Skip to content

Commit b027e22

Browse files
Gaurav Kohligregkh
Gaurav Kohli
authored and
gregkh
committed
tty: fix data race between tty_init_dev and flush of buf
There can be a race, if receive_buf call comes before tty initialization completes in n_tty_open and tty->disc_data may be NULL. CPU0 CPU1 ---- ---- 000|n_tty_receive_buf_common() n_tty_open() -001|n_tty_receive_buf2() tty_ldisc_open.isra.3() -002|tty_ldisc_receive_buf(inline) tty_ldisc_setup() Using ldisc semaphore lock in tty_init_dev till disc_data initializes completely. Signed-off-by: Gaurav Kohli <gkohli@codeaurora.org> Reviewed-by: Alan Cox <alan@linux.intel.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent 09df0b3 commit b027e22

File tree

3 files changed

+11
-3
lines changed

3 files changed

+11
-3
lines changed

drivers/tty/tty_io.c

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1323,6 +1323,9 @@ struct tty_struct *tty_init_dev(struct tty_driver *driver, int idx)
13231323
"%s: %s driver does not set tty->port. This will crash the kernel later. Fix the driver!\n",
13241324
__func__, tty->driver->name);
13251325

1326+
retval = tty_ldisc_lock(tty, 5 * HZ);
1327+
if (retval)
1328+
goto err_release_lock;
13261329
tty->port->itty = tty;
13271330

13281331
/*
@@ -1333,6 +1336,7 @@ struct tty_struct *tty_init_dev(struct tty_driver *driver, int idx)
13331336
retval = tty_ldisc_setup(tty, tty->link);
13341337
if (retval)
13351338
goto err_release_tty;
1339+
tty_ldisc_unlock(tty);
13361340
/* Return the tty locked so that it cannot vanish under the caller */
13371341
return tty;
13381342

@@ -1345,9 +1349,11 @@ struct tty_struct *tty_init_dev(struct tty_driver *driver, int idx)
13451349

13461350
/* call the tty release_tty routine to clean out this slot */
13471351
err_release_tty:
1348-
tty_unlock(tty);
1352+
tty_ldisc_unlock(tty);
13491353
tty_info_ratelimited(tty, "ldisc open failed (%d), clearing slot %d\n",
13501354
retval, idx);
1355+
err_release_lock:
1356+
tty_unlock(tty);
13511357
release_tty(tty, idx);
13521358
return ERR_PTR(retval);
13531359
}

drivers/tty/tty_ldisc.c

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -337,7 +337,7 @@ static inline void __tty_ldisc_unlock(struct tty_struct *tty)
337337
ldsem_up_write(&tty->ldisc_sem);
338338
}
339339

340-
static int tty_ldisc_lock(struct tty_struct *tty, unsigned long timeout)
340+
int tty_ldisc_lock(struct tty_struct *tty, unsigned long timeout)
341341
{
342342
int ret;
343343

@@ -348,7 +348,7 @@ static int tty_ldisc_lock(struct tty_struct *tty, unsigned long timeout)
348348
return 0;
349349
}
350350

351-
static void tty_ldisc_unlock(struct tty_struct *tty)
351+
void tty_ldisc_unlock(struct tty_struct *tty)
352352
{
353353
clear_bit(TTY_LDISC_HALTED, &tty->flags);
354354
__tty_ldisc_unlock(tty);

include/linux/tty.h

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -405,6 +405,8 @@ extern const char *tty_name(const struct tty_struct *tty);
405405
extern struct tty_struct *tty_kopen(dev_t device);
406406
extern void tty_kclose(struct tty_struct *tty);
407407
extern int tty_dev_name_to_number(const char *name, dev_t *number);
408+
extern int tty_ldisc_lock(struct tty_struct *tty, unsigned long timeout);
409+
extern void tty_ldisc_unlock(struct tty_struct *tty);
408410
#else
409411
static inline void tty_kref_put(struct tty_struct *tty)
410412
{ }

0 commit comments

Comments
 (0)