On 2018/08/31 15:51, Jiri Slaby wrote:
> On 08/29/2018, 05:19 PM, Tetsuo Handa wrote:
>> On 2018/08/29 11:23, Dmitry Safonov wrote:
>>> tty_ldisc_reinit() doesn't race with tty_ldisc_hangup(),
>>> set_ldisc() or tty_ldisc_release(), as they use the tty lock.
>>> But it races with anyone who expects the line discipline to be the same
>>> after holding the read semaphore in tty_ldisc_ref().
>>>
>>> We've seen the following crash on v4.9.108 stable:
>>>
>>> BUG: unable to handle kernel paging request at 0000000000002260
>>> IP: [..] n_tty_receive_buf_common+0x5f/0x86d
>>> Workqueue: events_unbound flush_to_ldisc
>>> Call Trace:
>>> [..] n_tty_receive_buf2
>>> [..] tty_ldisc_receive_buf
>>> [..] flush_to_ldisc
>>> [..] process_one_work
>>> [..] worker_thread
>>> [..] kthread
>>> [..] ret_from_fork
>>>
>>> I think tty_ldisc_reinit() should be called with ldisc_sem held for
>>> writing, which will protect any reader against line discipline changes.
>>>
>>> Note: I failed to reproduce the described crash, so obviously I can't
>>> guarantee that this is the place where the line discipline was switched.
>>
>> This will be the same as the report at
>> https://syzkaller.appspot.com/bug?id=f08670354701fa64cc0dd3c0128a491bdb16adcc .
>>
>> syzbot is now testing a patch from Jiri Slaby.
>
> Yes, my patch passed, so could you add:
> Reported-by: syzbot+3aa9784721dfb90e984d@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> (not adding tested-by as this particular patch was not tested, but
> should work the same way.)
>
> thanks,
>

Tested with all 4 patches applied using the syzbot-provided reproducer and my
simplified reproducer. No crashes and no lockdep warnings. Also, noisy messages
like

  pts pts4033: tty_release: tty->count(10529) != (#fd's(7) + #kopen's(0))

are gone. Very nice. Thank you.