_set_reader_owned (kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/include/asm/atomic64_64.h:20 kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/atomic/atomic-arch-fallback.h:2629 kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/atomic/atomic-long.h:79 kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/atomic/atomic-instrumented.h:3224 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/rwsem.c:176)
[ 42.263679][ T205] ? flush_workqueue_prep_pwqs (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:3733)
[ 42.263690][ T205] n_tty_poll (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/n_tty.c:2458)
[ 42.263696][ T205] tty_poll (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/tty_io.c:2199)
[ 42.263702][ T205] do_select (kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/file.h:62 kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/file.h:83 kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:469 kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:536)
[ 42.263712][ T205] ? select_estimate_accuracy (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:484)
[ 42.263717][ T205] ? validate_chain (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3824 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3877)
[ 42.263721][ T205] ? mark_lock (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:4726 (discriminator 3))
[ 42.263725][ T205] ? validate_chain (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3824 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3877)
[ 42.263729][ T205] ? mark_lock (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:4726 (discriminator 3))
[ 42.263733][ T205] ? __must_check_overflow (kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/err.h:70)
[ 42.263743][ T205] ? rcu_lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/rcupdate.h:341)
[ 42.263749][ T205] ? rcu_lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/rcupdate.h:341)
[ 42.263755][ T205] ? tracer_hardirqs_off (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/trace/trace_irqsoff.c:641)
[ 42.263762][ T205] ? mark_lock (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:4726 (discriminator 3))
[ 42.263767][ T205] ? validate_chain (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3824 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3877)
[ 42.263771][ T205] ? mark_lock (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:4726 (discriminator 3))
[ 42.263776][ T205] ? validate_chain (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3824 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3877)
[ 42.263780][ T205] ? mark_lock (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:4726 (discriminator 3))
[ 42.263785][ T205] ? __lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5235)
[ 42.263790][ T205] ? lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:472 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5868)
[ 42.263795][ T205] ? __might_fault (kbuild/obj/consumer/x86_64-randconfig-075-20250511/mm/memory.c:7151)
[ 42.263804][ T205] ? __might_fault (kbuild/obj/consumer/x86_64-randconfig-075-20250511/mm/memory.c:7151)
[ 42.263809][ T205] ? kvm_sched_clock_read (kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/kernel/kvmclock.c:91)
[ 42.263813][ T205] ? local_clock_noinstr (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/sched/clock.c:301)
[ 42.263817][ T205] ? local_clock (kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/include/asm/preempt.h:85 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/sched/clock.c:316)
[ 42.263825][ T205] ? __lock_release (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5542)
[ 42.263829][ T205] ? __might_fault (kbuild/obj/consumer/x86_64-randconfig-075-20250511/mm/memory.c:7151)
[ 42.263835][ T205] ? __asan_memset (kbuild/obj/consumer/x86_64-randconfig-075-20250511/mm/kasan/shadow.c:84)
[ 42.263842][ T205] core_sys_select (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:677)
[ 42.263849][ T205] ? __x64_compat_sys_ppoll_time64 (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:623)
[ 42.263854][ T205] ? _raw_spin_unlock_irqrestore (kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/include/asm/irqflags.h:42 kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/include/asm/irqflags.h:119 kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/include/asm/irqflags.h:159 kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/spinlock_api_smp.h:151 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/spinlock.c:194)
[ 42.263864][ T205] ? ktime_get_ts64 (kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/seqlock.h:226 (discriminator 1) kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/time/timekeeping.c:891 (discriminator 1))
[ 42.263871][ T205] ? timespec64_add_safe (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/time/time.c:854)
[ 42.263878][ T205] ? nsec_to_clock_t (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/time/time.c:848)
[ 42.263883][ T205] ? seqcount_lockdep_reader_access (kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/include/asm/irqflags.h:42 (discriminator 1) kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/include/asm/irqflags.h:119 (discriminator 1) kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/include/asm/irqflags.h:159 (discriminator 1) kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/seqlock.h:74 (discriminator 1))
[ 42.263890][ T205] ? ktime_get_ts64 (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/time/timekeeping.c:896 (discriminator 4))
[ 42.263896][ T205] kern_select (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:719)
[ 42.263901][ T205] ? core_sys_select (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:702)
[ 42.263906][ T205] ? tracer_hardirqs_on (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/trace/trace_irqsoff.c:634)
[ 42.263911][ T205] ? syscall_exit_to_user_mode (kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/entry-common.h:361 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/entry/common.c:220)
[ 42.263917][ T205] __x64_sys_select (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:722)
[ 42.263922][ T205] do_syscall_64 (kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/entry/syscall_64.c:63 kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/entry/syscall_64.c:94)
[ 42.263929][ T205] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 42.263934][ T205] RIP: 0033:0x7f0bac4a3e97
[ 42.263941][ T205] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8d 05 a9 a3 0c 00 49 89 ca 8b 00 85 c0 75 10 b8 17 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 61 c3 41 56 49 89 f6 41 55 4d 89 c5 41 54 49
All code
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20250512/202505121345.9f8944dc-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH] n_tty: fix data race in n_tty_poll()
2025-05-10 16:38 [PATCH] n_tty: fix data race in n_tty_poll() Jeongjun Park
2025-05-12 6:21 ` kernel test robot
@ 2025-05-21 11:27 ` Greg KH
1 sibling, 0 replies; 3+ messages in thread
From: Greg KH @ 2025-05-21 11:27 UTC (permalink / raw)
To: Jeongjun Park; +Cc: jirislaby, linux-kernel, linux-serial
On Sun, May 11, 2025 at 01:38:27AM +0900, Jeongjun Park wrote:
> I found data-race in my fuzzer:
>
> ==================================================================
> BUG: KCSAN: data-race in n_tty_poll / tty_set_termios
>
> read to 0xffff8880116b4d14 of 4 bytes by task 5443 on cpu 0:
> n_tty_poll+0xa4/0x4c0 drivers/tty/n_tty.c:2452
> tty_poll+0x8f/0x100 drivers/tty/tty_io.c:2208
> vfs_poll include/linux/poll.h:82 [inline]
> select_poll_one fs/select.c:480 [inline]
> do_select+0x95f/0x1030 fs/select.c:536
> core_sys_select+0x284/0x6d0 fs/select.c:677
> ....
>
> write to 0xffff8880116b4d08 of 44 bytes by task 14547 on cpu 1:
> tty_set_termios+0xf9/0x500 drivers/tty/tty_ioctl.c:339
> set_termios.part.0+0x3bc/0x4d0 drivers/tty/tty_ioctl.c:520
> set_termios drivers/tty/tty_ioctl.c:454 [inline]
> tty_mode_ioctl+0x2db/0xa00 drivers/tty/tty_ioctl.c:807
> n_tty_ioctl_helper+0x4e/0x230 drivers/tty/tty_ioctl.c:986
> n_tty_ioctl+0x67/0x230 drivers/tty/n_tty.c:2509
> ....
> ==================================================================
>
> In n_tty_poll() we are doing a read on tty->termios but we are missing
> rwsem lock, which causes a concurrency problem. To fix this, we need to
> add rwsem lock at the appropriate location.
Does this "concurrency problem" actually cause a real issue?
As the tools point out, your change will not work as you will have a
locking deadlock, which makes me wonder how you tested it?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-05-21 11:27 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-05-10 16:38 [PATCH] n_tty: fix data race in n_tty_poll() Jeongjun Park
2025-05-12 6:21 ` kernel test robot
2025-05-21 11:27 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox