Subject: Re: [PATCH 2/4] tty: Hold tty_ldisc_lock() during tty_reopen()
From: Tetsuo Handa
To: Jiri Slaby, Dmitry Safonov, linux-kernel@vger.kernel.org
Cc: Dmitry Safonov <0x7f454c46@gmail.com>, Daniel Axtens, Dmitry Vyukov, Michael Neuling, Mikulas Patocka, Pasi Kärkkäinen, Peter Hurley, Sergey Senozhatsky, Tan Xiaojun, Greg Kroah-Hartman, stable@vger.kernel.org
Date: Fri, 31 Aug 2018 20:17:45 +0900
Message-ID: <19bf55bc-eca4-672f-8ce7-b72329207074@i-love.sakura.ne.jp>
In-Reply-To: <5b5fa362-f5cf-53ab-044b-0577856b872d@suse.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2018/08/31 15:51, Jiri Slaby wrote:
> On 08/29/2018, 05:19 PM, Tetsuo Handa wrote:
>> On 2018/08/29 11:23, Dmitry Safonov wrote:
>>> tty_ldisc_reinit() doesn't race with neither tty_ldisc_hangup()
>>> nor set_ldisc() nor tty_ldisc_release() as they use tty lock.
>>> But it races with anyone who expects line discipline to be the same
>>> after holding read semaphore in tty_ldisc_ref().
>>>
>>> We've seen the following crash on v4.9.108 stable:
>>>
>>> BUG: unable to handle kernel paging request at 0000000000002260
>>> IP: [..] n_tty_receive_buf_common+0x5f/0x86d
>>> Workqueue: events_unbound flush_to_ldisc
>>> Call Trace:
>>>  [..] n_tty_receive_buf2
>>>  [..] tty_ldisc_receive_buf
>>>  [..] flush_to_ldisc
>>>  [..] process_one_work
>>>  [..] worker_thread
>>>  [..] kthread
>>>  [..] ret_from_fork
>>>
>>> I think, tty_ldisc_reinit() should be called with ldisc_sem held for
>>> writing, which will protect any reader against line discipline changes.
>>>
>>> Note: I failed to reproduce the described crash, so obviously can't
>>> guarantee that this is the place where line discipline was switched.
>>
>> This will be same with a report at
>> https://syzkaller.appspot.com/bug?id=f08670354701fa64cc0dd3c0128a491bdb16adcc .
>>
>> syzbot is now testing a patch from Jiri Slaby.
>
> Yes, my patch passed, so could you add:
> Reported-by: syzbot+3aa9784721dfb90e984d@syzkaller.appspotmail.com
>
> (not adding tested-by as this particular patch was not tested, but
> should work the same way.)
>
> thanks,
>

Tested with all 4 patches applied using syzbot-provided reproducer and my
simplified reproducer. No crashes and no lockdep warnings. Also, noisy
messages like

  pts pts4033: tty_release: tty->count(10529) != (#fd's(7) + #kopen's(0))

are gone. Very nice. Thank you.