On Mon, Mar 20, 2017 at 10:21 AM, Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote: > On Mon, Mar 20, 2017 at 3:28 AM, Stephen Rothwell <sfr@xxxxxxxxxxxxxxxx> wrote: >> Hi Greg, >> >> Today's linux-next merge of the tty tree got a conflict in: >> >> drivers/tty/tty_ldisc.c >> >> between commit: >> >> 5362544bebe8 ("tty: don't panic on OOM in tty_set_ldisc()") >> >> from the tty.current tree and commit: >> >> 71472fa9c52b ("tty: Fix ldisc crash on reopened tty") >> >> from the tty tree. >> >> I fixed it up (see below) and can carry the fix as necessary. This >> is now fixed as far as linux-next is concerned, but any non trivial >> conflicts should be mentioned to your upstream maintainer when your tree >> is submitted for merging. You may also want to consider cooperating >> with the maintainer of the conflicting tree to minimise any particularly >> complex conflicts. >> >> -- >> Cheers, >> Stephen Rothwell >> >> diff --cc drivers/tty/tty_ldisc.c >> index b0500a0a87b8,4ee7742dced3..000000000000 >> --- a/drivers/tty/tty_ldisc.c >> +++ b/drivers/tty/tty_ldisc.c >> @@@ -621,14 -669,17 +621,15 @@@ int tty_ldisc_reinit(struct tty_struct >> tty_ldisc_put(tty->ldisc); >> } >> >> - /* switch the line discipline */ >> - tty->ldisc = ld; >> tty_set_termios_ldisc(tty, disc); >> - retval = tty_ldisc_open(tty, tty->ldisc); >> + retval = tty_ldisc_open(tty, ld); >> if (retval) { >> - tty_ldisc_put(tty->ldisc); >> - tty->ldisc = NULL; >> - if (!WARN_ON(disc == N_TTY)) { >> - tty_ldisc_put(ld); >> - ld = NULL; >> - } >> ++ tty_ldisc_put(ld); >> ++ ld = NULL; >> } >> + >> + /* switch the line discipline */ >> + smp_store_release(&tty->ldisc, ld); >> return retval; >> } >> > > > Peter, > > Looking at your patch "tty: Fix ldisc crash on reopened tty", I think > there is a missed barrier in tty_ldisc_ref. A single barrier does not > have any effect, they always need to be in pairs. So I think we also > need at least: > > @@ -295,7 +295,8 @@ struct tty_ldisc *tty_ldisc_ref(struct tty_struct *tty) > struct tty_ldisc *ld = NULL; > > if (ldsem_down_read_trylock(&tty->ldisc_sem)) { > - ld = tty->ldisc; > + ld = READ_ONCE(tty->ldisc); > + read_barrier_depends(); > if (!ld) > ldsem_up_read(&tty->ldisc_sem); > } > > > Or simply: > > @@ -295,7 +295,8 @@ struct tty_ldisc *tty_ldisc_ref(struct tty_struct *tty) > struct tty_ldisc *ld = NULL; > > if (ldsem_down_read_trylock(&tty->ldisc_sem)) { > - ld = tty->ldisc; > + /* pairs with smp_store_release in tty_ldisc_reinit */ > + ld = smp_load_acquire(&tty->ldisc); > if (!ld) > ldsem_up_read(&tty->ldisc_sem); > } I am also surprised that callers of tty_ldisc_reinit don't hold ldisc_sem. I thought that ldisc_sem is what's supposed to protect changes to ldisc. That would also auto fix the crash without any tricky barriers as flush_to_ldisc uses tty_ldisc_ref. -- To unsubscribe from this list: send the line "unsubscribe linux-next" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html