Re: [PATCH] race condition with drivers/char/vt.c (bug in vt_ioctl.c)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



* Steven Rostedt <[email protected]> wrote:

> I googled a little and found where this may have already happened in 
> the main line kernel:
> 
> http://seclists.org/lists/linux-kernel/2005/Aug/1603.html
> 
> So here's my proposal: 
> 
>   Instead of checking for tty->count == 1 in con_open, which we see is
> not reliable.  Just check for tty->driver_data == NULL.
> 
> This should work since it should always be NULL when we need to assign 
> it.  If we switch the events of the race, so that the init_dev went 
> first, the driver_data would not be NULL and would not need to be 
> allocated, because after init_dev tty->count would be greater than 1 
> (this is assuming the case that it is already allocated) and the 
> con_close would not deallocate it.  The tty_sem and console_sem and 
> order of events protect the tty->driver_data but not the tty->count.
> 
> Without the patch, I was able to get the system to BUG on bootup every 
> other time.  With the patch applied, I was able to bootup 6 out of 6 
> times without a single crash.

cool fix. I'm wondering, there's a whole lot of other 'tty->count == 1' 
checks in drivers/char/*.c, could some of those be racy too?

	Ingo
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]
  Powered by Linux