Date: Wed, 29 Aug 2018 13:34:30 +0900
From: Sergey Senozhatsky
To: Dmitry Safonov
Cc: linux-kernel@vger.kernel.org, Dmitry Safonov <0x7f454c46@gmail.com>, Daniel Axtens, Dmitry Vyukov, Michael Neuling, Mikulas Patocka, Pasi Kärkkäinen, Peter Hurley, Sergey Senozhatsky, Tan Xiaojun, Greg Kroah-Hartman, Jiri Slaby, stable@vger.kernel.org, Benjamin Herrenschmidt
Subject: Re: [PATCH 2/4] tty: Hold tty_ldisc_lock() during tty_reopen()
Message-ID: <20180829043430.GB13049@jagdpanzerIV>
References: <20180829022353.23568-1-dima@arista.com> <20180829022353.23568-3-dima@arista.com>
In-Reply-To: <20180829022353.23568-3-dima@arista.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

Cc-ing Benjamin on this.

On (08/29/18 03:23), Dmitry Safonov wrote:
> BUG: unable to handle kernel paging request at 0000000000002260
> IP: [..] n_tty_receive_buf_common+0x5f/0x86d
> Workqueue: events_unbound flush_to_ldisc
> Call Trace:
> [..] n_tty_receive_buf2
> [..] tty_ldisc_receive_buf
> [..] flush_to_ldisc
> [..] process_one_work
> [..] worker_thread
> [..] kthread
> [..] ret_from_fork

Seems that you are not the first one to hit this NULL deref.

> I think, tty_ldisc_reinit() should be called with ldisc_sem held for
> writing, which will protect any reader against line discipline changes.

Per https://lore.kernel.org/patchwork/patch/777220/

: Note that we noticed one path that called reinit without the ldisc lock
: held for writing, we added that, but it didn't fix the problem.

And I guess that Ben meant the same reinit path which you patched:
> @@ -1267,15 +1267,20 @@ static int tty_reopen(struct tty_struct *tty) > if (test_bit(TTY_EXCLUSIVE, &tty->flags) && !capable(CAP_SYS_ADMIN)) > return -EBUSY; > > - tty->count++; > + retval = tty_ldisc_lock(tty, 5 * HZ); > + if (retval) > + return retval; > > + tty->count++; > if (tty->ldisc) > - return 0; > + goto out_unlock; > > retval = tty_ldisc_reinit(tty, tty->termios.c_line); > if (retval) > tty->count--; > > +out_unlock: > + tty_ldisc_unlock(tty); > return retval; > } -ss
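Review bot: the new early return after `retval = tty_ldisc_lock(tty, 5 * HZ);` turns tty_reopen() into a function that can now fail on a lock timeout, not only with -EBUSY for an exclusive tty, so the callers of tty_reopen() should be checked to confirm they propagate that error to open() correctly, and the bare `5 * HZ` deserves a named constant or a comment stating why a bounded wait was chosen over an unbounded one. Ordering inside the hunk looks right: the lock is taken before `tty->count++`, the `tty->ldisc` check and tty_ldisc_reinit() both run under it, and the `tty->count--` on reinit failure happens before the unlock. Since the reply notes that an earlier change already added the write lock on a reinit path without curing the crash, the commit message should spell out why holding the lock across the whole reopen (count increment plus ldisc check) closes the race the previous fix missed.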