From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1756120AbcEQP6F (ORCPT <rfc822;w@1wt.eu>);
	Tue, 17 May 2016 11:58:05 -0400
Received: from mail-pa0-f45.google.com ([209.85.220.45]:36385 "EHLO
	mail-pa0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752304AbcEQP6B (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 17 May 2016 11:58:01 -0400
Subject: Re: tty crash in Linux 4.6
To: Mikulas Patocka <mpatocka@redhat.com>
References: <alpine.LRH.2.02.1605161555430.8188@file01.intranet.prod.int.rdu2.redhat.com>
 <573A5996.3080305@hurleysoftware.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jiri Slaby <jslaby@suse.com>, linux-kernel@vger.kernel.org
From: Peter Hurley <peter@hurleysoftware.com>
Message-ID: <573B3F84.5050201@hurleysoftware.com>
Date: Tue, 17 May 2016 08:57:56 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <573A5996.3080305@hurleysoftware.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 05/16/2016 04:36 PM, Peter Hurley wrote:
> Hi Mikulas,
> 
> On 05/16/2016 01:12 PM, Mikulas Patocka wrote:
>> Hi
>>
>> In the kernel 4.6 I get crashes in the tty layer. I can reproduce the 
>> crash by logging into the machine with ssh and typing before the prompt 
>> appears.
> 
> Thanks for the report.
> I tried to reproduce this a number of times on different machines
> with no luck.

I was able to reproduce this crash with a test jig.
The patch below fixed it, but I'm testing a better patch now, which
I'll get to you asap.

Regards,
Peter Hurley


>> The crash is caused by the pointer tty->disc_data being NULL in the 
>> function n_tty_receive_buf_common. The crash happens on the statement 
>> smp_load_acquire(&ldata->read_tail).
>>
>> Bisecting shows that the crashes are caused by the patch 
>> 892d1fa7eaaed9d3c04954cb140c34ebc3393932 ("tty: Destroy ldisc instance on 
>> hangup").
> 
> 
> Can you try the test patch below?
> 
> Regards,
> Peter Hurley
> 
> 
>> Kernel Fault: Code=15 regs=000000007d9e0720 (Addr=0000000000002260)
>> CPU: 0 PID: 3319 Comm: kworker/u8:0 Not tainted 4.6.0 #1
>> Workqueue: events_unbound flush_to_ldisc
>> task: 000000007c25ea80 ti: 000000007d9e0000 task.ti: 000000007d9e0000
>>
>>      YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
>> PSW: 00001000000001000000000000001111 Not tainted
>> r00-03  000000000804000f 000000004076cd10 0000000040475fb4 000000007f761800
>> r04-07  0000000040749510 0000000000000001 000000007f761800 000000007d9e0490
>> r08-11  000000007e722890 0000000000000000 000000007da4ec00 000000007f763823
>> r12-15  0000000000000000 000000007fc08ea8 000000007fc08c78 000000004080e080
>> r16-19  000000007fc08c00 0000000000000001 0000000000000000 0000000000002260
>> r20-23  000000007f7618b0 000000007c25ea80 0000000000000001 0000000000000001
>> r24-27  0000000000000000 000000000800000f 000000007f7618ac 0000000040749510
>> r28-31  0000000000000001 000000007d9e0840 000000007d9e0720 0000000000000001
>> sr00-03  00000000086c8800 0000000000000000 0000000000000000 00000000086c8800
>> sr04-07  0000000000000000 0000000000000000 0000000000000000 0000000000000000
>>
>> IASQ: 0000000000000000 0000000000000000 IAOQ: 0000000040475fd4 0000000040475fd8
>>  IIR: 0e6c00d5    ISR: 0000000000000000  IOR: 0000000000002260
>>  CPU:        0   CR30: 000000007d9e0000 CR31: ff87e7ffbc9ffffe
>>  ORIG_R28: 000000004080a180
>>  IAOQ[0]: n_tty_receive_buf_common+0xb4/0xbe0
>>  IAOQ[1]: n_tty_receive_buf_common+0xb8/0xbe0
>>  RP(r2): n_tty_receive_buf_common+0x94/0xbe0
>> Backtrace:
>>  [<0000000040476b14>] n_tty_receive_buf2+0x14/0x20
>>  [<000000004047a208>] tty_ldisc_receive_buf+0x30/0x90
>>  [<000000004047a544>] flush_to_ldisc+0x144/0x1c8
>>  [<00000000402556bc>] process_one_work+0x1b4/0x460
>>  [<0000000040255bbc>] worker_thread+0x1e4/0x5e0
>>  [<000000004025d454>] kthread+0x134/0x168
> 
> --- >% ---
> diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c
> index 68947f6..f271832 100644
> --- a/drivers/tty/tty_ldisc.c
> +++ b/drivers/tty/tty_ldisc.c
> @@ -653,7 +653,7 @@ static void tty_reset_termios(struct tty_struct *tty)
>   *	Returns 0 if successful, otherwise error code < 0
>   */
>  
> -int tty_ldisc_reinit(struct tty_struct *tty, int disc)
> +static int __tty_ldisc_reinit(struct tty_struct *tty, int disc)
>  {
>  	struct tty_ldisc *ld;
>  	int retval;
> @@ -682,6 +682,16 @@ int tty_ldisc_reinit(struct tty_struct *tty, int disc)
>  	return retval;
>  }
>  
> +int tty_ldisc_reinit(struct tty_struct *tty, int disc)
> +{
> +	int retval;
> +
> +	tty_ldisc_lock(tty, MAX_SCHEDULE_TIMEOUT);
> +	retval = __tty_ldisc_reinit(tty, disc);
> +	tty_ldisc_unlock(tty);
> +	return retval;
> +}
> +
>  /**
>   *	tty_ldisc_hangup		-	hangup ldisc reset
>   *	@tty: tty being hung up
> @@ -732,8 +742,8 @@ void tty_ldisc_hangup(struct tty_struct *tty, bool reinit)
>  
>  	if (tty->ldisc) {
>  		if (reinit) {
> -			if (tty_ldisc_reinit(tty, tty->termios.c_line) < 0)
> -				tty_ldisc_reinit(tty, N_TTY);
> +			if (__tty_ldisc_reinit(tty, tty->termios.c_line) < 0)
> +				__tty_ldisc_reinit(tty, N_TTY);
>  		} else
>  			tty_ldisc_kill(tty);
>  	}
>