From: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
To: DaeRyong Jeong <threeearcat@gmail.com>
Cc: gregkh@linuxfoundation.org, jslaby@suse.com,
byoungyoung@purdue.edu, kt0755@gmail.com, bammanag@purdue.edu,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] tty: Fix data race in tty_insert_flip_string_fixed_flag
Date: Wed, 25 Apr 2018 15:39:48 +0100 [thread overview]
Message-ID: <20180425153948.7be2bc57@alans-desktop> (raw)
In-Reply-To: <20180425132047.GA20337@dragonet.kaist.ac.kr>
On Wed, 25 Apr 2018 22:20:50 +0900
DaeRyong Jeong <threeearcat@gmail.com> wrote:
> tty_insert_flip_string_fixed_flag() copies chars to the buffer indicated
> by th->used and updates tb->used.
> But tty_insert_flip_string_fixed_flag() can be executed concurrently and
> tb->used can be updated improperly.
The tty input layer does not work if it can be executed concurrently. If
that is happening in the pty code then the pty code is buggy and that
needs serializing on the inbound path.
> -static void tty_write_unlock(struct tty_struct *tty)
> +void tty_write_unlock(struct tty_struct *tty, int wakeup)
> {
> mutex_unlock(&tty->atomic_write_lock);
> - wake_up_interruptible_poll(&tty->write_wait, EPOLLOUT);
> + if (wakeup) {
> + wake_up_interruptible_poll(&tty->write_wait, EPOLLOUT);
> + }
And this may cause deadlocks.
You don't actually need any of the wakeup changes in your code
> diff --git a/drivers/tty/tty_ioctl.c b/drivers/tty/tty_ioctl.c
> index d9b561d89432..a54ab91aec90 100644
> --- a/drivers/tty/tty_ioctl.c
> +++ b/drivers/tty/tty_ioctl.c
> @@ -911,12 +911,17 @@ int n_tty_ioctl_helper(struct tty_struct *tty, struct file *file,
> spin_unlock_irq(&tty->flow_lock);
> break;
> case TCOON:
> + if (tty_write_lock(tty, 0) < 0)
> + return -ERESTARTSYS;
> +
> spin_lock_irq(&tty->flow_lock);
> if (tty->flow_stopped) {
> tty->flow_stopped = 0;
> __start_tty(tty);
> }
> spin_unlock_irq(&tty->flow_lock);
> +
> + tty_write_unlock(tty, 0);
If you just used these unmodified it would be simpler and as good,
however it won't actually fix anything. The pty layer is broken not this
code.
The tty layer rule for all the input buffer handling is that you may not
call *any* of it from multiple threads at once. This works fine for
normal serial because the IRQ layer or the polling logic has that
property.
The bug looks real, your diagnosis looks right, your fix sort of works
but isn't sufficient.
So NAK.
Alan
next prev parent reply other threads:[~2018-04-25 14:39 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-25 13:20 [PATCH] tty: Fix data race in tty_insert_flip_string_fixed_flag DaeRyong Jeong
2018-04-25 13:41 ` Greg KH
2018-04-25 17:42 ` DaeRyong Jeong
2018-04-25 14:39 ` Alan Cox [this message]
2018-04-25 17:54 ` DaeRyong Jeong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180425153948.7be2bc57@alans-desktop \
--to=gnomes@lxorguk.ukuu.org.uk \
--cc=bammanag@purdue.edu \
--cc=byoungyoung@purdue.edu \
--cc=gregkh@linuxfoundation.org \
--cc=jslaby@suse.com \
--cc=kt0755@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=threeearcat@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox