Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp233125imm;
        Tue, 28 Aug 2018 21:36:07 -0700 (PDT)
X-Google-Smtp-Source: ANB0VdYa3KTzIDpR5xwAxA7PWrTWleig8i8z0qw+h+RZ9U3WY99C7TS6gR7j2QclZp4B3D1XDU60
X-Received: by 2002:a62:c406:: with SMTP id y6-v6mr4265823pff.161.1535517367165;
        Tue, 28 Aug 2018 21:36:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1535517367; cv=none;
        d=google.com; s=arc-20160816;
        b=iuralzXL1cXkgOVNajrygCO+WNzu+QE3llsADsOaXfc42LOJe3ZComqV5YeR99FTCM
         48NH2RDQPN6NaSqq2HX8SczfKPxzEmeeuK5LqrAfOApzZDlSRR6MpeejJIGFqChJE/My
         xIR4XSx4zq+l226Q3Svq1MtzNPoKkaAOSp5IQtR3SGUW4E2xyzZgCQE3kMCwe7TiqgaA
         iV1RrGG+8VMCBfkEbut4iYjaRS3NdSlzepDL4oky88rxqwfqoJv+GoEhvNaeHvKou5LV
         jB5tBXMSqY6lF2I8JjGIi/j+Tr4PMwyhO3SLs1rexqTCrMQS4ZMILGHAua9rDXc+sGQ7
         YIfw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature:arc-authentication-results;
        bh=A4cOhlwhuZetS+UJ9f3q5pGs5rbdKzbTZbLy6N4f7s4=;
        b=Ee/n1LIPRayLTI3aG+pH9J/NdZMxJqzSkDujLGG378hoh99a8dOnfq/YxdniHIzNT7
         2Np0IPabdeXfMOjRZaTw1R4Ggo/WQUq/7mRtvUBIZ6LBr82RaUDlu90y33TzPjXMxt8Q
         GafkZbjhjiKRWoA2sjxHVdVK1Ml1AU+nvuZUkHTgA9MQnzxZWH7m+gFEulsSKgZFVtps
         pJq89WnbjMC8CCAgkoSD+kcPl9V4/mW9mWs3e847v8VcNKjqErkLSCC1aFhjrd4SlceG
         BA2crZA5q5sUcYZBusB26d2jq++CpCvpYE9H9a1+KgO1jFmu0dkUfFAiF614+sThZWvS
         Vu1w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=M5895AXK;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f2-v6si3017454pgg.552.2018.08.28.21.35.49;
        Tue, 28 Aug 2018 21:36:07 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=M5895AXK;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727224AbeH2I3e (ORCPT <rfc822;xqjcool@gmail.com> + 99 others);
        Wed, 29 Aug 2018 04:29:34 -0400
Received: from mail-pf1-f194.google.com ([209.85.210.194]:39570 "EHLO
        mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726857AbeH2I3e (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 29 Aug 2018 04:29:34 -0400
Received: by mail-pf1-f194.google.com with SMTP id j8-v6so1684065pff.6;
        Tue, 28 Aug 2018 21:34:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=A4cOhlwhuZetS+UJ9f3q5pGs5rbdKzbTZbLy6N4f7s4=;
        b=M5895AXKYSGkBxSt0w7/RduSUYY0GBRoX6xJoZFznICW+ojVihpBx1+Vz4x4I5V2JR
         GBCzIrRxHn9u9CY/HEygMuBLcWblZZNrPlYVze6ZaaUzbNMisbTcaQDPhcReYEYyGoNZ
         APVVAJcTfYDkOxlUw5g7PvUcnIIX0lmhClF89mTr9UbQXUhwWy1cldYSna1bg0Sx8lXj
         zH6nhRtovm49n5Q6Iux4PuDvLPrG5jC2OyHwyxfIS2rUy/yCefnwghVbyq56+WM0N8I5
         BfLsh6TvnrkTSpCK+APnNL2dbctvd1wfJF6tgnYXgKGqfVD2bepiPPcnpVxkjwBFYjp2
         RcCQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=A4cOhlwhuZetS+UJ9f3q5pGs5rbdKzbTZbLy6N4f7s4=;
        b=Isupk+a6VJdflmCMKP8wUSc/1msxM0QT/Eal1pn9HMwmr/aDRhTdaCLpWEG3SXEiNb
         +Ofvj+559IjXhPNywgNgGwHSW92aXMpnyop3odNUYpaaz+4T5YMxifvv3f6xBzwiu2GS
         SQUdIOl8p8LW7nOUmDDa4akxomUoPIEcH60VDckHpXsad8G4Lpjw92elD3jX4MfLXKY9
         ve57ldsx4TAE+bA/KItrr+IoJiyv7cmQfpOn5Rki0XBI6AV3wizsMeCA3xWTp4zpNIDV
         4TE7rmrT5PCvlXozbKtAtaXh1UlSnPARuZZ/rNDfTaGwuzxvYwt3rr4mpE4crnd1rdf5
         PIyg==
X-Gm-Message-State: APzg51C2dgVEqoGB5JbuZo50tc0Ci2F63BQXe4erAnPET6CIYqGGtJY8
        T04rsB8MRV2ozue5bIDunjk=
X-Received: by 2002:a63:d345:: with SMTP id u5-v6mr2680673pgi.330.1535517275905;
        Tue, 28 Aug 2018 21:34:35 -0700 (PDT)
Received: from localhost ([175.223.20.38])
        by smtp.gmail.com with ESMTPSA id d19-v6sm4616051pfe.42.2018.08.28.21.34.33
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Tue, 28 Aug 2018 21:34:34 -0700 (PDT)
Date:   Wed, 29 Aug 2018 13:34:30 +0900
From:   Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
To:     Dmitry Safonov <dima@arista.com>
Cc:     linux-kernel@vger.kernel.org,
        Dmitry Safonov <0x7f454c46@gmail.com>,
        Daniel Axtens <dja@axtens.net>,
        Dmitry Vyukov <dvyukov@google.com>,
        Michael Neuling <mikey@neuling.org>,
        Mikulas Patocka <mpatocka@redhat.com>,
        Pasi =?iso-8859-1?Q?K=E4rkk=E4inen?= <pasik@iki.fi>,
        Peter Hurley <peter@hurleysoftware.com>,
        Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>,
        Tan Xiaojun <tanxiaojun@huawei.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jiri Slaby <jslaby@suse.com>, stable@vger.kernel.org,
        Benjamin Herrenschmidt <benh@kernel.crashing.org>
Subject: Re: [PATCH 2/4] tty: Hold tty_ldisc_lock() during tty_reopen()
Message-ID: <20180829043430.GB13049@jagdpanzerIV>
References: <20180829022353.23568-1-dima@arista.com>
 <20180829022353.23568-3-dima@arista.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180829022353.23568-3-dima@arista.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

Cc-ing Benjamin on this.

On (08/29/18 03:23), Dmitry Safonov wrote:
> BUG: unable to handle kernel paging request at 0000000000002260
> IP: [..] n_tty_receive_buf_common+0x5f/0x86d
> Workqueue: events_unbound flush_to_ldisc
> Call Trace:
>  [..] n_tty_receive_buf2
>  [..] tty_ldisc_receive_buf
>  [..] flush_to_ldisc
>  [..] process_one_work
>  [..] worker_thread
>  [..] kthread
>  [..] ret_from_fork

Seems that you are not the first one to hit this NULL deref.

> I think, tty_ldisc_reinit() should be called with ldisc_sem hold for
> writing, which will protect any reader against line discipline changes.

Per https://lore.kernel.org/patchwork/patch/777220/

: Note that we noticed one path that called reinit without the ldisc lock
: held for writing, we added that, but it didn't fix the problem.

And I guess that Ben meant the same reinit path which you patched:

> @@ -1267,15 +1267,20 @@ static int tty_reopen(struct tty_struct *tty)
>  	if (test_bit(TTY_EXCLUSIVE, &tty->flags) && !capable(CAP_SYS_ADMIN))
>  		return -EBUSY;
>  
> -	tty->count++;
> +	retval = tty_ldisc_lock(tty, 5 * HZ);
> +	if (retval)
> +		return retval;
>  
> +	tty->count++;
>  	if (tty->ldisc)
> -		return 0;
> +		goto out_unlock;
>  
>  	retval = tty_ldisc_reinit(tty, tty->termios.c_line);
>  	if (retval)
>  		tty->count--;
>  
> +out_unlock:
> +	tty_ldisc_unlock(tty);
>  	return retval;
>  }

	-ss