[PATCH] tty race on con_close and con_flush_chars

Robert Love (rml@tech9.net)
29 Oct 2001 20:04:27 -0500

There is a race in the console code between con_close and
con_flush_chars. n_tty_receive_buf writes to the tty queue and then
writes it out via con_flush_chars. The race arises in between the above
two operations; the console can close and thus zero tty->drive_data.
When con_flush_chars runs, it will dereference a null pointer.

The following fix, by Andrew Morton, merely checks if the tty still
exists because continuing. I am submitting the patch because the race
is uncovered often with a preemptive kernel. The fix is in the preempt
tree, but it should be pushed to mainline since it should affect SMP
too.

Linus and Alan, please apply.

diff -urN linux-2.4.13-ac5/drivers/char/console.c linux/drivers/char/console.c
--- linux-2.4.13-ac5/drivers/char/console.c Mon Oct 29 17:27:19 2001
+++ linux/drivers/char/console.c Mon Oct 29 17:28:24 2001
@@ -2387,9 +2387,15 @@
return;

pm_access(pm_con);
- acquire_console_sem();
- set_cursor(vt->vc_num);
- release_console_sem();
+ if (vt) {
+ /*
+ * If we raced with con_close(), `vt' may be null.
+ * Hence this bandaid. - akpm
+ */
+ acquire_console_sem();
+ set_cursor(vt->vc_num);
+ release_console_sem();
+ }
}

/*

Robert Love

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/