[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-serial
Subject:    [PATCH V2] [tty] Fix possible race in n_tty_read()
From:       Stanislav Kozina <skozina () redhat ! com>
Date:       2012-08-08 14:28:47
Message-ID: 5022779F.8060309 () redhat ! com
[Download RAW message or body]

Fix possible panic caused by unlocked access to tty->read_cnt in 
while-loop condition in n_tty_read().

Signed-off-by: Stanislav Kozina <skozina@redhat.com>
---
  drivers/tty/n_tty.c |    6 +++++-
  1 files changed, 5 insertions(+), 1 deletions(-)
  v1->v2: Add spin_unlock_irqrestore() call after the while loop

diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index ee1c268..df21f39 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -1832,13 +1832,13 @@ do_it_again:

  		if (tty->icanon && !L_EXTPROC(tty)) {
  			/* N.B. avoid overrun if nr == 0 */
+			spin_lock_irqsave(&tty->read_lock, flags);
  			while (nr && tty->read_cnt) {
  				int eol;

  				eol = test_and_clear_bit(tty->read_tail,
  						tty->read_flags);
  				c = tty->read_buf[tty->read_tail];
-				spin_lock_irqsave(&tty->read_lock, flags);
  				tty->read_tail = ((tty->read_tail+1) &
  						  (N_TTY_BUF_SIZE-1));
  				tty->read_cnt--;
@@ -1856,15 +1856,19 @@ do_it_again:
  					if (tty_put_user(tty, c, b++)) {
  						retval = -EFAULT;
  						b--;
+						spin_lock_irqsave(&tty->read_lock, flags);
  						break;
  					}
  					nr--;
  				}
  				if (eol) {
  					tty_audit_push(tty);
+					spin_lock_irqsave(&tty->read_lock, flags);
  					break;
  				}
+				spin_lock_irqsave(&tty->read_lock, flags);
  			}
+			spin_unlock_irqrestore(&tty->read_lock, flags);
  			if (retval)
  				break;
  		} else {
-- 
1.7.1
--
To unsubscribe from this list: send the line "unsubscribe linux-serial" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[prev in list] [next in list] [prev in thread] [next in thread]