From: Mark Rutland <mark.rutland@arm.com>
To: Dmitry Safonov <dima@arista.com>
Cc: linux-kernel@vger.kernel.org,
	"Dmitry Safonov" <0x7f454c46@gmail.com>,
	"Daniel Axtens" <dja@axtens.net>,
	"Dmitry Vyukov" <dvyukov@google.com>,
	"Michael Neuling" <mikey@neuling.org>,
	"Mikulas Patocka" <mpatocka@redhat.com>,
	"Nathan March" <nathan@gt.net>, "Pasi Kärkkäinen" <pasik@iki.fi>,
	"Peter Hurley" <peter@hurleysoftware.com>,
	"Rong, Chen" <rong.a.chen@intel.com>,
	"Sergey Senozhatsky" <sergey.senozhatsky.work@gmail.com>,
	"Tan Xiaojun" <tanxiaojun@huawei.com>,
	"Tetsuo Handa" <penguin-kernel@I-love.SAKURA.ne.jp>,
	stable@vger.kernel.org,
	"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	"Jiri Slaby" <jslaby@suse.com>, "Jiri Slaby" <jslaby@suse.cz>,
	"Peter Zijlstra" <peterz@infradead.org>,
	"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
	syzbot+3aa9784721dfb90e984d@syzkaller.appspotmail.com
Subject: Re: [PATCHv3 0/6] tty: Hold write ldisc sem in tty_reopen()
Date: Tue, 11 Sep 2018 13:16:02 +0100
Message-ID: <20180911121602.bskg32oqkluhwdbg@lakrids.cambridge.arm.com>
In-Reply-To: <20180911014821.26286-1-dima@arista.com>

On Tue, Sep 11, 2018 at 02:48:15AM +0100, Dmitry Safonov wrote:
> Hi all,

Hi,

> Three fixes that are worth having in @stable, as we've hit them on v4.9
> stable.
> 
> And for linux-next - adding lockdep asserts for line discipline changing
> code, verifying that write ldisc sem will be held forthwith.
> 
> The last patch is optional and probably, timeout can be dropped for
> read_lock(). I'll do it if everyone agrees.
> 
> Rong Chen, could you kindly re-run this version to see if the lockup
> from v1 still happens? I wasn't able to reproduce it.

These patches seem to fix issues I've been seeing on arm64 for a while
but hadn't managed to track down.

For patches 1, 3, and 5, feel free to add:

Tested-by: Mark Rutland <mark.rutland@arm.com>

On vanilla v4.19-rc2, the below reproducer would fire in seconds,
whereas with those patches applied, I have not seen issues after tens of
minutes of testing.

Thanks,
Mark.

Syzkaller hit 'KASAN: user-memory-access Write in n_tty_set_termios' bug.

IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
ipV6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
==================================================================
BUG: KASAN: user-memory-access in memset include/linux/string.h:330 [inline]
BUG: KASAN: user-memory-access in bitmap_zero include/linux/bitmap.h:216 [inline]
BUG: KASAN: user-memory-access in n_tty_set_termios+0xe4/0xd08 drivers/tty/n_tty.c:1784
Write of size 512 at addr 0000000000001060 by task syz-executor0/3007

CPU: 1 PID: 3007 Comm: syz-executor0 Not tainted 4.19.0-rc2-dirty #4
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x0/0x340 arch/arm64/include/asm/ptrace.h:270
 show_stack+0x20/0x30 arch/arm64/kernel/traps.c:152
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xec/0x150 lib/dump_stack.c:113
 kasan_report_error mm/kasan/report.c:352 [inline]
 kasan_report+0x228/0x360 mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:253 [inline]
 check_memory_region+0x114/0x1c8 mm/kasan/kasan.c:267
 memset+0x2c/0x50 mm/kasan/kasan.c:285
 memset include/linux/string.h:330 [inline]
 bitmap_zero include/linux/bitmap.h:216 [inline]
 n_tty_set_termios+0xe4/0xd08 drivers/tty/n_tty.c:1784
 tty_set_termios+0x538/0x760 drivers/tty/tty_ioctl.c:341
 set_termios+0x348/0x968 drivers/tty/tty_ioctl.c:414
 tty_mode_ioctl+0x8f0/0xc60 drivers/tty/tty_ioctl.c:779
 n_tty_ioctl_helper+0x6c/0x390 drivers/tty/tty_ioctl.c:940
 n_tty_ioctl+0x6c/0x490 drivers/tty/n_tty.c:2450
 tty_ioctl+0x610/0x19a8 drivers/tty/tty_io.c:2655
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0x1bc/0x1618 fs/ioctl.c:685
 ksys_ioctl+0xbc/0x108 fs/ioctl.c:702
 __do_sys_ioctl fs/ioctl.c:709 [inline]
 __se_sys_ioctl fs/ioctl.c:707 [inline]
 __arm64_sys_ioctl+0x6c/0xa0 fs/ioctl.c:707
 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]
 el0_svc_common+0x150/0x288 arch/arm64/kernel/syscall.c:84
 el0_svc_handler+0x54/0xf0 arch/arm64/kernel/syscall.c:130
 el0_svc+0x8/0xc arch/arm64/kernel/entry.S:917
==================================================================


Syzkaller reproducer:
# {Threaded:true Collide:true Repeat:true RepeatTimes:0 Procs:1 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true EnableCgroups:true EnableNetdev:true ResetNet:true HandleSegv:true Repro:false Trace:false}
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0)
ioctl$TIOCGPTPEER(r0, 0x40045431, 0x6e0000)
r1 = syz_open_pts(r0, 0x0)
ioctl$TCXONC(r1, 0x5437, 0x0)
ioctl$TIOCGSOFTCAR(r0, 0x5419, &(0x7f00000000c0))
r2 = semget(0x0, 0x1, 0x1a)
semctl$IPC_INFO(r2, 0x0, 0x3, &(0x7f0000000100)=""/166)
syz_open_pts(r0, 0x2)
ioctl$TCSETAW(r0, 0x5407, &(0x7f0000000080))
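The KASAN report above is the kind of output a fuzzing or CI pipeline has to triage automatically. The following is an added example (not code from the original message, the kernel or syzkaller) that parses the report header lines quoted above, pulls out the bug kind, the faulting access and the first non-inlined frame, and applies a labelled heuristic: a `user-memory-access` at a tiny address such as `0x1060` is almost always a NULL pointer plus a struct field offset, which is what the `tty_reopen()` race in this series produces.

```python
import re

# Constructed sample: the header lines of the KASAN report quoted in the
# message above (the call trace is omitted; the parser only needs these).
SAMPLE_REPORT = """\
BUG: KASAN: user-memory-access in memset include/linux/string.h:330 [inline]
BUG: KASAN: user-memory-access in bitmap_zero include/linux/bitmap.h:216 [inline]
BUG: KASAN: user-memory-access in n_tty_set_termios+0xe4/0xd08 drivers/tty/n_tty.c:1784
Write of size 512 at addr 0000000000001060 by task syz-executor0/3007
"""

# "BUG: KASAN: <kind> in <func>[+off/len] <file:line> [inline]"
BUG_RE = re.compile(
    r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r" (?P<loc>\S+:\d+)(?P<inline> \[inline\])?$")
# "<Read|Write> of size <n> at addr <hex> by task <comm>/<pid>"
ACCESS_RE = re.compile(
    r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
    r" by task (?P<task>\S+)/(?P<pid>\d+)$")


def parse_kasan_report(text):
    """Extract the bug kind, the faulting access and the first non-inlined
    frame (the function that really owns the code) from a KASAN report."""
    report = {"kind": None, "frames": [], "culprit": None}
    for line in text.splitlines():
        m = BUG_RE.match(line)
        if m:
            report["kind"] = m.group("kind")
            inline = m.group("inline") is not None
            report["frames"].append((m.group("func"), m.group("loc"), inline))
            if not inline and report["culprit"] is None:
                report["culprit"] = (m.group("func"), m.group("loc"))
            continue
        m = ACCESS_RE.match(line)
        if m:
            report.update(op=m.group("op"), size=int(m.group("size")),
                          addr=int(m.group("addr"), 16),
                          task=m.group("task"), pid=int(m.group("pid")))
    return report


def classify(report, small_ptr_limit=0x10000):
    """Heuristic (an assumption of this example, not a KASAN rule): a
    user-memory-access below small_ptr_limit is treated as a NULL pointer
    plus a field offset, as with addr 0x1060 in the report above."""
    if report["kind"] == "user-memory-access" and report.get("addr", 0) < small_ptr_limit:
        return "null-pointer-offset"
    return report["kind"] or "unknown"
```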