kernel-ark/drivers/char
Paul Mackerras f786648b89 [PATCH] Remove race between con_open and con_close
[ Same race and same patch also by Steven Rostedt <rostedt@goodmis.org> ]

I have a laptop (G3 powerbook) which will pretty reliably hit a race
between con_open and con_close late in the boot process and oops in
vt_ioctl due to tty->driver_data being NULL.

What happens is this: process A opens /dev/tty6; it comes into
con_open() (drivers/char/vt.c) and assigns a non-NULL value to
tty->driver_data.  Then process A closes that and concurrently process
B opens /dev/tty6.  Process A gets through con_close() and clears
tty->driver_data, since tty->count == 1.  However, before process A
can decrement tty->count, we switch to process B (e.g. at the
down(&tty_sem) call at drivers/char/tty_io.c line 1626).

So process B gets to run and comes into con_open with tty->count == 2,
as tty->count is incremented (in init_dev) before con_open is called.
Because tty->count != 1, we don't set tty->driver_data.  Then when the
process tries to do anything with that fd, it oopses.

The simple and effective fix for this is to test tty->driver_data
rather than tty->count in con_open.  The testing and setting of
tty->driver_data is serialized with respect to the clearing of
tty->driver_data in con_close by the console_sem.  We can't get a
situation where con_open sees tty->driver_data != NULL and then
con_close on a different fd clears tty->driver_data, because
tty->count is incremented before con_open is called.  Thus this patch
eliminates the race, and in fact with this patch my laptop doesn't
oops.

Signed-off-by: Paul Mackerras <paulus@samba.org>
[ Same patch
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
  in http://marc.theaimsgroup.com/?l=linux-kernel&m=112450820432121&w=2 ]
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-08-27 18:03:42 -07:00
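
The interleaving described in the commit message above, replayed deterministically in user space. This is an added example, not code from the kernel or from the patch. The names tty_model, vc_data_stub, con_close_model and replay_race are hypothetical, and console_sem is not modelled because the replay is single-threaded.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for the two tty fields the commit message discusses. */
struct tty_model {
    int count;          /* open count, bumped in init_dev before con_open */
    void *driver_data;  /* per-console data; NULL after con_close clears it */
};
static int vc_data_stub;  /* hypothetical placeholder for the console data */

/* Old check: initialise only when this looks like the first open. */
static void con_open_old(struct tty_model *tty)
{
    if (tty->count == 1)
        tty->driver_data = &vc_data_stub;
}

/* Patched check: initialise whenever driver_data is currently unset. */
static void con_open_new(struct tty_model *tty)
{
    if (tty->driver_data == NULL)
        tty->driver_data = &vc_data_stub;
}

/* con_close clears driver_data when it believes it is the last closer. */
static void con_close_model(struct tty_model *tty)
{
    if (tty->count == 1)
        tty->driver_data = NULL;
}

/* Replay the interleaving from the commit message; return 1 if process B
 * ends up holding a tty whose driver_data is NULL (the oops condition). */
static int replay_race(void (*con_open)(struct tty_model *))
{
    struct tty_model tty = { 0, NULL };
    tty.count++;            /* A: init_dev */
    con_open(&tty);         /* A: con_open sets driver_data */
    con_close_model(&tty);  /* A: con_close clears it, count still 1 */
    tty.count++;            /* B: init_dev runs before A's decrement */
    con_open(&tty);         /* B: con_open with count == 2 */
    tty.count--;            /* A: finally drops its reference */
    return tty.driver_data == NULL;
}

int main(void)
{
    printf("old check: B sees NULL driver_data = %d\n", replay_race(con_open_old));
    printf("new check: B sees NULL driver_data = %d\n", replay_race(con_open_new));
}
```
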
..
agp [PATCH] agp: restore APBASE after setting APSIZE 2005-07-29 15:01:15 -07:00
drm [PATCH] drm: via: fix sparse warnings 2005-07-27 16:25:54 -07:00
ftape [PATCH] printk: drivers/char/ftape/compressor/zftape-compress.c 2005-06-25 16:25:02 -07:00
ip2 [PATCH] drivers/char/ip2*: cleanups 2005-06-25 16:25:06 -07:00
ipmi [PATCH] clean up inline static vs static inline 2005-07-27 16:26:20 -07:00
mwave [PATCH] drivers/char/mwave/tp3780i.c: remove dead code 2005-06-25 16:25:05 -07:00
pcmcia [PATCH] pcmcia: remove references to pcmcia/version.h 2005-07-07 18:24:07 -07:00
rio [PATCH] turn many #if $undefined_string into #ifdef $undefined_string 2005-07-27 16:26:08 -07:00
tpm [PATCH] tpm_infineon: Support for new TPM 1.2 and PNPACPI 2005-08-05 12:22:37 -07:00
watchdog [PATCH] i8xx_tco.c: arm watchdog only when started 2005-08-09 12:08:21 -07:00
amiserial.c [PATCH] Serial: remove unnecessary register_serial/unregister_serial 2005-06-25 16:24:25 -07:00
applicom.c [PATCH] printk: drivers/char/applicom.c 2005-06-25 16:25:01 -07:00
applicom.h
cd1865.h
ChangeLog
consolemap.c
cp437.uni
cyclades.c
decserial.c
defkeymap.c_shipped
defkeymap.map
digi1.h
digi.h
digiFep1.h
digiPCI.h
ds1286.c
ds1302.c
ds1620.c [PATCH] char/ds1620: use msleep() instead of schedule_timeout() 2005-06-25 16:24:57 -07:00
dsp56k.c [PATCH] class: convert drivers/char/* to use the new class api instead of class_simple 2005-06-20 15:15:08 -07:00
dtlk.c
ec3104_keyb.c
efirtc.c
epca.c
epca.h
epcaconfig.h
esp.c
generic_nvram.c
generic_serial.c
genrtc.c
hangcheck-timer.c [PATCH] In hangcheck-timer.c call emergency_restart() 2005-07-26 14:35:44 -07:00
hpet.c [PATCH] hpet: do_div fix 2005-06-25 16:24:40 -07:00
hvc_console.c [PATCH] hvc_console: Register ops when setting up hvc_console 2005-07-07 18:23:39 -07:00
hvc_vio.c [PATCH] hvc_console: Separate the NUL character filtering from get_hvc_chars 2005-07-07 18:23:40 -07:00
hvcs.c [PATCH] Driver Core: drivers/base - drivers/i2c/chips/adm1026.c: update device attribute callbacks 2005-06-20 15:15:32 -07:00
hvsi.c [PATCH] hvc_console: Use hvc_get_chars in hvsi code 2005-07-07 18:23:40 -07:00
hw_random.c [PATCH] PCI: clean up dynamic pci id logic 2005-07-01 13:35:50 -07:00
i8k.c [PATCH] I8K: add new BIOS signatures 2005-06-25 16:24:25 -07:00
ip2.c
ip2main.c [PATCH] drivers/char/ip2*: cleanups 2005-06-25 16:25:06 -07:00
ip27-rtc.c
isicom.c [PATCH] drivers/char/isicom.c: section fixes 2005-06-25 16:25:00 -07:00
istallion.c [PATCH] drivers/char/istallion.c: remove an unneeded variable 2005-06-25 16:25:03 -07:00
ite_gpio.c
Kconfig [PATCH] Kconfig fix (sparc32 drivers/char dependencies) 2005-08-23 18:43:43 -07:00
keyboard.c Input: check keycodesize when adjusting keymaps 2005-07-24 00:50:03 -05:00
lcd.c
lcd.h
lp.c [PATCH] class: convert drivers/char/* to use the new class api instead of class_simple 2005-06-20 15:15:08 -07:00
Makefile [PATCH] hvc_console: Separate hvc_console and vio code 2 2005-07-07 18:23:39 -07:00
mbcs.c [PATCH] Driver Core: drivers/base - drivers/i2c/chips/adm1026.c: update device attribute callbacks 2005-06-20 15:15:32 -07:00
mbcs.h
mem.c Fix up mmap of /dev/kmem 2005-08-13 14:22:59 -07:00
misc.c [PATCH] ppc32: Remove CONFIG_PMAC_PBOOK 2005-06-27 15:11:43 -07:00
mmtimer.c
moxa.c [PATCH] pci: remove deprecates 2005-06-27 21:52:38 -07:00
mxser.c
mxser.h
n_hdlc.c [PATCH] Convert users to tty_unregister_ldisc() 2005-06-23 09:45:36 -07:00
n_r3964.c [PATCH] Convert users to tty_unregister_ldisc() 2005-06-23 09:45:36 -07:00
n_tty.c [PATCH] tty output lossage fix 2005-07-07 18:23:45 -07:00
nvram.c [PATCH] drivers/char/nvram.c: possible cleanups 2005-06-25 16:25:03 -07:00
nwbutton.c
nwbutton.h
nwflash.c
ppdev.c [PATCH] class: convert drivers/char/* to use the new class api instead of class_simple 2005-06-20 15:15:08 -07:00
pty.c
qtronix.c
qtronixmap.c_shipped
qtronixmap.map
random.c [PATCH] mostly_read data section 2005-07-07 18:23:46 -07:00
raw.c [PATCH] class: convert drivers/char/* to use the new class api instead of class_simple 2005-06-20 15:15:08 -07:00
riscom8_reg.h
riscom8.c
riscom8.h
rocket_int.h [PATCH] drivers/char/rocket.c: cleanups 2005-06-25 16:25:04 -07:00
rocket.c [PATCH] rocket.c: Fix ldisc ref count handling 2005-07-15 09:54:51 -07:00
rocket.h
rtc.c [PATCH] rtc: msleep() cannot be used from interrupt 2005-08-05 06:57:44 -07:00
s3c2410-rtc.c
scan_keyb.c
scan_keyb.h
scc.h
scx200_gpio.c
selection.c
ser_a2232.c
ser_a2232.h
ser_a2232fw.ax
ser_a2232fw.h
serial167.c
snsc_event.c
snsc.c [PATCH] Fix typo in scdrv_init() 2005-06-20 15:15:27 -07:00
snsc.h
sonypi.c Input: make name, phys and uniq be 'const char *' because once 2005-06-30 00:50:38 -05:00
specialix_io8.h
specialix.c
stallion.c [PATCH] class: convert drivers/char/* to use the new class api instead of class_simple 2005-06-20 15:15:08 -07:00
sx.c
sx.h
sxboards.h
sxwindow.h
synclink.c
synclinkmp.c
sysrq.c [PATCH] Update sysrq-B to use emergency_restart() 2005-07-26 14:35:43 -07:00
tb0219.c [PATCH] TB0219: add PCI IRQ initialization 2005-07-12 16:01:02 -07:00
tipar.c [PATCH] drivers/char/tipar.c: off by one array access 2005-06-28 21:20:29 -07:00
toshiba.c [PATCH] Toshiba driver cleanup 2005-06-25 16:24:24 -07:00
tty_io.c [PATCH] char/tty_io: replace schedule_timeout() with msleep_interruptible() 2005-06-25 16:24:58 -07:00
tty_ioctl.c [PATCH] coverity: tty_ldisc_ref return null check 2005-06-28 21:20:34 -07:00
vc_screen.c [PATCH] class: convert drivers/char/* to use the new class api instead of class_simple 2005-06-20 15:15:08 -07:00
viocons.c
viotape.c [PATCH] class: convert drivers/char/* to use the new class api instead of class_simple 2005-06-20 15:15:08 -07:00
vme_scc.c
vr41xx_giu.c [PATCH] mips: add vr41xx gpio support 2005-06-21 18:46:32 -07:00
vr41xx_rtc.c
vt_ioctl.c [PATCH] Adapt drivers/char/vt_ioctl.c to non-x86 2005-06-28 21:20:30 -07:00
vt.c [PATCH] Remove race between con_open and con_close 2005-08-27 18:03:42 -07:00