Hi Mikulas,

On 05/16/2016 01:12 PM, Mikulas Patocka wrote:
> Hi
> 
> In the kernel 4.6 I get crashes in the tty layer. I can reproduce the 
> crash by logging into the machine with ssh and typing before the prompt 
> appears.

Thanks for the report.
I tried to reproduce this a number of times on different machines
with no luck.


> The crash is caused by the pointer tty->disc_data being NULL in the 
> function n_tty_receive_buf_common. The crash happens on the statement 
> smp_load_acquire(&ldata->read_tail).
> 
> Bisecting shows that the crashes are caused by the patch 
> 892d1fa7eaaed9d3c04954cb140c34ebc3393932 ("tty: Destroy ldisc instance on 
> hangup").


Can you try the test patch below?

Regards,
Peter Hurley


> Kernel Fault: Code=15 regs=000000007d9e0720 (Addr=0000000000002260)
> CPU: 0 PID: 3319 Comm: kworker/u8:0 Not tainted 4.6.0 #1
> Workqueue: events_unbound flush_to_ldisc
> task: 000000007c25ea80 ti: 000000007d9e0000 task.ti: 000000007d9e0000
> 
>      YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
> PSW: 00001000000001000000000000001111 Not tainted
> r00-03  000000000804000f 000000004076cd10 0000000040475fb4 000000007f761800
> r04-07  0000000040749510 0000000000000001 000000007f761800 000000007d9e0490
> r08-11  000000007e722890 0000000000000000 000000007da4ec00 000000007f763823
> r12-15  0000000000000000 000000007fc08ea8 000000007fc08c78 000000004080e080
> r16-19  000000007fc08c00 0000000000000001 0000000000000000 0000000000002260
> r20-23  000000007f7618b0 000000007c25ea80 0000000000000001 0000000000000001
> r24-27  0000000000000000 000000000800000f 000000007f7618ac 0000000040749510
> r28-31  0000000000000001 000000007d9e0840 000000007d9e0720 0000000000000001
> sr00-03  00000000086c8800 0000000000000000 0000000000000000 00000000086c8800
> sr04-07  0000000000000000 0000000000000000 0000000000000000 0000000000000000
> 
> IASQ: 0000000000000000 0000000000000000 IAOQ: 0000000040475fd4 0000000040475fd8
>  IIR: 0e6c00d5    ISR: 0000000000000000  IOR: 0000000000002260
>  CPU:        0   CR30: 000000007d9e0000 CR31: ff87e7ffbc9ffffe
>  ORIG_R28: 000000004080a180
>  IAOQ[0]: n_tty_receive_buf_common+0xb4/0xbe0
>  IAOQ[1]: n_tty_receive_buf_common+0xb8/0xbe0
>  RP(r2): n_tty_receive_buf_common+0x94/0xbe0
> Backtrace:
>  [<0000000040476b14>] n_tty_receive_buf2+0x14/0x20
>  [<000000004047a208>] tty_ldisc_receive_buf+0x30/0x90
>  [<000000004047a544>] flush_to_ldisc+0x144/0x1c8
>  [<00000000402556bc>] process_one_work+0x1b4/0x460
>  [<0000000040255bbc>] worker_thread+0x1e4/0x5e0
>  [<000000004025d454>] kthread+0x134/0x168

--- >% ---
diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c
index 68947f6..f271832 100644
--- a/drivers/tty/tty_ldisc.c
+++ b/drivers/tty/tty_ldisc.c
@@ -653,7 +653,7 @@ static void tty_reset_termios(struct tty_struct *tty)
  *     Returns 0 if successful, otherwise error code < 0
  */
 
-int tty_ldisc_reinit(struct tty_struct *tty, int disc)
+static int __tty_ldisc_reinit(struct tty_struct *tty, int disc)
 {
        struct tty_ldisc *ld;
        int retval;
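Review bot: The kernel-doc block whose tail is visible at the top of this hunk (" *     Returns 0 if successful, otherwise error code < 0") now sits directly above the renamed static helper __tty_ldisc_reinit rather than above the function it names, tty_ldisc_reinit, which moves further down the file. Either move the comment block to the new wrapper or update it so it documents the helper, and in either case state the precondition that distinguishes the two variants, i.e. that __tty_ldisc_reinit must be entered with the ldisc lock already held by the caller.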
@@ -682,6 +682,16 @@ int tty_ldisc_reinit(struct tty_struct *tty, int disc)
        return retval;
 }
 
+int tty_ldisc_reinit(struct tty_struct *tty, int disc)
+{
+       int retval;
+
+       tty_ldisc_lock(tty, MAX_SCHEDULE_TIMEOUT);
+       retval = __tty_ldisc_reinit(tty, disc);
+       tty_ldisc_unlock(tty);
+       return retval;
+}
+
 /**
  *     tty_ldisc_hangup                -       hangup ldisc reset
  *     @tty: tty being hung up
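Review bot: In the new wrapper the return value of tty_ldisc_lock(tty, MAX_SCHEDULE_TIMEOUT) is discarded before __tty_ldisc_reinit runs; if that call can fail (it takes a timeout argument, so presumably it can), the wrapper should propagate the error instead of proceeding as if the lock were held, or carry a comment saying why MAX_SCHEDULE_TIMEOUT makes failure impossible here. The wrapper is also the entry point for callers outside the hangup path and has no kernel-doc of its own, so a short comment that it serializes on the ldisc lock would help future callers pick the right variant.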
@@ -732,8 +742,8 @@ void tty_ldisc_hangup(struct tty_struct *tty, bool reinit)
 
        if (tty->ldisc) {
                if (reinit) {
-                       if (tty_ldisc_reinit(tty, tty->termios.c_line) < 0)
-                               tty_ldisc_reinit(tty, N_TTY);
+                       if (__tty_ldisc_reinit(tty, tty->termios.c_line) < 0)
+                               __tty_ldisc_reinit(tty, N_TTY);
                } else
                        tty_ldisc_kill(tty);
        }
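Review bot: Switching tty_ldisc_hangup to __tty_ldisc_reinit is only safe if the ldisc lock is already held across this block; the hunk's context does not show where it is taken, so please confirm that the lock covers both the termios.c_line attempt and the N_TTY fallback, and consider a one-line comment at the call site ("ldisc lock held") so the unlocked variant is not copied elsewhere without it. The return value of the N_TTY fallback is still ignored, unchanged from before, which is worth a second look now that the two calls share a lock scope.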
