diff options
author | Paul Fulghum <paulkf@microgate.com> | 2006-04-11 01:54:18 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-04-11 09:18:43 -0400 |
commit | 9453a5adaf32aa0b31d1491819a083d403f645c1 (patch) | |
tree | 49acd011b03e437137fdf083e5c44cba27403a75 | |
parent | acc8dadc0b3f007e6e60da77feb2efe2a19c5cda (diff) |
[PATCH] ptmx: fix duplicate idr_remove
Remove duplicate call to idr_remove() in ptmx_open.
Error during open can result in call to release_dev() followed by call to
idr_remove(). release_dev already calls idr_remove so the second call can
cause a stack dump in idr_remove()->sub_remove() flagging an attempt to
release an already released entry.
I reproduces this on a machine with a misconfigured X server (attempting to
restart multiple times rapidly) getting the same error as the 1st link
below.
This also seems to be related to:
http://marc.theaimsgroup.com/?l=selinux&m=110536513426735&w=2
http://marc.theaimsgroup.com/?l=selinux&m=110596994916785&w=2
The stack dump can occur on close (as well as open) as shown
in the 1st instance above, possible from something like:
process A - open (index=0), open fail to out1,
release_dev calls idr_remove (index 0), down(sem) sleeps
process B - open (index=0), open OK (idr allocated)
process A - wake and call idr_remove on index 0
...
process B - close, release_dev, stack dump on idr_remove (index=0)
because entry already removed
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r-- | drivers/char/tty_io.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c index 6f58cacec341..b1f9a1582dd7 100644 --- a/drivers/char/tty_io.c +++ b/drivers/char/tty_io.c | |||
@@ -2195,6 +2195,7 @@ static int ptmx_open(struct inode * inode, struct file * filp) | |||
2195 | return 0; | 2195 | return 0; |
2196 | out1: | 2196 | out1: |
2197 | release_dev(filp); | 2197 | release_dev(filp); |
2198 | return retval; | ||
2198 | out: | 2199 | out: |
2199 | down(&allocated_ptys_lock); | 2200 | down(&allocated_ptys_lock); |
2200 | idr_remove(&allocated_ptys, index); | 2201 | idr_remove(&allocated_ptys, index); |