From patchwork Mon Mar 20 13:07:12 2017
X-Patchwork-Submitter: Breno Leitao
X-Patchwork-Id: 741128
From: brenohl@br.ibm.com
To: kernel-team@lists.canonical.com
Subject: [PATCH 1/2] UBUNTU: SAUCE: tty: Fix ldisc crash on reopened tty
Date: Mon, 20 Mar 2017 10:07:12 -0300
Message-Id: <1490015233-4345-1-git-send-email-brenohl@br.ibm.com>

From: Peter Hurley

BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1674325

If the tty has been hungup, the ldisc instance may have been destroyed.
Continued input to the tty will be ignored as long as the ldisc instance
is not visible to the flush_to_ldisc kworker. However, when the tty
is reopened and a new ldisc instance is created, the flush_to_ldisc
kworker can obtain an ldisc reference before the new ldisc is
completely initialized. This will likely crash:

 BUG: unable to handle kernel paging request at 0000000000002260
 IP: [] n_tty_receive_buf_common+0x6d/0xb80
 PGD 2ab581067 PUD 290c11067 PMD 0
 Oops: 0000 [#1] PREEMPT SMP
 Modules linked in: nls_iso8859_1 ip6table_filter [.....]
 CPU: 2 PID: 103 Comm: kworker/u16:1 Not tainted 4.6.0-rc7+wip-xeon+debug #rc7+wip
 Hardware name: Dell Inc. Precision WorkStation T5400 /0RW203, BIOS A11 04/30/2012
 Workqueue: events_unbound flush_to_ldisc
 task: ffff8802ad16d100 ti: ffff8802ad31c000 task.ti: ffff8802ad31c000
 RIP: 0010:[] [] n_tty_receive_buf_common+0x6d/0xb80
 RSP: 0018:ffff8802ad31fc70 EFLAGS: 00010296
 RAX: 0000000000000000 RBX: ffff8802aaddd800 RCX: 0000000000000001
 RDX: 00000000ffffffff RSI: ffffffff810db48f RDI: 0000000000000246
 RBP: ffff8802ad31fd08 R08: 0000000000000000 R09: 0000000000000001
 R10: ffff8802aadddb28 R11: 0000000000000001 R12: ffff8800ba6da808
 R13: ffff8802ad18be80 R14: ffff8800ba6da858 R15: ffff8800ba6da800
 FS: 0000000000000000(0000) GS:ffff8802b0a00000(0000) knlGS:0000000000000000
 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000002260 CR3: 000000028ee5d000 CR4: 00000000000006e0
 Stack:
 ffffffff81531219 ffff8802aadddab8 ffff8802aadddde0 ffff8802aadddd78
 ffffffff00000001 ffff8800ba6da858 ffff8800ba6da860 ffff8802ad31fd30
 ffffffff81885f78 ffffffff81531219 0000000000000000 0000000200000000
 Call Trace:
 [] ? flush_to_ldisc+0x49/0xd0
 [] ? mutex_lock_nested+0x2c8/0x430
 [] ?
flush_to_ldisc+0x49/0xd0 [] n_tty_receive_buf2+0x14/0x20 [] tty_ldisc_receive_buf+0x22/0x50 [] flush_to_ldisc+0xbe/0xd0 [] process_one_work+0x1ed/0x6e0 [] ? process_one_work+0x16f/0x6e0 [] worker_thread+0x4e/0x490 [] ? process_one_work+0x6e0/0x6e0 [] kthread+0xf2/0x110 [] ? preempt_count_sub+0x4c/0x80 [] ret_from_fork+0x22/0x50 [] ? kthread_create_on_node+0x220/0x220 Code: ff ff e8 27 a0 35 00 48 8d 83 78 05 00 00 c7 45 c0 00 00 00 00 48 89 45 80 48 8d 83 e0 05 00 00 48 89 85 78 ff ff ff 48 8b 45 b8 <48> 8b b8 60 22 00 00 48 8b 30 89 f8 8b 8b 88 04 00 00 29 f0 8d RIP [] n_tty_receive_buf_common+0x6d/0xb80 RSP CR2: 0000000000002260 Ensure the kworker cannot obtain the ldisc reference until the new ldisc is completely initialized. Fixes: 892d1fa7eaae ("tty: Destroy ldisc instance on hangup") Reported-by: Mikulas Patocka Signed-off-by: Peter Hurley Signed-off-by: Michael Neuling Signed-off-by: Greg Kroah-Hartman Signed-off-by: Breno Leitao --- drivers/tty/tty_ldisc.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c index 68947f6de5ad..4ee7742dced3 100644 --- a/drivers/tty/tty_ldisc.c +++ b/drivers/tty/tty_ldisc.c @@ -669,16 +669,17 @@ int tty_ldisc_reinit(struct tty_struct *tty, int disc) tty_ldisc_put(tty->ldisc); } - /* switch the line discipline */ - tty->ldisc = ld; tty_set_termios_ldisc(tty, disc); - retval = tty_ldisc_open(tty, tty->ldisc); + retval = tty_ldisc_open(tty, ld); if (retval) { if (!WARN_ON(disc == N_TTY)) { - tty_ldisc_put(tty->ldisc); - tty->ldisc = NULL; + tty_ldisc_put(ld); + ld = NULL; } } + + /* switch the line discipline */ + smp_store_release(&tty->ldisc, ld); return retval; }
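
Review bot: The smp_store_release(&tty->ldisc, ld) added at the end of tty_ldisc_reinit() carries only the old "/* switch the line discipline */" comment, which does not say why a release store is needed or which load on the flush_to_ldisc side it pairs with; please extend the comment to name the reader and state that the store must come after tty_ldisc_open() has finished. A second point in the same hunk: when tty_ldisc_open() fails with disc == N_TTY, the WARN_ON branch skips tty_ldisc_put(ld) and ld = NULL, so the release store still publishes an ldisc whose open returned an error, and the kworker can then take a reference to it. If that case is believed unreachable or harmless, a one-line comment at the WARN_ON saying so would help; otherwise the failure path should avoid publishing ld. The reader side is not visible in this diff, so it is worth confirming that the lockless read of tty->ldisc has the ordering this store assumes.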