aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/char
diff options
context:
space:
mode:
authorPaul Fulghum <paulkf@microgate.com>2006-04-11 01:54:18 -0400
committerLinus Torvalds <torvalds@g5.osdl.org>2006-04-11 09:18:43 -0400
commit9453a5adaf32aa0b31d1491819a083d403f645c1 (patch)
tree49acd011b03e437137fdf083e5c44cba27403a75 /drivers/char
parentacc8dadc0b3f007e6e60da77feb2efe2a19c5cda (diff)
[PATCH] ptmx: fix duplicate idr_remove
Remove duplicate call to idr_remove() in ptmx_open. Error during open can result in call to release_dev() followed by call to idr_remove(). release_dev already calls idr_remove so the second call can cause a stack dump in idr_remove()->sub_remove() flagging an attempt to release an already released entry. I reproduces this on a machine with a misconfigured X server (attempting to restart multiple times rapidly) getting the same error as the 1st link below. This also seems to be related to: http://marc.theaimsgroup.com/?l=selinux&m=110536513426735&w=2 http://marc.theaimsgroup.com/?l=selinux&m=110596994916785&w=2 The stack dump can occur on close (as well as open) as shown in the 1st instance above, possible from something like: process A - open (index=0), open fail to out1, release_dev calls idr_remove (index 0), down(sem) sleeps process B - open (index=0), open OK (idr allocated) process A - wake and call idr_remove on index 0 ... process B - close, release_dev, stack dump on idr_remove (index=0) because entry already removed Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'drivers/char')
-rw-r--r--drivers/char/tty_io.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c
index 6f58cacec341..b1f9a1582dd7 100644
--- a/drivers/char/tty_io.c
+++ b/drivers/char/tty_io.c
@@ -2195,6 +2195,7 @@ static int ptmx_open(struct inode * inode, struct file * filp)
2195 return 0; 2195 return 0;
2196out1: 2196out1:
2197 release_dev(filp); 2197 release_dev(filp);
2198 return retval;
2198out: 2199out:
2199 down(&allocated_ptys_lock); 2200 down(&allocated_ptys_lock);
2200 idr_remove(&allocated_ptys, index); 2201 idr_remove(&allocated_ptys, index);