From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751986AbbIQK6q (ORCPT ); Thu, 17 Sep 2015 06:58:46 -0400 Received: from mail-wi0-f172.google.com ([209.85.212.172]:36165 "EHLO mail-wi0-f172.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751908AbbIQK6o (ORCPT ); Thu, 17 Sep 2015 06:58:44 -0400 From: Dmitry Vyukov To: gregkh@linuxfoundation.org, peter@hurleysoftware.com, jslaby@suse.com, linux-kernel@vger.kernel.org Cc: jslaby@suse.cz, andreyknvl@google.com, kcc@google.com, glider@google.com, paulmck@linux.vnet.ibm.com, hboehm@google.com, Dmitry Vyukov Subject: [PATCH v3] tty: fix data race on tty_buffer.commit Date: Thu, 17 Sep 2015 12:58:41 +0200 Message-Id: <1442487521-144932-1-git-send-email-dvyukov@google.com> X-Mailer: git-send-email 2.6.0.rc0.131.gf624c3d Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Race on buffer data happens when newly committed data is picked up by an old flush work in the following scenario: __tty_buffer_request_room does a plain write of tail->commit, no barriers were executed before that. At this point flush_to_ldisc reads this new value of commit, and reads buffer data, no barriers in between. The committed buffer data is not necessary visible to flush_to_ldisc. Similar bug happens when tty_schedule_flip commits data. Update commit with smp_store_release and read commit with smp_load_acquire, as it is commit that signals data readiness. This is orthogonal to the existing synchronization on tty_buffer.next, which is required to not dismiss a buffer with unconsumed data. The data race was found with KernelThreadSanitizer (KTSAN). Signed-off-by: Dmitry Vyukov --- v3: Added patch revision notes v2: Removed unrelated changed --- drivers/tty/tty_buffer.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c index 5a3fa89..7ed2006 100644 --- a/drivers/tty/tty_buffer.c +++ b/drivers/tty/tty_buffer.c @@ -290,7 +290,10 @@ static int __tty_buffer_request_room(struct tty_port *port, size_t size, if (n != NULL) { n->flags = flags; buf->tail = n; - b->commit = b->used; + /* paired w/ acquire in flush_to_ldisc(); ensures + * flush_to_ldisc() sees buffer data. + */ + smp_store_release(&b->commit, b->used); /* paired w/ acquire in flush_to_ldisc(); ensures the * latest commit value can be read before the head is * advanced to the next buffer @@ -393,7 +396,10 @@ void tty_schedule_flip(struct tty_port *port) { struct tty_bufhead *buf = &port->buf; - buf->tail->commit = buf->tail->used; + /* paired w/ acquire in flush_to_ldisc(); ensures + * flush_to_ldisc() sees buffer data. + */ + smp_store_release(&buf->tail->commit, buf->tail->used); schedule_work(&buf->work); } EXPORT_SYMBOL(tty_schedule_flip); @@ -491,7 +497,10 @@ static void flush_to_ldisc(struct work_struct *work) * is advancing to the next buffer */ next = smp_load_acquire(&head->next); - count = head->commit - head->read; + /* paired w/ release in __tty_buffer_request_room() or in + * tty_buffer_flush(); ensures we see the committed buffer data + */ + count = smp_load_acquire(&head->commit) - head->read; if (!count) { if (next == NULL) { check_other_closed(tty); -- 2.6.0.rc0.131.gf624c3d