From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
To: Samo Pogacnik <samo_pogacnik@t-2.net>
Cc: Petr Mladek <pmladek@suse.com>, Jiri Slaby <jirislaby@kernel.org>,
Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
Steven Rostedt <rostedt@goodmis.org>,
John Ogness <john.ogness@linutronix.de>,
linux-kernel@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: How to handle concurrent access to /dev/ttyprintk ?
Date: Mon, 12 Apr 2021 19:39:04 +0900 [thread overview]
Message-ID: <cd213843-45fe-2eac-4943-0906ab8d272b@i-love.sakura.ne.jp> (raw)
In-Reply-To: <051b550c-1cdd-6503-d2b7-0877bf0578fc@i-love.sakura.ne.jp>
What is the intended usage of /dev/ttyprintk ?
It seems that drivers/char/ttyprintk.c was not designed to be opened by
multiple processes. As a result, syzbot can trigger tty_warn() flooding
enough to fire khungtaskd warning due to tty_port_close().
Do we need to allow concurrent access to /dev/ttyprintk ?
If we can't change /dev/ttyprintk exclusively open()able by only
one thread, how to handle concurrent access to /dev/ttyprintk ?
On 2021/04/07 23:24, Tetsuo Handa wrote:
> On 2021/04/07 22:48, Greg Kroah-Hartman wrote:
>>> By the way, as soon as applying this patch, I guess that syzkaller starts
>>> generating hung task reports because /dev/ttyprintk can trivially trigger
>>> flood of
>>>
>>> tty_warn(tty, "%s: tty->count = 1 port count = %d\n", __func__,
>>> port->count);
>>>
>>> message, and adding
>>>
>>> if (strcmp(tty_driver_name(tty), "ttyprintk"))
>>
>> Odd, how can ttyprintk() generate that mess?
>
> So far three tests and results:
>
> https://groups.google.com/g/syzkaller-bugs/c/yRLYijD2tbw/m/WifLgadvAAAJ
> https://groups.google.com/g/syzkaller-bugs/c/yRLYijD2tbw/m/w2_MiMmAAAAJ
> https://groups.google.com/g/syzkaller-bugs/c/yRLYijD2tbw/m/hfsQqSOPAAAJ
>
> Patch https://syzkaller.appspot.com/x/patch.diff?x=145e4c9ad00000 generated
> console output https://syzkaller.appspot.com/x/log.txt?x=162f9fced00000 .
>
> Patch https://syzkaller.appspot.com/x/patch.diff?x=14839931d00000 did not
> flood the console output enough to fire khungtaskd.
>
> Maybe it is because /dev/ttyprintk can be opened/closed by multiple processes
> without serialization?
>
> Running
>
> for i in $(seq 1 100); do sleep 1 > /dev/ttyprintk & done
>
> results in
>
> tty_port_close_start: tty->count = 1 port count = 100
>
> . If tty_port_open() from tpk_open() can do
>
> spin_lock_irq(&port->lock);
> ++port->count;
> spin_unlock_irq(&port->lock);
>
> when tty_port_close_start() from tty_port_close() from tpk_close() is doing
>
> spin_lock_irqsave(&port->lock, flags);
> if (tty->count == 1 && port->count != 1) {
> tty_warn(tty, "%s: tty->count = 1 port count = %d\n", __func__,
> port->count);
> port->count = 1;
> }
> if (--port->count < 0) {
> tty_warn(tty, "%s: bad port count (%d)\n", __func__,
> port->count);
> port->count = 0;
> }
>
> if (port->count) {
> spin_unlock_irqrestore(&port->lock, flags);
> return 0;
> }
> spin_unlock_irqrestore(&port->lock, flags);
>
> , what prevents port->count from getting larger than 1 ?
>
next prev parent reply other threads:[~2021-04-12 10:39 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-03 4:14 [PATCH] tty: use printk_safe context at tty_msg() Tetsuo Handa
2021-04-03 6:52 ` kernel test robot
2021-04-03 10:11 ` [PATCH] printk: Make multiple inclusion of kernel/printk/internal.h safe Tetsuo Handa
2021-04-06 4:51 ` [PATCH] tty: use printk_safe context at tty_msg() Jiri Slaby
2021-04-06 5:31 ` Tetsuo Handa
2021-04-06 7:10 ` Greg Kroah-Hartman
2021-04-06 11:16 ` Tetsuo Handa
2021-04-06 13:42 ` Greg Kroah-Hartman
2021-04-06 15:10 ` Petr Mladek
2021-04-06 16:22 ` Tetsuo Handa
2021-04-06 19:10 ` Greg Kroah-Hartman
2021-04-07 9:20 ` Petr Mladek
2021-04-07 13:26 ` [PATCH v2] tty: use printk_deferred() " Tetsuo Handa
2021-04-07 13:48 ` Greg Kroah-Hartman
2021-04-07 14:24 ` Tetsuo Handa
2021-04-12 10:39 ` Tetsuo Handa [this message]
2021-04-12 10:44 ` How to handle concurrent access to /dev/ttyprintk ? Greg Kroah-Hartman
2021-04-12 11:25 ` Tetsuo Handa
2021-04-12 12:04 ` Greg Kroah-Hartman
2021-04-14 0:45 ` Tetsuo Handa
2021-04-14 11:11 ` Tetsuo Handa
2021-04-14 16:15 ` Samo Pogačnik
2021-04-15 0:22 ` [PATCH] ttyprintk: Add TTY hangup callback Tetsuo Handa
2021-04-18 11:16 ` Samo Pogačnik
2021-04-22 10:02 ` Greg Kroah-Hartman
2021-04-23 4:22 ` Jiri Slaby
2021-04-23 9:55 ` Samo Pogačnik
2021-04-23 10:12 ` Tetsuo Handa
2021-04-23 19:47 ` Samo Pogačnik
2021-04-24 1:16 ` Tetsuo Handa
2021-04-24 9:57 ` Samo Pogačnik
2021-04-26 10:00 ` Petr Mladek
2021-04-26 16:42 ` Samo Pogačnik
2021-04-27 10:08 ` Petr Mladek
2021-04-27 11:31 ` Samo Pogačnik
2021-04-23 10:28 ` Jiri Slaby
2021-04-23 12:23 ` [PATCH] ttyprintk: Add TTY port shutdown callback Samo Pogačnik
2021-04-12 12:41 ` How to handle concurrent access to /dev/ttyprintk ? Samo Pogačnik
2021-04-13 9:41 ` Petr Mladek
2021-04-13 11:10 ` Samo Pogačnik
2021-04-13 14:32 ` Petr Mladek
2021-04-13 15:22 ` Samo Pogačnik
2021-04-14 17:36 ` Petr Mladek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cd213843-45fe-2eac-4943-0906ab8d272b@i-love.sakura.ne.jp \
--to=penguin-kernel@i-love.sakura.ne.jp \
--cc=gregkh@linuxfoundation.org \
--cc=jirislaby@kernel.org \
--cc=john.ogness@linutronix.de \
--cc=linux-kernel@vger.kernel.org \
--cc=pmladek@suse.com \
--cc=rostedt@goodmis.org \
--cc=samo_pogacnik@t-2.net \
--cc=sergey.senozhatsky@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).