From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail-pf1-f194.google.com ([209.85.210.194]:38686 "EHLO
        mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725997AbeKJG1O (ORCPT
        <rfc822;stable@vger.kernel.org>); Sat, 10 Nov 2018 01:27:14 -0500
Received: by mail-pf1-f194.google.com with SMTP id b11-v6so1444716pfi.5
        for <stable@vger.kernel.org>; Fri, 09 Nov 2018 12:44:59 -0800 (PST)
Date: Fri, 9 Nov 2018 13:44:54 -0700
From: Tycho Andersen <tycho@tycho.ws>
To: Dmitry Safonov <dima@arista.com>
Cc: linux-kernel@vger.kernel.org,
        Dmitry Safonov <0x7f454c46@gmail.com>,
        Daniel Axtens <dja@axtens.net>,
        Dmitry Vyukov <dvyukov@google.com>,
        Mark Rutland <mark.rutland@arm.com>,
        Michael Neuling <mikey@neuling.org>,
        Mikulas Patocka <mpatocka@redhat.com>,
        Nathan March <nathan@gt.net>,
        Pasi =?iso-8859-1?Q?K=E4rkk=E4inen?= <pasik@iki.fi>,
        Peter Hurley <peter@hurleysoftware.com>,
        Peter Zijlstra <peterz@infradead.org>,
        "Rong, Chen" <rong.a.chen@intel.com>,
        Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>,
        Tan Xiaojun <tanxiaojun@huawei.com>,
        Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
        Jiri Slaby <jslaby@suse.cz>,
        syzbot+3aa9784721dfb90e984d@syzkaller.appspotmail.com,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jiri Slaby <jslaby@suse.com>, stable@vger.kernel.org
Subject: Re: [PATCHv6 2/7] tty: Hold tty_ldisc_lock() during tty_reopen()
Message-ID: <20181109204454.GF3645@cisco>
References: <20181101002452.5483-1-dima@arista.com>
 <20181101002452.5483-3-dima@arista.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20181101002452.5483-3-dima@arista.com>
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

Hi,

On Thu, Nov 01, 2018 at 12:24:47AM +0000, Dmitry Safonov wrote:
> tty_ldisc_reinit() doesn't race with neither tty_ldisc_hangup()
> nor set_ldisc() nor tty_ldisc_release() as they use tty lock.
> But it races with anyone who expects line discipline to be the same
> after hoding read semaphore in tty_ldisc_ref().
> 
> We've seen the following crash on v4.9.108 stable:
> 
> BUG: unable to handle kernel paging request at 0000000000002260
> IP: [..] n_tty_receive_buf_common+0x5f/0x86d
> Workqueue: events_unbound flush_to_ldisc
> Call Trace:
>  [..] n_tty_receive_buf2
>  [..] tty_ldisc_receive_buf
>  [..] flush_to_ldisc
>  [..] process_one_work
>  [..] worker_thread
>  [..] kthread
>  [..] ret_from_fork
> 
> tty_ldisc_reinit() should be called with ldisc_sem hold for writing,
> which will protect any reader against line discipline changes.
> 
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: Jiri Slaby <jslaby@suse.com>
> Cc: stable@vger.kernel.org # b027e2298bd5 ("tty: fix data race between tty_init_dev and flush of buf")
> Reviewed-by: Jiri Slaby <jslaby@suse.cz>
> Reported-by: syzbot+3aa9784721dfb90e984d@syzkaller.appspotmail.com
> Tested-by: Mark Rutland <mark.rutland@arm.com>
> Tested-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>

Feel free to add

Tested-by: Tycho Andersen <tycho@tycho.ws>

to this as well. We've recently seen this bug (well, the one that
syzbot reported), and this patch fixes it.

Tycho