Patch "tty: Correct tty buffer flush." has been added to the 3.4-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    tty: Correct tty buffer flush.

to the 3.4-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tty-correct-tty-buffer-flush.patch
and it can be found in the queue-3.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 689901ce9cedd2d34a5404dda146d0604cbc2a5e Mon Sep 17 00:00:00 2001
From: Ilya Zykov <i...@ilyx.ru>
Date: Mon, 4 Mar 2013 23:19:41 +0400
Subject: tty: Correct tty buffer flush.

From: Ilya Zykov <i...@ilyx.ru>

commit 64325a3be08d364a62ee8f84b2cf86934bc2544a upstream.

  The root of problem is carelessly zeroing pointer(in function 
__tty_buffer_flush()),
when another thread can use it. It can be cause of "NULL pointer dereference".
  Main idea of the patch, this is never free last (struct tty_buffer) in the 
active buffer.
Only flush the data for ldisc(buf->head->read = buf->head->commit).
At that moment driver can collect(write) data in buffer without conflict.
It is repeat behavior of flush_to_ldisc(), only without feeding data to ldisc.

Signed-off-by: Ilya Zykov <i...@ilyx.ru>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
Cc: Rui Xiang <rui.xi...@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
 drivers/tty/tty_buffer.c |   11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/drivers/tty/tty_buffer.c
+++ b/drivers/tty/tty_buffer.c
@@ -114,11 +114,14 @@ static void __tty_buffer_flush(struct tt
 {
        struct tty_buffer *thead;
 
-       while ((thead = tty->buf.head) != NULL) {
-               tty->buf.head = thead->next;
-               tty_buffer_free(tty, thead);
+       if (tty->buf.head == NULL)
+               return;
+       while ((thead = tty->buf.head->next) != NULL) {
+               tty_buffer_free(tty, tty->buf.head);
+               tty->buf.head = thead;
        }
-       tty->buf.tail = NULL;
+       WARN_ON(tty->buf.head != tty->buf.tail);
+       tty->buf.head->read = tty->buf.head->commit;
 }
 
 /**


Patches currently in stable-queue which might be from i...@ilyx.ru are

queue-3.4/tty-correct-tty-buffer-flush.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html