syzbot is reporting sleep in atomic context, for gsmld_write() is calling con_write() with spinlock held and IRQs disabled.

Since include/linux/tty_ldisc.h says that "struct tty_ldisc_ops"->write (e.g. gsmld_write()) is allowed to sleep and include/linux/tty_driver.h says that "struct tty_operations"->write (e.g. con_write()) is not allowed to sleep, we should handle this problem on the con_write() side.

It seems that "Andrew Morton: console locking merge" in 2.4.10-pre11 added an in_interrupt() check to do_con_write()/con_put_char()/con_flush_chars() in order to handle an exceptional caller. Since include/linux/preempt.h says that in_atomic() cannot know about held spinlocks in non-preemptible kernels, but gsmld_write() is calling con_write() with IRQs disabled, we can add an irqs_disabled() check to do_con_write()/con_flush_chars() in order to handle this case.

Though, I'm not sure whether returning the bytes to write is appropriate behavior when do_con_write() can't work...

Reported-by: syzbot+06fa1063cca8163ea541@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=06fa1063cca8163ea541
Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
--- drivers/tty/vt/vt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index 156efda7c80d..0d3d602ae147 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -2856,7 +2856,7 @@ static int do_con_write(struct tty_struct *tty, const u8 *buf, int count) struct vt_notifier_param param; bool rescan; - if (in_interrupt()) + if (in_interrupt() || irqs_disabled()) return count; console_lock(); @@ -3314,7 +3314,7 @@ static void con_flush_chars(struct tty_struct *tty) { struct vc_data *vc; - if (in_interrupt()) /* from flush_to_ldisc */ + if (in_interrupt() || irqs_disabled()) /* from flush_to_ldisc */ return; /* if we race with con_close(), vt may be null */ -- 2.18.4
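Review bot: In the do_con_write() hunk, the new irqs_disabled() branch still does "return count;", so a caller with IRQs off is told every byte was written while nothing reached the console, and the data is dropped silently. The commit message itself leaves open whether that return value is right. Please either return a value that tells the caller nothing was consumed, if the ldisc callers can cope with that, or add a comment above the check stating that output from such callers is discarded on purpose and why that is acceptable. The check also has no comment naming the caller it exists for (gsmld_write() per the description), and it only catches that caller because IRQs happen to be disabled there: as the description notes, a held spinlock alone is not detectable on non-preemptible kernels, so a caller holding a lock with IRQs enabled would still reach console_lock(). That limitation is worth recording next to the condition.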
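Review bot: In the con_flush_chars() hunk, the trailing comment "/* from flush_to_ldisc */" no longer describes the whole condition, because the added irqs_disabled() term is there for a different caller than the one the comment names. Please update the comment to cover both cases, for example by naming the IRQs-disabled write path from the commit description alongside flush_to_ldisc. The early "return;" also means the flush is skipped for that path, and nothing in the visible lines shows it being performed later, so the comment should say whether something else completes the flush or whether skipping it is intended.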