tree 246cc25d07fc4085b1bf5913f84ffd9c53eef256
parent 3859f6a248cbdfbe7b41663f3a2b51f48e30b281
author Paul Mackerras <[EMAIL PROTECTED]> Sun, 28 Aug 2005 09:40:01 +1000
committer Linus Torvalds <[EMAIL PROTECTED]> Sun, 28 Aug 2005 08:03:42 -0700

[PATCH] Remove race between con_open and con_close

[ Same race and same patch also by Steven Rostedt <[EMAIL PROTECTED]> ]

I have a laptop (G3 powerbook) which will pretty reliably hit a race
between con_open and con_close late in the boot process and oops in
vt_ioctl due to tty->driver_data being NULL.

What happens is this: process A opens /dev/tty6; it comes into
con_open() (drivers/char/vt.c) and assign a non-NULL value to
tty->driver_data.  Then process A closes that and concurrently process
B opens /dev/tty6.  Process A gets through con_close() and clears
tty->driver_data, since tty->count == 1.  However, before process A
can decrement tty->count, we switch to process B (e.g. at the
down(&tty_sem) call at drivers/char/tty_io.c line 1626).

So process B gets to run and comes into con_open with tty->count == 2,
as tty->count is incremented (in init_dev) before con_open is called.
Because tty->count != 1, we don't set tty->driver_data.  Then when the
process tries to do anything with that fd, it oopses.

The simple and effective fix for this is to test tty->driver_data
rather than tty->count in con_open.  The testing and setting of
tty->driver_data is serialized with respect to the clearing of
tty->driver_data in con_close by the console_sem.  We can't get a
situation where con_open sees tty->driver_data != NULL and then
con_close on a different fd clears tty->driver_data, because
tty->count is incremented before con_open is called.  Thus this patch
eliminates the race, and in fact with this patch my laptop doesn't

Signed-off-by: Paul Mackerras <[EMAIL PROTECTED]>
[ Same patch
Signed-off-by: Steven Rostedt <[EMAIL PROTECTED]>
  in ]
Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>

 drivers/char/vt.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/char/vt.c b/drivers/char/vt.c
--- a/drivers/char/vt.c
+++ b/drivers/char/vt.c
@@ -2433,7 +2433,7 @@ static int con_open(struct tty_struct *t
        int ret = 0;
-       if (tty->count == 1) {
+       if (tty->driver_data == NULL) {
                ret = vc_allocate(currcons);
                if (ret == 0) {
                        struct vc_data *vc = vc_cons[currcons].d;
