mirrors/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2025-11-04 10:40:15 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

tty: fix data race between tty_init_dev and flush of buf

Browse source 
There can be a race, if receive_buf call comes before
tty initialization completes in n_tty_open and tty->disc_data
may be NULL.

CPU0					CPU1
----					----
 000|n_tty_receive_buf_common()   	n_tty_open()
-001|n_tty_receive_buf2()		tty_ldisc_open.isra.3()
-002|tty_ldisc_receive_buf(inline)	tty_ldisc_setup()

Using ldisc semaphore lock in tty_init_dev till disc_data
initializes completely.

Signed-off-by: Gaurav Kohli <gkohli@codeaurora.org>
Reviewed-by: Alan Cox <alan@linux.intel.com>
Cc: stable <stable@vger.kernel.org>

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Gaurav Kohli 2018-01-23 13:16:34 +05:30 committed by Greg Kroah-Hartman
parent 09df0b3464
commit b027e2298b
3 changed files with 11 additions and 3 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

8
drivers/tty/tty_io.c
View file

@ -1323,6 +1323,9 @@ struct tty_struct *tty_init_dev(struct tty_driver *driver, int idx)
"%s: %s driver does not set tty->port. This will crash the kernel later. Fix the driver!\n", "%s: %s driver does not set tty->port. This will crash the kernel later. Fix the driver!\n",
__func__, tty->driver->name); __func__, tty->driver->name);
retval = tty_ldisc_lock(tty, 5 * HZ);
if (retval)
goto err_release_lock;
tty->port->itty = tty; tty->port->itty = tty;
/* /*
@ -1333,6 +1336,7 @@ struct tty_struct *tty_init_dev(struct tty_driver *driver, int idx)
retval = tty_ldisc_setup(tty, tty->link); retval = tty_ldisc_setup(tty, tty->link);
if (retval) if (retval)
goto err_release_tty; goto err_release_tty;
tty_ldisc_unlock(tty);
/* Return the tty locked so that it cannot vanish under the caller */ /* Return the tty locked so that it cannot vanish under the caller */
return tty; return tty;
@ -1345,9 +1349,11 @@ struct tty_struct *tty_init_dev(struct tty_driver *driver, int idx)
/* call the tty release_tty routine to clean out this slot */ /* call the tty release_tty routine to clean out this slot */
err_release_tty: err_release_tty:
tty_unlock(tty); tty_ldisc_unlock(tty);
tty_info_ratelimited(tty, "ldisc open failed (%d), clearing slot %d\n", tty_info_ratelimited(tty, "ldisc open failed (%d), clearing slot %d\n",
retval, idx); retval, idx);
err_release_lock:
tty_unlock(tty);
release_tty(tty, idx); release_tty(tty, idx);
return ERR_PTR(retval); return ERR_PTR(retval);
} }

4
drivers/tty/tty_ldisc.c
View file

@ -337,7 +337,7 @@ static inline void __tty_ldisc_unlock(struct tty_struct *tty)
ldsem_up_write(&tty->ldisc_sem); ldsem_up_write(&tty->ldisc_sem);
} }
static int tty_ldisc_lock(struct tty_struct *tty, unsigned long timeout) int tty_ldisc_lock(struct tty_struct *tty, unsigned long timeout)
{ {
int ret; int ret;
@ -348,7 +348,7 @@ static int tty_ldisc_lock(struct tty_struct *tty, unsigned long timeout)
return 0; return 0;
} }
static void tty_ldisc_unlock(struct tty_struct *tty) void tty_ldisc_unlock(struct tty_struct *tty)
{ {
clear_bit(TTY_LDISC_HALTED, &tty->flags); clear_bit(TTY_LDISC_HALTED, &tty->flags);
__tty_ldisc_unlock(tty); __tty_ldisc_unlock(tty);

2
include/linux/tty.h
View file

@ -405,6 +405,8 @@ extern const char *tty_name(const struct tty_struct *tty);
extern struct tty_struct *tty_kopen(dev_t device); extern struct tty_struct *tty_kopen(dev_t device);
extern void tty_kclose(struct tty_struct *tty); extern void tty_kclose(struct tty_struct *tty);
extern int tty_dev_name_to_number(const char *name, dev_t *number); extern int tty_dev_name_to_number(const char *name, dev_t *number);
extern int tty_ldisc_lock(struct tty_struct *tty, unsigned long timeout);
extern void tty_ldisc_unlock(struct tty_struct *tty);
#else #else
static inline void tty_kref_put(struct tty_struct *tty) static inline void tty_kref_put(struct tty_struct *tty)
{ } { }