Bug#849474: marked as done (repeated console pasting with TIOCLINUX+TIOCL_PASTESEL hung process)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 15 May 2021 04:49:19 -0700 (PDT)
with message-id <609fb53f.1c69fb81.752b8.3290@mx.google.com>
and subject line Closing this bug (BTS maintenance for src:linux bugs)
has caused the Debian Bug report #849474,
regarding repeated console pasting with TIOCLINUX+TIOCL_PASTESEL hung process
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
849474: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849474
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: repeated console pasting with TIOCLINUX+TIOCL_PASTESEL hung process
• From: Bill Allombert <ballombe@debian.org>
• Date: Tue, 27 Dec 2016 16:02:26 +0100
• Message-id: <20161227150226.GA2028@yellowpig>

Package: src:linux
Version: 3.16.36-1+deb8u2
Severity: normal

Dear Linux team,

I found that quickly repeatedly pasting lot of text in the console using
the TIOCLINUX system call and the TIOCL_PASTESEL option cause the
calling process to hung in kernel mode, making it unkillable while
using 100% CPU, and hanging the shutdown of the system and other
negative effect.

This syscall requires the user to be root, however software like gpm and
consolation allow a non priviledged user to do it, by selecting a big
chunk of text and pasting it several time a second (with the mouse).

This can be automated using the attached program
(warning, this is slightly dangerous since it copy-paste dummy text to
the console, be careful. It is safer to use it in a X terminal since then
the pasted text is sent to the underlying VT which is disabled, but it
is less reliable)

gcc -O3 -Wall crash.c -o crash
sudo ./crash

I found that the larger the number of pasted characters and the faster it is done,
the quicker the process hangs.

-- Package-specific info:
** Version:
Linux version 3.16.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19)

** Command line:
BOOT_IMAGE=/boot/vmlinuz-3.16.0-4-amd64 root=UUID=f91ea73c-a9e5-440f-98eb-f99554b362e1 ro quiet

** Not tainted

Log:

Dec 27 14:02:16 yellowpig kernel: [  240.410094] INFO: task kworker/1:2:226 blocked for more than 120 seconds.
Dec 27 14:02:16 yellowpig kernel: [  240.414447]       Not tainted 3.16.0-4-amd64 #1
Dec 27 14:02:16 yellowpig kernel: [  240.419214] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Dec 27 14:02:16 yellowpig kernel: [  240.423708] kworker/1:2     D ffff8802434eefb8     0   226      2 0x00000000
Dec 27 14:02:16 yellowpig kernel: [  240.423744] Workqueue: events flush_to_ldisc
Dec 27 14:02:16 yellowpig kernel: [  240.423756]  ffff8802434eeb60 0000000000000046 0000000000012f40 ffff880243b17fd8
Dec 27 14:02:16 yellowpig kernel: [  240.423764]  0000000000012f40 ffff8802434eeb60 ffff88024e81e428 ffff880243b17dd0
Dec 27 14:02:16 yellowpig kernel: [  240.423772]  ffff88024e81e42c ffff8802434eeb60 00000000ffffffff ffff88024e81e430
Dec 27 14:02:16 yellowpig kernel: [  240.423780] Call Trace:
Dec 27 14:02:16 yellowpig kernel: [  240.423797]  [<ffffffff815151d5>] ? schedule_preempt_disabled+0x25/0x70
Dec 27 14:02:16 yellowpig kernel: [  240.423824]  [<ffffffff81516c33>] ? __mutex_lock_slowpath+0xd3/0x1c0
Dec 27 14:02:16 yellowpig kernel: [  240.423836]  [<ffffffff81074076>] ? lock_timer_base.isra.35+0x26/0x50
Dec 27 14:02:16 yellowpig kernel: [  240.423844]  [<ffffffff81516d3b>] ? mutex_lock+0x1b/0x2a
Dec 27 14:02:16 yellowpig kernel: [  240.423865]  [<ffffffff8137202a>] ? flush_to_ldisc+0x4a/0x140
Dec 27 14:02:16 yellowpig kernel: [  240.423875]  [<ffffffff81082b73>] ? process_one_work+0x143/0x430
Dec 27 14:02:16 yellowpig kernel: [  240.423889]  [<ffffffff810832f3>] ? worker_thread+0x113/0x4f0
Dec 27 14:02:16 yellowpig kernel: [  240.423898]  [<ffffffff81514951>] ? __schedule+0x2b1/0x6f0
Dec 27 14:02:16 yellowpig kernel: [  240.423912]  [<ffffffff810831e0>] ? rescuer_thread+0x2d0/0x2d0
Dec 27 14:02:16 yellowpig kernel: [  240.423921]  [<ffffffff810894bd>] ? kthread+0xbd/0xe0
Dec 27 14:02:16 yellowpig kernel: [  240.423940]  [<ffffffff81089400>] ? kthread_create_on_node+0x180/0x180
Dec 27 14:02:16 yellowpig kernel: [  240.423953]  [<ffffffff815184d8>] ? ret_from_fork+0x58/0x90
Dec 27 14:02:16 yellowpig kernel: [  240.423962]  [<ffffffff81089400>] ? kthread_create_on_node+0x180/0x180

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 

/* Copyright © 2016 Bill Allombert

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  Check the License for details. You should have received a copy of it, along
  with the package; see the file 'COPYING'. If not, write to the Free Software
  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/

#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/tiocl.h>
#include <stdint.h>
#include <linux/kd.h>
#include <time.h>

static void
select(void)
{
  int fd;
  struct {
    char argp[2]; /*Force struct alignment*/
    struct tiocl_selection sel;
  } s;
  s.argp[0] = 0; /* unused */
  s.argp[1] = TIOCL_SETSEL;
  s.sel.xs = 1;
  s.sel.ys = 1;
  s.sel.xe = 10;
  s.sel.ye = 10;
  s.sel.sel_mode = TIOCL_SELCHAR;
  fd = open("/dev/tty0",O_RDONLY);
  if (ioctl(fd, TIOCLINUX, ((char*)&s)+1) < 0)
    perror("selection: TIOCLINUX");
  close(fd);
}

void paste(void)
{
  int fd;
  char subcode = TIOCL_PASTESEL;
  fd = open("/dev/tty0", O_RDWR);
  if (ioctl(fd, TIOCLINUX, &subcode)<0)
    perror("paste: TIOCLINUX");
  close(fd);
}

int main(void)
{
  int n=0, i;
  struct timespec req, rem;
  req.tv_sec  = 0;
  req.tv_nsec = 200000000;
  for(i=0; i<25*130; i++) fputc('@',stderr);
  select();
  while(1)
  {
    fprintf(stderr,"try %d\n",n++);
    paste();
    nanosleep(&req, &rem);
  }
}

--- End Message ---

--- Begin Message ---

• To: 849474-done@bugs.debian.org
• Cc: 849474-submitter@bugs.debian.org
• Subject: Closing this bug (BTS maintenance for src:linux bugs)
• From: carnil@debian.org
• Date: Sat, 15 May 2021 04:49:19 -0700 (PDT)
• Message-id: <609fb53f.1c69fb81.752b8.3290@mx.google.com>

Hi

This bug was filed for a very old kernel or the bug is old itself
without resolution.

If you can reproduce it with

- the current version in unstable/testing
- the latest kernel from backports

please reopen the bug, see https://www.debian.org/Bugs/server-control
for details.

Regards,
Salvatore

--- End Message ---