Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S965466AbcDLPXJ (ORCPT <rfc822;w@1wt.eu>);
	Tue, 12 Apr 2016 11:23:09 -0400
Received: from smtp.codeaurora.org ([198.145.29.96]:59082 "EHLO
	smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S965005AbcDLPWq (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 12 Apr 2016 11:22:46 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
Date: Tue, 12 Apr 2016 20:52:41 +0530
From: Sodagudi Prasad <psodagud@codeaurora.org>
To: jslaby@suse.cz, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org,
        linux@arm.linux.org.uk, dvyukov@google.com, peter@hurleysoftware.com
Cc: sboyd@codeaurora.org
Subject: Is there any race between flush_to_ldisc() and release_one_tty()?
Message-ID: <2047e92205c00d5bbc8e6e6ace22ccfa@codeaurora.org>
User-Agent: Roundcube Webmail/1.1.4
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2244
Lines: 66


Hi All,

It looks like there is race between flush_to_ldisc() and 
release_one_tty().

Following crash is observed even after including below change.
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/drivers/tty/tty_buffer.c?id=7098296a362a96051fa120abf48f0095818b99cd
https://lkml.org/lkml/2015/9/1/491


[386532.450351] Unable to handle kernel paging request at virtual 
address 6b6b6b6b6b6b6b93
[386532.465217] pgd = ffffffc05bea5000
[386532.467677] [6b6b6b6b6b6b6b93] *pgd=0000000000000000, 
*pud=0000000000000000
[386532.474715] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[386532.480350] Modules linked in: wlan(O) [last unloaded: wlan]
[386532.486085] CPU: 5 PID: 31970 Comm: kworker/5:1 Tainted: G        W  
O   3.18.24-ga9bbc02-00076-g1434803 #1
[386532.495885] Hardware name: Qualcomm Technologies, Inc. MSM8953 MTP 
(DT)
[386532.502581] Workqueue: events flush_to_ldisc
[386532.506909] task: ffffffc061620000 ti: ffffffc011efc000 task.ti: 
ffffffc011efc000
[386532.514465] PC is at ldsem_down_read_trylock+0x0/0x48
[386532.519583] LR is at tty_ldisc_ref+0x24/0x4c
....
....
....
[386533.028262] Process kworker/5:1 (pid: 31970, stack limit = 
0xffffffc011efc058)
[386533.035553] Call trace:
[386533.038080] [<ffffffc0005092a8>] ldsem_down_read_trylock+0x0/0x48
[386533.044236] [<ffffffc00050817c>] flush_to_ldisc+0x28/0x124
[386533.049794] [<ffffffc0000ba32c>] process_one_work+0x238/0x3f0
[386533.055608] [<ffffffc0000bb160>] worker_thread+0x2f8/0x418
[386533.061163] [<ffffffc0000bf3e0>] kthread+0xec/0xf8

1) It is not clear how READ_ONCE would fix the race between 
flush_to_ldisc() and release_one_tty() discussed in 
https://lkml.org/lkml/2015/9/1/491. could you please provide more 
information?

2) Is there any chance that, other core could free tty memory between 
442 and 445 lines?

434 static void flush_to_ldisc(struct work_struct *work)
435 {
...
...
...
441         tty = READ_ONCE(port->itty);
442         if (tty == NULL)
443                 return;
444
445         disc = tty_ldisc_ref(tty);
446         if (disc == NULL)
447                 return;

-Thanks, Prasad

-- 
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora 
Forum,
Linux Foundation Collaborative Project