On 08/29/2018, 05:19 PM, Tetsuo Handa wrote:
> On 2018/08/29 11:23, Dmitry Safonov wrote:
>> tty_ldisc_reinit() doesn't race with either tty_ldisc_hangup()
>> or set_ldisc() or tty_ldisc_release(), as they use the tty lock.
>> But it races with anyone who expects the line discipline to be the same
>> after holding the read semaphore in tty_ldisc_ref().
>>
>> We've seen the following crash on v4.9.108 stable:
>>
>> BUG: unable to handle kernel paging request at 0000000000002260
>> IP: [..] n_tty_receive_buf_common+0x5f/0x86d
>> Workqueue: events_unbound flush_to_ldisc
>> Call Trace:
>> [..] n_tty_receive_buf2
>> [..] tty_ldisc_receive_buf
>> [..] flush_to_ldisc
>> [..] process_one_work
>> [..] worker_thread
>> [..] kthread
>> [..] ret_from_fork
>>
>> I think tty_ldisc_reinit() should be called with ldisc_sem held for
>> writing, which will protect any reader against line discipline changes.
>>
>> Note: I failed to reproduce the described crash, so obviously can't
>> guarantee that this is the place where the line discipline was switched.
>
> This will be the same as the report at
> https://syzkaller.appspot.com/bug?id=f08670354701fa64cc0dd3c0128a491bdb16adcc .
>
> syzbot is now testing a patch from Jiri Slaby.

Yes, my patch passed, so could you add:
Reported-by: syzbot+3aa9784721dfb90e984d@xxxxxxxxxxxxxxxxxxxxxxxxx

(not adding Tested-by as this particular patch was not tested, but it should
work the same way.)

thanks,
-- 
js
suse labs