On Tue, Sep 18, 2018 at 12:52:54AM +0100, Dmitry Safonov wrote: > tty_ldisc_reinit() doesn't race with neither tty_ldisc_hangup() > nor set_ldisc() nor tty_ldisc_release() as they use tty lock. > But it races with anyone who expects line discipline to be the same > after hoding read semaphore in tty_ldisc_ref(). > > We've seen the following crash on v4.9.108 stable: > > BUG: unable to handle kernel paging request at 0000000000002260 > IP: [..] n_tty_receive_buf_common+0x5f/0x86d > Workqueue: events_unbound flush_to_ldisc > Call Trace: > [..] n_tty_receive_buf2 > [..] tty_ldisc_receive_buf > [..] flush_to_ldisc > [..] process_one_work > [..] worker_thread > [..] kthread > [..] ret_from_fork > > tty_ldisc_reinit() should be called with ldisc_sem hold for writing, > which will protect any reader against line discipline changes. > > Backport-first: b027e2298bd5 ("tty: fix data race between tty_init_dev > and flush of buf") What does this mean? Does this require that patch for a stable patch? If so, just do: Cc: stable@xxxxxxxxxxxxxxx # b027e2298bd5 ("tty: fix data race between tty_init_dev and flush of buf") in the signed-off-by area. The stable documentation should describe this pretty well. If not, we can modify it to make it more obvious. can you fix this up for the next resend of this series? thanks, greg k-h