diff options
| author | Jiri Slaby <jslaby@suse.cz> | 2011-10-12 05:32:43 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-10-18 17:22:37 -0400 |
| commit | fa90e1c935472281de314e6d7c9a37db9cbc2e4e (patch) | |
| tree | 2c89c0038c640b6bdb5caaef00401f22553b118a /include/linux/tty.h | |
| parent | c290f8358acaeffd8e0c551ddcc24d1206143376 (diff) | |
TTY: make tty_add_file non-failing
If tty_add_file fails at the point it is now, we have to revert all
the changes we did to the tty. It means either decrease all refcounts
if this was a tty reopen or delete the tty if it was newly allocated.
There was a try to fix this in v3.0-rc2 using tty_release in 0259894c7
(TTY: fix fail path in tty_open). But instead it introduced a NULL
dereference. It's because tty_release dereferences
filp->private_data, but that one is set even in our tty_add_file. And
when tty_add_file fails, it's still NULL/garbage. Hence tty_release
cannot be called there.
To circumvent the original leak (and the current NULL deref) we split
tty_add_file into two functions, making the latter non-failing. In
that case we may do the former early in open, where handling failures
is easy. The latter stays as it is now. So there is no change in
functionality.
The original bug (leak) was introduced by f573bd176 (tty: Remove
__GFP_NOFAIL from tty_add_file()). Thanks Dan for reporting this.
Later, we may split tty_release into more functions and call only some
of them in this fail path instead. (If at all possible.)
Introduced-in: v2.6.37-rc2
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable <stable@vger.kernel.org>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Pekka Enberg <penberg@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'include/linux/tty.h')
| -rw-r--r-- | include/linux/tty.h | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/include/linux/tty.h b/include/linux/tty.h index 64c12a3e65f0..ff2925aa4e79 100644 --- a/include/linux/tty.h +++ b/include/linux/tty.h | |||
| @@ -471,7 +471,9 @@ extern void proc_clear_tty(struct task_struct *p); | |||
| 471 | extern struct tty_struct *get_current_tty(void); | 471 | extern struct tty_struct *get_current_tty(void); |
| 472 | extern void tty_default_fops(struct file_operations *fops); | 472 | extern void tty_default_fops(struct file_operations *fops); |
| 473 | extern struct tty_struct *alloc_tty_struct(void); | 473 | extern struct tty_struct *alloc_tty_struct(void); |
| 474 | extern int tty_add_file(struct tty_struct *tty, struct file *file); | 474 | extern int tty_alloc_file(struct file *file); |
| 475 | extern void tty_add_file(struct tty_struct *tty, struct file *file); | ||
| 476 | extern void tty_free_file(struct file *file); | ||
| 475 | extern void free_tty_struct(struct tty_struct *tty); | 477 | extern void free_tty_struct(struct tty_struct *tty); |
| 476 | extern void initialize_tty_struct(struct tty_struct *tty, | 478 | extern void initialize_tty_struct(struct tty_struct *tty, |
| 477 | struct tty_driver *driver, int idx); | 479 | struct tty_driver *driver, int idx); |