From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754706AbcEPUM5 (ORCPT <rfc822;w@1wt.eu>);
	Mon, 16 May 2016 16:12:57 -0400
Received: from mx1.redhat.com ([209.132.183.28]:39678 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1753954AbcEPUM4 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Mon, 16 May 2016 16:12:56 -0400
Date: Mon, 16 May 2016 16:12:53 -0400 (EDT)
From: Mikulas Patocka <mpatocka@redhat.com>
X-X-Sender: mpatocka@file01.intranet.prod.int.rdu2.redhat.com
To: Peter Hurley <peter@hurleysoftware.com>
cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jiri Slaby <jslaby@suse.com>, linux-kernel@vger.kernel.org
Subject: tty crash in Linux 4.6
Message-ID: <alpine.LRH.2.02.1605161555430.8188@file01.intranet.prod.int.rdu2.redhat.com>
User-Agent: Alpine 2.02 (LRH 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Mon, 16 May 2016 20:12:55 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi

In the kernel 4.6 I get crashes in the tty layer. I can reproduce the 
crash by logging into the machine with ssh and typing before the prompt 
appears.

The crash is caused by the pointer tty->disc_data being NULL in the 
function n_tty_receive_buf_common. The crash happens on the statement 
smp_load_acquire(&ldata->read_tail).

Bisecting shows that the crashes are caused by the patch 
892d1fa7eaaed9d3c04954cb140c34ebc3393932 ("tty: Destroy ldisc instance on 
hangup").

Kernel Fault: Code=15 regs=000000007d9e0720 (Addr=0000000000002260)
CPU: 0 PID: 3319 Comm: kworker/u8:0 Not tainted 4.6.0 #1
Workqueue: events_unbound flush_to_ldisc
task: 000000007c25ea80 ti: 000000007d9e0000 task.ti: 000000007d9e0000

     YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
PSW: 00001000000001000000000000001111 Not tainted
r00-03  000000000804000f 000000004076cd10 0000000040475fb4 000000007f761800
r04-07  0000000040749510 0000000000000001 000000007f761800 000000007d9e0490
r08-11  000000007e722890 0000000000000000 000000007da4ec00 000000007f763823
r12-15  0000000000000000 000000007fc08ea8 000000007fc08c78 000000004080e080
r16-19  000000007fc08c00 0000000000000001 0000000000000000 0000000000002260
r20-23  000000007f7618b0 000000007c25ea80 0000000000000001 0000000000000001
r24-27  0000000000000000 000000000800000f 000000007f7618ac 0000000040749510
r28-31  0000000000000001 000000007d9e0840 000000007d9e0720 0000000000000001
sr00-03  00000000086c8800 0000000000000000 0000000000000000 00000000086c8800
sr04-07  0000000000000000 0000000000000000 0000000000000000 0000000000000000

IASQ: 0000000000000000 0000000000000000 IAOQ: 0000000040475fd4 0000000040475fd8
 IIR: 0e6c00d5    ISR: 0000000000000000  IOR: 0000000000002260
 CPU:        0   CR30: 000000007d9e0000 CR31: ff87e7ffbc9ffffe
 ORIG_R28: 000000004080a180
 IAOQ[0]: n_tty_receive_buf_common+0xb4/0xbe0
 IAOQ[1]: n_tty_receive_buf_common+0xb8/0xbe0
 RP(r2): n_tty_receive_buf_common+0x94/0xbe0
Backtrace:
 [<0000000040476b14>] n_tty_receive_buf2+0x14/0x20
 [<000000004047a208>] tty_ldisc_receive_buf+0x30/0x90
 [<000000004047a544>] flush_to_ldisc+0x144/0x1c8
 [<00000000402556bc>] process_one_work+0x1b4/0x460
 [<0000000040255bbc>] worker_thread+0x1e4/0x5e0
 [<000000004025d454>] kthread+0x134/0x168

Mikulas