Re: [PATCH] tty: n_tty: order lockless input availability checks

[Cen Zhang]

Dear Greg KH

Thanks for taking a look.

> Cool, where are those reports?

Sorry, I should have been clearer.

These are local data-race reports from my pty/tty fuzzing run.
They were produced on v6.17-rc5:

  76eeb9b8de98 ("Linux 6.17-rc5")

The stack line numbers below are from that tested tree.  I also checked
current v7.0.3, and the same relevant plain lockless accesses are still
present there, although some surrounding line numbers have moved.

Report 1:

  ============ DATARACE ============

  Function: chars_in_buffer drivers/tty/n_tty.c:216 [inline]
  Function: n_tty_check_unthrottle+0x25c/0xbd0 drivers/tty/n_tty.c:275
  Function: tty_io_nonblock include/linux/tty.h:323 [inline]
  Function: n_tty_wait_for_input drivers/tty/n_tty.c:2163 [inline]
  Function: n_tty_read+0xed5/0x41f0 drivers/tty/n_tty.c:2264
  Function: tty_read+0x532/0xf50 drivers/tty/tty_io.c:904
  Function: new_sync_read fs/read_write.c:489 [inline]
  Function: vfs_read+0x5fe/0xb70 fs/read_write.c:572
  Function: ksys_read+0xf7/0x1e0 fs/read_write.c:712

  ============OTHER_INFO============

  Function: n_tty_receive_char_canon drivers/tty/n_tty.c:1259 [inline]
  Function: n_tty_receive_char_special drivers/tty/n_tty.c:1372 [inline]
  Function: n_tty_receive_buf_common+0x2cb0/0x3410 drivers/tty/n_tty.c:1588
  Function: n_tty_receive_buf2+0x51/0x80 drivers/tty/n_tty.c:1487
  Function: tty_flip_buffer_commit drivers/tty/tty_buffer.c:515 [inline]
  Function: tty_ldisc_receive_buf+0x1e8/0x450 drivers/tty/tty_buffer.c:532
  Function: paste_selection+0x781/0xcd0

Report 2:

  ============ DATARACE ============

  Function: input_available_p drivers/tty/n_tty.c:1926 [inline]
  Function: n_tty_poll+0x623/0x16b0 drivers/tty/n_tty.c:2452
  Function: tty_poll+0x224/0x4a0 drivers/tty/tty_io.c:2199
  Function: do_select+0xce7/0x13d0 fs/select.c:536
  Function: __do_sys_pselect6+0x1d8/0x240 fs/select.c:793

  ============OTHER_INFO============

  Function: n_tty_set_termios+0x82b/0x37a0 drivers/tty/n_tty.c:1799
  Function: tty_set_termios+0x112d/0x1b80 drivers/tty/tty_ioctl.c:348
  Function: set_termios+0xc1b/0xca0 drivers/tty/tty_ioctl.c:512
  Function: n_tty_ioctl_helper+0xe5/0x8f0 drivers/tty/tty_ioctl.c:982
  Function: n_tty_ioctl+0x253/0x730 drivers/tty/n_tty.c:2509
  Function: tty_ioctl+0x1cfb/0x3070 drivers/tty/tty_io.c:2801

In current v7.0.3, the same relevant source pattern is still present at:

  - chars_in_buffer():
      drivers/tty/n_tty.c:216-218

  - input_available_p():
      drivers/tty/n_tty.c:1912-1915

  - n_tty_set_termios():
      drivers/tty/n_tty.c:1782
      drivers/tty/n_tty.c:1786
      drivers/tty/n_tty.c:1789

Thanks,
Cen