Package: src:linux Version: 3.16.36-1+deb8u2 Severity: normal Dear Linux team,
I found that rapidly and repeatedly pasting a lot of text into the console using the TIOCLINUX ioctl with the TIOCL_PASTESEL option causes the calling process to hang in kernel mode, making it unkillable while using 100% CPU, hanging the shutdown of the system, and causing other negative effects. This call requires the user to be root; however, software like gpm and consolation allows a non-privileged user to trigger it by selecting a big chunk of text and pasting it several times a second (with the mouse). This can be automated using the attached program (warning: this is slightly dangerous since it copy-pastes dummy text to the console, so be careful. It is safer to run it in an X terminal, since the pasted text is then sent to the underlying VT, which is disabled, but it is less reliable):
gcc -O3 -Wall crash.c -o crash
sudo ./crash
I found that the larger the number of pasted characters and the faster it is done, the quicker the process hangs.
-- Package-specific info:
** Version: Linux version 3.16.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19)
** Command line: BOOT_IMAGE=/boot/vmlinuz-3.16.0-4-amd64 root=UUID=f91ea73c-a9e5-440f-98eb-f99554b362e1 ro quiet
** Not tainted
Log:
Dec 27 14:02:16 yellowpig kernel: [ 240.410094] INFO: task kworker/1:2:226 blocked for more than 120 seconds.
Dec 27 14:02:16 yellowpig kernel: [ 240.414447] Not tainted 3.16.0-4-amd64 #1
Dec 27 14:02:16 yellowpig kernel: [ 240.419214] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Dec 27 14:02:16 yellowpig kernel: [ 240.423708] kworker/1:2 D ffff8802434eefb8 0 226 2 0x00000000 Dec 27 14:02:16 yellowpig kernel: [ 240.423744] Workqueue: events flush_to_ldisc Dec 27 14:02:16 yellowpig kernel: [ 240.423756] ffff8802434eeb60 0000000000000046 0000000000012f40 ffff880243b17fd8 Dec 27 14:02:16 yellowpig kernel: [ 240.423764] 0000000000012f40 ffff8802434eeb60 ffff88024e81e428 ffff880243b17dd0 Dec 27 14:02:16 yellowpig kernel: [ 240.423772] ffff88024e81e42c ffff8802434eeb60 00000000ffffffff ffff88024e81e430 Dec 27 14:02:16 yellowpig kernel: [ 240.423780] Call Trace: Dec 27 14:02:16 yellowpig kernel: [ 240.423797] [<ffffffff815151d5>] ? schedule_preempt_disabled+0x25/0x70 Dec 27 14:02:16 yellowpig kernel: [ 240.423824] [<ffffffff81516c33>] ? __mutex_lock_slowpath+0xd3/0x1c0 Dec 27 14:02:16 yellowpig kernel: [ 240.423836] [<ffffffff81074076>] ? lock_timer_base.isra.35+0x26/0x50 Dec 27 14:02:16 yellowpig kernel: [ 240.423844] [<ffffffff81516d3b>] ? mutex_lock+0x1b/0x2a Dec 27 14:02:16 yellowpig kernel: [ 240.423865] [<ffffffff8137202a>] ? flush_to_ldisc+0x4a/0x140 Dec 27 14:02:16 yellowpig kernel: [ 240.423875] [<ffffffff81082b73>] ? process_one_work+0x143/0x430 Dec 27 14:02:16 yellowpig kernel: [ 240.423889] [<ffffffff810832f3>] ? worker_thread+0x113/0x4f0 Dec 27 14:02:16 yellowpig kernel: [ 240.423898] [<ffffffff81514951>] ? __schedule+0x2b1/0x6f0 Dec 27 14:02:16 yellowpig kernel: [ 240.423912] [<ffffffff810831e0>] ? rescuer_thread+0x2d0/0x2d0 Dec 27 14:02:16 yellowpig kernel: [ 240.423921] [<ffffffff810894bd>] ? kthread+0xbd/0xe0 Dec 27 14:02:16 yellowpig kernel: [ 240.423940] [<ffffffff81089400>] ? kthread_create_on_node+0x180/0x180 Dec 27 14:02:16 yellowpig kernel: [ 240.423953] [<ffffffff815184d8>] ? ret_from_fork+0x58/0x90 Dec 27 14:02:16 yellowpig kernel: [ 240.423962] [<ffffffff81089400>] ? kthread_create_on_node+0x180/0x180 Cheers, -- Bill. <ballo...@debian.org> Imagine a large red swirl here.
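/*
  Copyright © 2016 Bill Allombert

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  GNU General Public License for more details.

  Check the License for details. You should have received a copy of it,
  along with the package; see the file 'COPYING'. If not, write to the
  Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
  Boston, MA 02110-1301 USA.
*/

#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/tiocl.h>
#include <stdint.h>
#include <linux/kd.h>
#include <time.h>

/*
 * Reproducer for a Linux console hang: it sets a text selection on
 * /dev/tty0 once and then issues TIOCL_PASTESEL requests at a fixed
 * interval until it is interrupted. It writes filler text to stderr and
 * pastes into the active console, so it belongs on a scratch test system.
 */

enum {
    /* Number of filler characters written before selecting; presumably
     * 25 rows x 130 columns, i.e. enough to fill the screen -- confirm. */
    FILL_CHARS = 25 * 130,
    /* Delay between two paste requests: 0.2 s. */
    PASTE_INTERVAL_NS = 200000000
};

/*
 * Select the character range (1,1)-(10,10) on the console via
 * TIOCLINUX/TIOCL_SETSEL.
 *
 * Named set_selection() rather than select() so that it cannot collide
 * with the select(2) prototype if a header declaring it is ever included.
 *
 * Returns 0 on success, -1 if the console could not be opened or the
 * ioctl failed (the error is reported on stderr).
 */
static int set_selection(void)
{
    /*
     * TIOCLINUX expects the subcode byte immediately followed by the
     * struct tiocl_selection. argp[0] is padding so that `sel` keeps its
     * natural alignment; the pointer handed to the kernel starts at
     * argp[1].
     */
    struct {
        char argp[2]; /* Force struct alignment */
        struct tiocl_selection sel;
    } s;
    int fd;
    int rc = 0;

    s.argp[0] = 0; /* unused */
    s.argp[1] = TIOCL_SETSEL;
    s.sel.xs = 1;
    s.sel.ys = 1;
    s.sel.xe = 10;
    s.sel.ye = 10;
    s.sel.sel_mode = TIOCL_SELCHAR;

    fd = open("/dev/tty0", O_RDONLY);
    if (fd < 0) {
        /* Previously the invalid descriptor was passed on to ioctl()
         * and close(), hiding the real cause behind EBADF. */
        perror("selection: open /dev/tty0");
        return -1;
    }
    if (ioctl(fd, TIOCLINUX, (char *)&s + 1) < 0) {
        perror("selection: TIOCLINUX");
        rc = -1;
    }
    close(fd);
    return rc;
}

/*
 * Paste the current console selection via TIOCLINUX/TIOCL_PASTESEL.
 * Failures to open the console or to issue the ioctl are reported on
 * stderr; the function itself returns nothing.
 */
void paste(void)
{
    char subcode = TIOCL_PASTESEL;
    int fd = open("/dev/tty0", O_RDWR);

    if (fd < 0) {
        perror("paste: open /dev/tty0");
        return;
    }
    if (ioctl(fd, TIOCLINUX, &subcode) < 0)
        perror("paste: TIOCLINUX");
    close(fd);
}

/*
 * Write the filler text, set the selection once, then paste it every
 * PASTE_INTERVAL_NS nanoseconds. The paste loop has no exit condition
 * and runs until the process is interrupted. Returns 1 without entering
 * the loop when the selection cannot be set, since there would be
 * nothing to paste.
 */
int main(void)
{
    const struct timespec delay = {
        .tv_sec = 0,
        .tv_nsec = PASTE_INTERVAL_NS
    };
    int n = 0;

    for (int i = 0; i < FILL_CHARS; i++)
        fputc('@', stderr);

    if (set_selection() < 0)
        return 1;

    for (;;) {
        fprintf(stderr, "try %d\n", n++);
        paste();
        /* The remaining time is not needed, so no `rem` buffer is passed. */
        nanosleep(&delay, NULL);
    }
}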