From: Peter Hurley <peter@hurleysoftware.com>
To: Mikulas Patocka <mpatocka@redhat.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jslaby@suse.com>,
linux-kernel@vger.kernel.org
Subject: Re: tty crash in Linux 4.6
Date: Mon, 16 May 2016 16:36:54 -0700 [thread overview]
Message-ID: <573A5996.3080305@hurleysoftware.com> (raw)
In-Reply-To: <alpine.LRH.2.02.1605161555430.8188@file01.intranet.prod.int.rdu2.redhat.com>
Hi Mikulas,
On 05/16/2016 01:12 PM, Mikulas Patocka wrote:
> Hi
>
> In the kernel 4.6 I get crashes in the tty layer. I can reproduce the
> crash by logging into the machine with ssh and typing before the prompt
> appears.
Thanks for the report.
I tried to reproduce this a number of times on different machines
with no luck.
> The crash is caused by the pointer tty->disc_data being NULL in the
> function n_tty_receive_buf_common. The crash happens on the statement
> smp_load_acquire(&ldata->read_tail).
>
> Bisecting shows that the crashes are caused by the patch
> 892d1fa7eaaed9d3c04954cb140c34ebc3393932 ("tty: Destroy ldisc instance on
> hangup").
Can you try the test patch below?
Regards,
Peter Hurley
> Kernel Fault: Code=15 regs=000000007d9e0720 (Addr=0000000000002260)
> CPU: 0 PID: 3319 Comm: kworker/u8:0 Not tainted 4.6.0 #1
> Workqueue: events_unbound flush_to_ldisc
> task: 000000007c25ea80 ti: 000000007d9e0000 task.ti: 000000007d9e0000
>
> YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
> PSW: 00001000000001000000000000001111 Not tainted
> r00-03 000000000804000f 000000004076cd10 0000000040475fb4 000000007f761800
> r04-07 0000000040749510 0000000000000001 000000007f761800 000000007d9e0490
> r08-11 000000007e722890 0000000000000000 000000007da4ec00 000000007f763823
> r12-15 0000000000000000 000000007fc08ea8 000000007fc08c78 000000004080e080
> r16-19 000000007fc08c00 0000000000000001 0000000000000000 0000000000002260
> r20-23 000000007f7618b0 000000007c25ea80 0000000000000001 0000000000000001
> r24-27 0000000000000000 000000000800000f 000000007f7618ac 0000000040749510
> r28-31 0000000000000001 000000007d9e0840 000000007d9e0720 0000000000000001
> sr00-03 00000000086c8800 0000000000000000 0000000000000000 00000000086c8800
> sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>
> IASQ: 0000000000000000 0000000000000000 IAOQ: 0000000040475fd4 0000000040475fd8
> IIR: 0e6c00d5 ISR: 0000000000000000 IOR: 0000000000002260
> CPU: 0 CR30: 000000007d9e0000 CR31: ff87e7ffbc9ffffe
> ORIG_R28: 000000004080a180
> IAOQ[0]: n_tty_receive_buf_common+0xb4/0xbe0
> IAOQ[1]: n_tty_receive_buf_common+0xb8/0xbe0
> RP(r2): n_tty_receive_buf_common+0x94/0xbe0
> Backtrace:
> [<0000000040476b14>] n_tty_receive_buf2+0x14/0x20
> [<000000004047a208>] tty_ldisc_receive_buf+0x30/0x90
> [<000000004047a544>] flush_to_ldisc+0x144/0x1c8
> [<00000000402556bc>] process_one_work+0x1b4/0x460
> [<0000000040255bbc>] worker_thread+0x1e4/0x5e0
> [<000000004025d454>] kthread+0x134/0x168
--- >% ---
diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c
index 68947f6..f271832 100644
--- a/drivers/tty/tty_ldisc.c
+++ b/drivers/tty/tty_ldisc.c
@@ -653,7 +653,7 @@ static void tty_reset_termios(struct tty_struct *tty)
* Returns 0 if successful, otherwise error code < 0
*/
-int tty_ldisc_reinit(struct tty_struct *tty, int disc)
+static int __tty_ldisc_reinit(struct tty_struct *tty, int disc)
{
struct tty_ldisc *ld;
int retval;
@@ -682,6 +682,16 @@ int tty_ldisc_reinit(struct tty_struct *tty, int disc)
return retval;
}
+int tty_ldisc_reinit(struct tty_struct *tty, int disc)
+{
+ int retval;
+
+ tty_ldisc_lock(tty, MAX_SCHEDULE_TIMEOUT);
+ retval = __tty_ldisc_reinit(tty, disc);
+ tty_ldisc_unlock(tty);
+ return retval;
+}
+
/**
* tty_ldisc_hangup - hangup ldisc reset
* @tty: tty being hung up
@@ -732,8 +742,8 @@ void tty_ldisc_hangup(struct tty_struct *tty, bool reinit)
if (tty->ldisc) {
if (reinit) {
- if (tty_ldisc_reinit(tty, tty->termios.c_line) < 0)
- tty_ldisc_reinit(tty, N_TTY);
+ if (__tty_ldisc_reinit(tty, tty->termios.c_line) < 0)
+ __tty_ldisc_reinit(tty, N_TTY);
} else
tty_ldisc_kill(tty);
}
next prev parent reply other threads:[~2016-05-16 23:37 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-16 20:12 tty crash in Linux 4.6 Mikulas Patocka
2016-05-16 23:36 ` Peter Hurley [this message]
2016-05-17 15:57 ` Peter Hurley
2016-05-17 18:09 ` Peter Hurley
2016-05-17 21:26 ` Mikulas Patocka
2016-07-07 22:57 ` Mikulas Patocka
2017-03-11 0:31 ` Michael Neuling
2018-03-22 13:48 ` Daniel Axtens
2018-03-22 14:05 ` Greg Kroah-Hartman
2018-03-27 12:18 ` Mikulas Patocka
2018-04-11 16:09 ` Daniel Axtens
2019-11-15 19:21 ` Mike Kravetz
2019-11-16 9:36 ` Greg Kroah-Hartman
2019-12-03 15:17 ` Mikulas Patocka
2019-12-03 19:14 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=573A5996.3080305@hurleysoftware.com \
--to=peter@hurleysoftware.com \
--cc=gregkh@linuxfoundation.org \
--cc=jslaby@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mpatocka@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox