Re: tty crash in Linux 4.6

From: Peter Hurley
Date: Tue May 17 2016 - 11:58:10 EST


On 05/16/2016 04:36 PM, Peter Hurley wrote:
> Hi Mikulas,
>
> On 05/16/2016 01:12 PM, Mikulas Patocka wrote:
>> Hi
>>
>> In the kernel 4.6 I get crashes in the tty layer. I can reproduce the
>> crash by logging into the machine with ssh and typing before the prompt
>> appears.
>
> Thanks for the report.
> I tried to reproduce this a number of times on different machines
> with no luck.

I was able to reproduce this crash with a test jig.
The patch below fixed it, but I'm testing a better patch now, which
I'll get to you asap.

Regards,
Peter Hurley


>> The crash is caused by the pointer tty->disc_data being NULL in the
>> function n_tty_receive_buf_common. The crash happens on the statement
>> smp_load_acquire(&ldata->read_tail).
>>
>> Bisecting shows that the crashes are caused by the patch
>> 892d1fa7eaaed9d3c04954cb140c34ebc3393932 ("tty: Destroy ldisc instance on
>> hangup").
>
>
> Can you try the test patch below?
>
> Regards,
> Peter Hurley
>
>
>> Kernel Fault: Code=15 regs=000000007d9e0720 (Addr=0000000000002260)
>> CPU: 0 PID: 3319 Comm: kworker/u8:0 Not tainted 4.6.0 #1
>> Workqueue: events_unbound flush_to_ldisc
>> task: 000000007c25ea80 ti: 000000007d9e0000 task.ti: 000000007d9e0000
>>
>> YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
>> PSW: 00001000000001000000000000001111 Not tainted
>> r00-03 000000000804000f 000000004076cd10 0000000040475fb4 000000007f761800
>> r04-07 0000000040749510 0000000000000001 000000007f761800 000000007d9e0490
>> r08-11 000000007e722890 0000000000000000 000000007da4ec00 000000007f763823
>> r12-15 0000000000000000 000000007fc08ea8 000000007fc08c78 000000004080e080
>> r16-19 000000007fc08c00 0000000000000001 0000000000000000 0000000000002260
>> r20-23 000000007f7618b0 000000007c25ea80 0000000000000001 0000000000000001
>> r24-27 0000000000000000 000000000800000f 000000007f7618ac 0000000040749510
>> r28-31 0000000000000001 000000007d9e0840 000000007d9e0720 0000000000000001
>> sr00-03 00000000086c8800 0000000000000000 0000000000000000 00000000086c8800
>> sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>>
>> IASQ: 0000000000000000 0000000000000000 IAOQ: 0000000040475fd4 0000000040475fd8
>> IIR: 0e6c00d5 ISR: 0000000000000000 IOR: 0000000000002260
>> CPU: 0 CR30: 000000007d9e0000 CR31: ff87e7ffbc9ffffe
>> ORIG_R28: 000000004080a180
>> IAOQ[0]: n_tty_receive_buf_common+0xb4/0xbe0
>> IAOQ[1]: n_tty_receive_buf_common+0xb8/0xbe0
>> RP(r2): n_tty_receive_buf_common+0x94/0xbe0
>> Backtrace:
>> [<0000000040476b14>] n_tty_receive_buf2+0x14/0x20
>> [<000000004047a208>] tty_ldisc_receive_buf+0x30/0x90
>> [<000000004047a544>] flush_to_ldisc+0x144/0x1c8
>> [<00000000402556bc>] process_one_work+0x1b4/0x460
>> [<0000000040255bbc>] worker_thread+0x1e4/0x5e0
>> [<000000004025d454>] kthread+0x134/0x168
>
> --- >% ---
> diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c
> index 68947f6..f271832 100644
> --- a/drivers/tty/tty_ldisc.c
> +++ b/drivers/tty/tty_ldisc.c
> @@ -653,7 +653,7 @@ static void tty_reset_termios(struct tty_struct *tty)
> * Returns 0 if successful, otherwise error code < 0
> */
>
> -int tty_ldisc_reinit(struct tty_struct *tty, int disc)
> +static int __tty_ldisc_reinit(struct tty_struct *tty, int disc)
> {
> struct tty_ldisc *ld;
> int retval;
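Review bot: the kernel-doc block ending in "Returns 0 if successful, otherwise error code < 0" now sits on the static __tty_ldisc_reinit(), and nothing in it states the locking precondition that the double-underscore rename implies. Add a line to that comment saying the caller must hold the ldisc lock (the tty_ldisc_reinit() wrapper added in the next hunk takes it with tty_ldisc_lock()), so that a later caller does not pick the unlocked variant by accident.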
> @@ -682,6 +682,16 @@ int tty_ldisc_reinit(struct tty_struct *tty, int disc)
> return retval;
> }
>
> +int tty_ldisc_reinit(struct tty_struct *tty, int disc)
> +{
> + int retval;
> +
> + tty_ldisc_lock(tty, MAX_SCHEDULE_TIMEOUT);
> + retval = __tty_ldisc_reinit(tty, disc);
> + tty_ldisc_unlock(tty);
> + return retval;
> +}
> +
> /**
> * tty_ldisc_hangup - hangup ldisc reset
> * @tty: tty being hung up
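Review bot: the new tty_ldisc_reinit() takes the ldisc lock itself through "tty_ldisc_lock(tty, MAX_SCHEDULE_TIMEOUT);", so every existing caller other than tty_ldisc_hangup() changes behaviour, and a caller that already holds that lock when it calls in would block against itself. This patch converts only the hangup path to __tty_ldisc_reinit(); the remaining callers need an audit. The wrapper should also get its own short kernel-doc stating that it acquires the ldisc lock and may sleep, since the existing comment block stays with the static helper.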
> @@ -732,8 +742,8 @@ void tty_ldisc_hangup(struct tty_struct *tty, bool reinit)
>
> if (tty->ldisc) {
> if (reinit) {
> - if (tty_ldisc_reinit(tty, tty->termios.c_line) < 0)
> - tty_ldisc_reinit(tty, N_TTY);
> + if (__tty_ldisc_reinit(tty, tty->termios.c_line) < 0)
> + __tty_ldisc_reinit(tty, N_TTY);
> } else
> tty_ldisc_kill(tty);
> }
>
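Review bot: the two call sites under "if (reinit)" now use __tty_ldisc_reinit(), which is only safe if tty_ldisc_hangup() already holds the ldisc lock at this point, and the hunk context does not show where that lock is taken. A short comment here, or a lockdep assertion inside __tty_ldisc_reinit(), would make the requirement checkable rather than implied. Separately, the result of the fallback "__tty_ldisc_reinit(tty, N_TTY);" is still discarded, so a failure of both attempts goes unreported on this path.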