Date: Fri, 7 Apr 2017 05:12:05 +0100
From: Al Viro <viro@ZenIV.linux.org.uk>
To: Michael Neuling <mikey@neuling.org>
Cc: greg@kroah.com, johan Hovold <johan@kernel.org>,
        Peter Hurley <peter@hurleysoftware.com>,
        Alexander Popov <alex.popov@linux.com>, Rob Herring <robh@kernel.org>,
        Mikulas Patocka <mpatocka@redhat.com>,
        Dmitry Vyukov <dvyukov@google.com>, benh <benh@kernel.crashing.org>,
        LKML <linux-kernel@vger.kernel.org>, Wang YanQing <udknight@gmail.com>,
        Jiri Slaby <jslaby@suse.com>
Subject: Re: [PATCH] tty: Fix crash with flush_to_ldisc()
Message-ID: <20170407041205.GY29622@ZenIV.linux.org.uk>
References: <20170407035053.3068-1-mikey@neuling.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20170407035053.3068-1-mikey@neuling.org>
User-Agent: Mutt/1.7.1 (2016-10-04)
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1031
Lines: 26

On Fri, Apr 07, 2017 at 01:50:53PM +1000, Michael Neuling wrote:

> diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
> index bdf0e6e899..a2a9832a42 100644
> --- a/drivers/tty/n_tty.c
> +++ b/drivers/tty/n_tty.c
> @@ -1668,11 +1668,17 @@ static int
>  n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
>  			 char *fp, int count, int flow)
>  {
> -	struct n_tty_data *ldata = tty->disc_data;
> +	struct n_tty_data *ldata;
>  	int room, n, rcvd = 0, overflow;
>  
>  	down_read(&tty->termios_rwsem);
>  
> +	ldata = tty->disc_data;
> +	if (!ldata) {
> +		up_read(&tty->termios_rwsem);

I very much doubt that it's correct.  It shouldn't have been called after
the n_tty_close(); apparently it has been.  ->termios_rwsem won't serialize
against it, and something apparently has gone wrong with the exclusion there.
At the very least I would like to see what's to prevent n_tty_close() from
overlapping the exection of this function - if *that* is what broke, your
patch will only paper over the problem.