DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org 900C360B1E
Subject: Re: [PATCH] tty: fix data race in n_tty_receive_buf_common
From: "Kohli, Gaurav" <gkohli@codeaurora.org>
To: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
Cc: jslaby@suse.com, gregkh@linuxfoundation.org, mikey@neuling.org,
        linux-kernel@vger.kernel.org, linux-arm-msm@vger.kernel.org
References: <1514987332-14122-1-git-send-email-gkohli@codeaurora.org>
 <20180103193807.465e054e@alans-desktop>
 <0a456419-c836-08cf-070b-a254fb702b75@codeaurora.org>
 <20180104110920.169a1fe5@alans-desktop>
 <0dbd1f05-4c94-d1cc-3858-7bd4d38b9212@codeaurora.org>
 <20180104143716.5b09b1c7@alans-desktop>
 <93a7bd73-1123-90a7-b22d-02964ba29fb0@codeaurora.org>
 <999c5499-05c7-4702-77a7-dfb56ba577d2@codeaurora.org>
 <20180105133609.636b2d1f@alans-desktop>
 <a502434e-b534-0e59-fa31-7644a23152eb@codeaurora.org>
 <20180105141504.0e399394@alans-desktop>
 <1097619b-9e03-cba8-e40e-b0c00a53b84c@codeaurora.org>
Message-ID: <46645a5b-b0d4-35b7-95ac-3606ab9c69d2@codeaurora.org>
Date: Sat, 6 Jan 2018 01:54:36 +0530
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101
 Thunderbird/52.5.2
MIME-Version: 1.0
In-Reply-To: <1097619b-9e03-cba8-e40e-b0c00a53b84c@codeaurora.org>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Sender: linux-kernel-owner@vger.kernel.org

Hi Alan,

Sorry correcting the typo here:
+retval =  tty_ldisc_lock(tty, 5 * HZ);
+if (retval)
+         goto err_release_lock;
tty->port->itty = tty;
/*
* Structures all installed ... call the ldisc open routines.
* If we fail here just call release_tty to clean up.  No need
* to decrement the use counts, as release_tty doesn't care.
*/
retval = tty_ldisc_setup(tty, tty->link);
         if (retval)
             goto err_release_tty;
tty_ldisc_unlock(tty);
err_release_tty:
tty_info_ratelimited(tty, "ldisc open failed (%d), clearing slot %d\n",
     retval, idx);
+err_release_lock;
+tty_unlock(tty);
+release_tty(tty, idx);
+tty_ldisc_unlock(tty);
+return ERR_PTR(retval);

On 1/6/2018 1:44 AM, Kohli, Gaurav wrote:
> Hi Alan,
>
>
> On 1/5/2018 7:45 PM, Alan Cox wrote:
>>> But in above case , there we can hit another race, if we have a 
>>> sequence
>>> like this
>>> tty_init_dev->alloc_tty_struct -> tty_ldisc_init -> this will 
>>> initialize
>>> ldisc ,
>>> but at this moment disc_data is still NULL
>>>
>>> And if flush_to_ldisc comes in between, it will take ldisc reference 
>>> and
>>> proceeds receive buffer.
>> So you need to move the lock up one line to protect the assignment to
>> tty->port->itty. We can do that.
>>
>> At that point your flush_to_ldisc should see either port->itty = NULL 
>> or a
>> valid initialized ldisc.
>>
>>
>
> Yes , with little modification this should work.
>
> +retval =  tty_ldisc_lock(tty, 5 * HZ);
> +if (retval)
> +         goto err_release_lock;
> tty->port->itty = tty;
> /*
> * Structures all installed ... call the ldisc open routines.
> * If we fail here just call release_tty to clean up.  No need
> * to decrement the use counts, as release_tty doesn't care.
> */
> retval = tty_ldisc_setup(tty, tty->link);
>         if (retval)
>             goto err_release_tty;
> tty_ldisc_unlock(tty);
> err_release_tty:
> tty_unlock(tty);
> tty_info_ratelimited(tty, "ldisc open failed (%d), clearing slot %d\n",
>     retval, idx);
>     release_tty(tty, idx);
>     return ERR_PTR(retval);
>
> +err_release_lock;
> +tty_ldisc_unlock(tty);
> +return ERR_PTR(retval);
>
> Please let me know if above modification seems fine , then we can 
> upload this and try reproduction of Bug.
>
> Regards
> Gaurav
>

-- 
Qualcomm India Private Limited, on behalf of Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project.