tty: fix data race between tty_init_dev and flush of buf

There can be a race, if receive_buf call comes before tty initialization completes in n_tty_open and tty->disc_data may be NULL. CPU0 CPU1 ---- ---- 000|n_tty_receive_buf_common() n_tty_open() -001|n_tty_receive_buf2() tty_ldisc_open.isra.3() -002|tty_ldisc_receive_buf(inline) tty_ldisc_setup() Using ldisc semaphore lock in tty_init_dev till disc_data initializes completely. Signed-off-by: Gaurav Kohli <gkohli@codeaurora.org> Reviewed-by: Alan Cox <alan@linux.intel.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Gaurav Kohli <gkohli@codeaurora.org> 2018-01-23 02:46:34 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-01-23 02:57:37 -0500
commit: b027e2298bd588d6fa36ed2eda97447fb3eac078 (patch)
tree: 3b90cee88ac74c2828b90b67d67cf7adf6e9e310
parent: 09df0b3464e528c6a4ca2c48d9ff6d2fd7cbd775 (diff)
3 files changed, 11 insertions, 3 deletions
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index a6ca634411e1..688bd25aa6b0 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -1323,6 +1323,9 @@ struct tty_struct *tty_init_dev(struct tty_driver *driver, int idx)
                        "%s: %s driver does not set tty->port. This will crash the kernel later. Fix the driver!\n",
                        __func__, tty->driver->name);
+        retval = tty_ldisc_lock(tty, 5 * HZ);
+        if (retval)
+                goto err_release_lock;
        tty->port->itty = tty;
        /*
@@ -1333,6 +1336,7 @@ struct tty_struct *tty_init_dev(struct tty_driver *driver, int idx)
        retval = tty_ldisc_setup(tty, tty->link);
        if (retval)
                goto err_release_tty;
+        tty_ldisc_unlock(tty);
        /* Return the tty locked so that it cannot vanish under the caller */
        return tty;
@@ -1345,9 +1349,11 @@ err_module_put:
        /* call the tty release_tty routine to clean out this slot */
 err_release_tty:
-        tty_unlock(tty);
+        tty_ldisc_unlock(tty);
        tty_info_ratelimited(tty, "ldisc open failed (%d), clearing slot %d\n",
                             retval, idx);
+err_release_lock:
+        tty_unlock(tty);
        release_tty(tty, idx);
        return ERR_PTR(retval);
 }
diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c
index 24ec5c7e6b20..4e7946c0484b 100644
--- a/drivers/tty/tty_ldisc.c
+++ b/drivers/tty/tty_ldisc.c
@@ -337,7 +337,7 @@ static inline void __tty_ldisc_unlock(struct tty_struct *tty)
        ldsem_up_write(&tty->ldisc_sem);
 }
-static int tty_ldisc_lock(struct tty_struct *tty, unsigned long timeout)
+int tty_ldisc_lock(struct tty_struct *tty, unsigned long timeout)
 {
        int ret;
@@ -348,7 +348,7 @@ static int tty_ldisc_lock(struct tty_struct *tty, unsigned long timeout)
        return 0;
 }
-static void tty_ldisc_unlock(struct tty_struct *tty)
+void tty_ldisc_unlock(struct tty_struct *tty)
 {
        clear_bit(TTY_LDISC_HALTED, &tty->flags);
        __tty_ldisc_unlock(tty);
diff --git a/include/linux/tty.h b/include/linux/tty.h
index 7ac8ba208b1f..0a6c71e0ad01 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -405,6 +405,8 @@ extern const char *tty_name(const struct tty_struct *tty);
 extern struct tty_struct *tty_kopen(dev_t device);
 extern void tty_kclose(struct tty_struct *tty);
 extern int tty_dev_name_to_number(const char *name, dev_t *number);
+extern int tty_ldisc_lock(struct tty_struct *tty, unsigned long timeout);
+extern void tty_ldisc_unlock(struct tty_struct *tty);
 #else
 static inline void tty_kref_put(struct tty_struct *tty)
 { }
author	Gaurav Kohli <gkohli@codeaurora.org>	2018-01-23 02:46:34 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-01-23 02:57:37 -0500
commit	b027e2298bd588d6fa36ed2eda97447fb3eac078 (patch)
tree	3b90cee88ac74c2828b90b67d67cf7adf6e9e310
parent	09df0b3464e528c6a4ca2c48d9ff6d2fd7cbd775 (diff)