Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752752AbeAEUPG (ORCPT + 1 other); Fri, 5 Jan 2018 15:15:06 -0500 Received: from smtp.codeaurora.org ([198.145.29.96]:52122 "EHLO smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752720AbeAEUPF (ORCPT ); Fri, 5 Jan 2018 15:15:05 -0500 DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org AB6CF607F5 Authentication-Results: pdx-caf-mail.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org Authentication-Results: pdx-caf-mail.web.codeaurora.org; spf=none smtp.mailfrom=gkohli@codeaurora.org Subject: Re: [PATCH] tty: fix data race in n_tty_receive_buf_common To: Alan Cox Cc: jslaby@suse.com, gregkh@linuxfoundation.org, mikey@neuling.org, linux-kernel@vger.kernel.org, linux-arm-msm@vger.kernel.org References: <1514987332-14122-1-git-send-email-gkohli@codeaurora.org> <20180103193807.465e054e@alans-desktop> <0a456419-c836-08cf-070b-a254fb702b75@codeaurora.org> <20180104110920.169a1fe5@alans-desktop> <0dbd1f05-4c94-d1cc-3858-7bd4d38b9212@codeaurora.org> <20180104143716.5b09b1c7@alans-desktop> <93a7bd73-1123-90a7-b22d-02964ba29fb0@codeaurora.org> <999c5499-05c7-4702-77a7-dfb56ba577d2@codeaurora.org> <20180105133609.636b2d1f@alans-desktop> <20180105141504.0e399394@alans-desktop> From: "Kohli, Gaurav" Message-ID: <1097619b-9e03-cba8-e40e-b0c00a53b84c@codeaurora.org> Date: Sat, 6 Jan 2018 01:44:58 +0530 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2 MIME-Version: 1.0 In-Reply-To: <20180105141504.0e399394@alans-desktop> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: Hi Alan, On 1/5/2018 7:45 PM, Alan Cox wrote: >> But in above case , there we can hit another race, if we have a sequence >> like this >> tty_init_dev->alloc_tty_struct -> tty_ldisc_init -> this will initialize >> ldisc , >> but at this moment disc_data is still NULL >> >> And if flush_to_ldisc comes in between, it will take ldisc reference and >> proceeds receive buffer. > So you need to move the lock up one line to protect the assignment to > tty->port->itty. We can do that. > > At that point your flush_to_ldisc should see either port->itty = NULL or a > valid initialized ldisc. > > Yes , with little modification this should work. +retval =  tty_ldisc_lock(tty, 5 * HZ); +if (retval) +         goto err_release_lock; tty->port->itty = tty; /* * Structures all installed ... call the ldisc open routines. * If we fail here just call release_tty to clean up.  No need * to decrement the use counts, as release_tty doesn't care. */ retval = tty_ldisc_setup(tty, tty->link);         if (retval)             goto err_release_tty; tty_ldisc_unlock(tty); err_release_tty: tty_unlock(tty); tty_info_ratelimited(tty, "ldisc open failed (%d), clearing slot %d\n",     retval, idx);     release_tty(tty, idx);     return ERR_PTR(retval); +err_release_lock; +tty_ldisc_unlock(tty); +return ERR_PTR(retval); Please let me know if above modification seems fine , then we can upload this and try reproduction of Bug. Regards Gaurav -- Qualcomm India Private Limited, on behalf of Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum, a Linux Foundation Collaborative Project.