From: John Ogness <john.ogness@linutronix.de>
To: Petr Mladek <pmladek@suse.com>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>,
Steven Rostedt <rostedt@goodmis.org>,
Marcos Paulo de Souza <mpdesouza@suse.com>,
Chris Down <chris@chrisdown.name>,
linux-kernel@vger.kernel.org, Petr Mladek <pmladek@suse.com>
Subject: Re: [PATCH v2 4/9] printk: Cleanup _braille_(un)register_console() wrappers
Date: Fri, 15 May 2026 14:57:43 +0206 [thread overview]
Message-ID: <87ik8o7s4g.fsf@jogness.linutronix.de> (raw)
In-Reply-To: <20260423130015.85175-5-pmladek@suse.com>
On 2026-04-23, Sashiko wrote:
>> diff --git a/drivers/accessibility/braille/braille_console.c b/drivers/accessibility/braille/braille_console.c
>> index 06b43b678d6e..7b324329882f 100644
>> --- a/drivers/accessibility/braille/braille_console.c
>> +++ b/drivers/accessibility/braille/braille_console.c
>> @@ -360,12 +360,12 @@ int braille_register_console(struct console *console, int index,
>> if (ret != 0)
>> return ret;
>> }
>> - console->flags |= CON_ENABLED;
>> + console->flags |= CON_ENABLED | CON_BRL;
>> console->index = index;
>> braille_co = console;
>> register_keyboard_notifier(&keyboard_notifier_block);
>> register_vt_notifier(&vt_notifier_block);
>> - return 1;
>> + return 0;
>> }
>
> While reviewing this function, I noticed a pre-existing
> regression. The printk subsystem relies on console_lock() to serialize
> console setup against boot consoles that might be actively printing to
> the same hardware port. For normal consoles, this synchronization is
> handled explicitly:
>
> kernel/printk/printk.c:console_call_setup() {
> ...
> console_lock();
> err = newcon->setup(newcon, options);
> console_unlock();
> ...
> }
>
> However, it looks like braille_register_console() bypasses this
> protection and directly invokes console->setup() just above this block
> without acquiring console_lock().
>
> Could this unprotected setup call cause a data race or hardware state
> corruption if the underlying driver shares the hardware with an active
> boot console?
I do not know enough about braille consoles if they can also be early
consoles, but it makes sense to synchronize the ->setup()
callback. Something like this:
--- a/drivers/accessibility/braille/braille_console.c
+++ b/drivers/accessibility/braille/braille_console.c
@@ -356,7 +356,9 @@ int braille_register_console(struct console *console, int index,
if (braille_co)
return -ENODEV;
if (console->setup) {
+ console_lock();
ret = console->setup(console, console_options);
+ console_unlock();
if (ret != 0)
return ret;
}
>> int braille_unregister_console(struct console *console)
>> @@ -375,5 +375,6 @@ int braille_unregister_console(struct console *console)
>> unregister_keyboard_notifier(&keyboard_notifier_block);
>> unregister_vt_notifier(&vt_notifier_block);
>> braille_co = NULL;
>> - return 1;
>> + console->flags &= ~(CON_ENABLED | CON_BRL);
>> + return 0;
>> }
>
> This also appears to be a pre-existing regression. The
> unregister_keyboard_notifier() and unregister_vt_notifier() functions
> remove callbacks from atomic notifier chains. Since atomic notifiers
> execute their callbacks under RCU read lock, unregistering them only
> unlinks the node without blocking for concurrent callbacks to finish.
>
> By immediately clearing the global braille_co pointer and returning,
> could a concurrently executing keyboard_notifier_call that already
> passed the braille_co check on another CPU cause a use-after-free or
> null pointer dereference?
>
> Does this function need a synchronize_rcu() before returning to ensure
> all callbacks have completed?
atomic_notifier_chain_unregister() already calls synchronize_rcu()
before returning, so no action is needed here.
For this patch as it is:
Reviewed-by: John Ogness <john.ogness@linutronix.de>
(The console lock/unlock should be a separate patch.)
John
prev parent reply other threads:[~2026-05-15 12:51 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260423130015.85175-1-pmladek@suse.com>
[not found] ` <20260423130015.85175-6-pmladek@suse.com>
2026-05-05 17:56 ` [PATCH v2 5/9] printk: Separate code for enabling console Marcos Paulo de Souza
2026-05-15 12:57 ` John Ogness
[not found] ` <20260423130015.85175-2-pmladek@suse.com>
2026-05-08 14:22 ` [PATCH v2 1/9] printk: Rename struct console_cmdline to preferred_console John Ogness
[not found] ` <20260423130015.85175-3-pmladek@suse.com>
2026-05-15 9:07 ` [PATCH v2 2/9] printk: Rename preferred_console to preferred_dev_console John Ogness
[not found] ` <20260423130015.85175-4-pmladek@suse.com>
2026-05-05 17:47 ` [PATCH v2 3/9] printk: Separate code for adding/updating preferred console metadata Marcos Paulo de Souza
2026-05-15 10:23 ` John Ogness
2026-05-15 10:30 ` John Ogness
[not found] ` <20260423130015.85175-5-pmladek@suse.com>
2026-05-15 12:51 ` John Ogness [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ik8o7s4g.fsf@jogness.linutronix.de \
--to=john.ogness@linutronix.de \
--cc=chris@chrisdown.name \
--cc=linux-kernel@vger.kernel.org \
--cc=mpdesouza@suse.com \
--cc=pmladek@suse.com \
--cc=rostedt@goodmis.org \
--cc=senozhatsky@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox