From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751470AbdGRM2F (ORCPT <rfc822;w@1wt.eu>);
        Tue, 18 Jul 2017 08:28:05 -0400
Received: from aserp1040.oracle.com ([141.146.126.69]:29299 "EHLO
        aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751358AbdGRM2D (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 18 Jul 2017 08:28:03 -0400
Date: Tue, 18 Jul 2017 15:26:37 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Okash Khawaja <okash.khawaja@gmail.com>
Cc: Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
        "devel@driverdev.osuosl.org" <devel@driverdev.osuosl.org>,
        Kirk Reiser <kirk@reisers.ca>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        "speakup@linux-speakup.org" <speakup@linux-speakup.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        Jiri Slaby <jslaby@suse.com>,
        Samuel Thibault <samuel.thibault@ens-lyon.org>,
        Chris Brannon <chris@the-brannons.com>
Subject: Re: [patch 0/3] Re: tty contention resulting from tty_open_by_device
 export
Message-ID: <20170718122637.l5v3re2gcjbxkzeq@mwanda>
References: <20170708083803.GA23080@kroah.com>
 <20170709114153.157783481@gmail.com>
 <20170710125233.2006733e@alans-desktop>
 <20170710123307.GA777@sanghar>
 <20170712192028.70bc0d54@alans-desktop>
 <20170713112954.GA665@sanghar>
 <20170717123145.GE24503@kroah.com>
 <3E107A3D-D8E2-43E5-8DCB-F9DE2F5AAAEA@gmail.com>
 <20170717230438.5c3bd397@alans-desktop>
 <20170718112952.GA564@sanghar>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20170718112952.GA564@sanghar>
User-Agent: NeoMutt/20170113 (1.7.2)
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 18, 2017 at 12:29:52PM +0100, Okash Khawaja wrote:
> +struct tty_struct *tty_kopen(dev_t device)
> +{
> +       struct tty_struct *tty;
> +       struct tty_driver *driver = NULL;
> +       int index = -1;
> +
> +       mutex_lock(&tty_mutex);
> +       driver = tty_lookup_driver(device, NULL, &index);
> +       if (IS_ERR(driver)) {
> +               mutex_unlock(&tty_mutex);
> +               return ERR_CAST(driver);
> +       }
> +
> +       /* check whether we're reopening an existing tty */
> +       tty = tty_driver_lookup_tty(driver, NULL, index);
> +       if (IS_ERR(tty))
> +               goto out;
> +
> +       if (tty) {
> +               /* drop kref from tty_driver_lookup_tty() */
> +               tty_kref_put(tty);
> +               tty = ERR_PTR(-EBUSY);
> +       } else { /* tty_init_dev returns tty with the tty_lock held */
> +               tty = tty_init_dev(driver, index);
> +               tty_port_set_kopened(tty->port, 1);
                                       ^^^^^^^^^

tty_init_dev() can fail leading to an error pointer dereference here.

> +       }
> +out:
> +       mutex_unlock(&tty_mutex);
> +       tty_driver_kref_put(driver);
> +       return tty;
> +}
> +EXPORT_SYMBOL_GPL(tty_kopen);

regards,
dan carpenter