um: fix oopsable race in line_close()

tty->count is decremented only after ->close() had been called and several tasks can hit it in parallel. As the result, using tty->count to check if you are the last one is broken. We end up leaving line->tty not reset to NULL and the next IRQ on that sucker will blow up trying to dereference pointers from kfree'd struct tty. Fix is obvious: we need to use a counter of our own. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Al Viro <viro@ftp.linux.org.uk> 2011-09-14 19:21:25 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2011-09-14 21:09:37 -0400
commit: f71f94845e0126884eca8ce57a92e30b189c8e71 (patch)
tree: 4284aa9143c6f1b5969da372a81bc75ba7ef4e3e /arch/um/drivers
parent: fbfe9c847edf57ac8232aeafb290f272289893a3 (diff)
1 files changed, 12 insertions, 13 deletions
diff --git a/arch/um/drivers/line.c b/arch/um/drivers/line.c
index d51c404239a8..c5bff1ddeabc 100644
--- a/arch/um/drivers/line.c
+++ b/arch/um/drivers/line.c
@@ -399,8 +399,8 @@ int line_setup_irq(int fd, int input, int output, struct line *line, void *data)
 * is done under a spinlock.  Checking whether the device is in use is
 * line->tty->count > 1, also under the spinlock.
 *
- * tty->count serves to decide whether the device should be enabled or
+ * line->count serves to decide whether the device should be enabled or
- * disabled on the host.  If it's equal to 1, then we are doing the
+ * disabled on the host.  If it's equal to 0, then we are doing the
 * first open or last close.  Otherwise, open and close just return.
 */
@@ -414,16 +414,16 @@ int line_open(struct line *lines, struct tty_struct *tty)
                goto out_unlock;
        err = 0;
-        if (tty->count > 1)
+        if (line->count++)
                goto out_unlock;
-        spin_unlock(&line->count_lock);
+        BUG_ON(tty->driver_data);
        tty->driver_data = line;
        line->tty = tty;
+        spin_unlock(&line->count_lock);
        err = enable_chan(line);
-        if (err)
+        if (err) /* line_close() will be called by our caller */
                return err;
        INIT_DELAYED_WORK(&line->task, line_timer_cb);
@@ -436,7 +436,7 @@ int line_open(struct line *lines, struct tty_struct *tty)
        chan_window_size(&line->chan_list, &tty->winsize.ws_row,
                         &tty->winsize.ws_col);
-        return err;
+        return 0;
 out_unlock:
        spin_unlock(&line->count_lock);
@@ -460,17 +460,16 @@ void line_close(struct tty_struct *tty, struct file * filp)
        flush_buffer(line);
        spin_lock(&line->count_lock);
-        if (!line->valid)
+        BUG_ON(!line->valid);
-                goto out_unlock;
-        if (tty->count > 1)
+        if (--line->count)
                goto out_unlock;
-        spin_unlock(&line->count_lock);
        line->tty = NULL;
        tty->driver_data = NULL;
+        spin_unlock(&line->count_lock);
        if (line->sigio) {
                unregister_winch(tty);
                line->sigio = 0;
@@ -498,7 +497,7 @@ static int setup_one_line(struct line *lines, int n, char *init, int init_prio,
        spin_lock(&line->count_lock);
-        if (line->tty != NULL) {
+        if (line->count) {
                *error_out = "Device is already open";
                goto out;
        }
author	Al Viro <viro@ftp.linux.org.uk>	2011-09-14 19:21:25 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2011-09-14 21:09:37 -0400
commit	f71f94845e0126884eca8ce57a92e30b189c8e71 (patch)
tree	4284aa9143c6f1b5969da372a81bc75ba7ef4e3e /arch/um/drivers
parent	fbfe9c847edf57ac8232aeafb290f272289893a3 (diff)