From: Jiri Olsa <jolsa@redhat.com>
To: Alan Cox <alan@linux.intel.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>,
	Kay Sievers <kay.sievers@vrfy.org>,
	Greg Kroah-Hartman <gregkh@suse.de>,
	Arnd Bergmann <arnd@arndb.de>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: BUG: NULL pointer deref in tty port / uart
Date: Wed, 18 May 2011 16:26:31 +0200
Message-ID: <20110518142631.GB2011@jolsa.brq.redhat.com>
In-Reply-To: <20110518004420.2b8f5da9@bob.linux.org.uk>

On Wed, May 18, 2011 at 12:44:20AM +0100, Alan Cox wrote:
> > 	echo 1 > /dev/ttyS4 # which blocks
> > 
> > And on another console:
> > 
> > 	cat /dev/ttyS4 # which blocks
> > 
> > Then Ctrl + C the echo in the first console. This produces the
> > following trace:
> 
> First cat is in tty_port_block_til_ready, second cat joins it there. ^C
> causes one to close, which wakes the second which goes around the loop
> again, tries to raise the carrier and explodes, it seems because
> someone trashed memory it is using.
> 
> Not quite sure why at this point
> 
> On the first exit of the open path port->count is 1 which is as we want
> it. Close takes it down to zero which triggers the port shutdown path
> which is as we want. We clean up port->tty and shut down the port.
> Seeing the second pending open we wake it which is when it goes kaboom
> 
> Nothing obvious strikes me from reading the code.

hi,

have the same issue.. looks like we should not NULL the port->tty
if there's blocked open, but not sure what's exactly the logic
behind "port's block_open and count" ..

attached patch fixes it for me

wbr,
jirka

---
 drivers/tty/serial/serial_core.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
index 733fe8e..86a40cb 100644
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -1346,7 +1346,9 @@ static void uart_close(struct tty_struct *tty, struct file *filp)
 
 	tty_ldisc_flush(tty);
 
-	tty_port_tty_set(port, NULL);
+	if (!tty_port_users(port))
+		tty_port_tty_set(port, NULL);
+
 	spin_lock_irqsave(&port->lock, flags);
 	tty->closing = 0;
 
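Review bot: the new `tty_port_users(port)` test in uart_close() runs before `spin_lock_irqsave(&port->lock, flags)`, so nothing visible in this hunk stops a blocked opener from arriving or leaving between the check and `tty_port_tty_set(port, NULL)`; please state what serializes the two, or do the test where that count cannot change. When users remain, port->tty is left pointing at the tty being closed here (`tty->closing = 0` follows), so a comment should say which path clears it once the last waiter goes away. The patch also arrives without a changelog or Signed-off-by, and the cover text says the intent of the block_open/count logic is unclear, which is worth settling before this is applied.
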
-- 
1.7.1
