VT ioctl race fix
authorSamuel Ortiz <sameo@openedhand.com>
Mon, 1 Oct 2007 08:20:12 +0000 (01:20 -0700)
committerLinus Torvalds <torvalds@woody.linux-foundation.org>
Mon, 1 Oct 2007 14:52:23 +0000 (07:52 -0700)
When calling the RELDISP VT ioctl, we are reading vt_newvt while the
console workqueue could be messing with it (through change_console()).  We
fix this race by taking the console semaphore before reading vt_newvt.

Signed-off-by: Samuel Ortiz <sameo@openedhand.com>
Acked-by: Antonino Daplas <adaplas@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers/char/vt_ioctl.c

index 045e6888d15baf60f421251f6ef6c881ec0996a5..c799b7f7bbb35d4cba1dd4643a61677d05cd5836 100644 (file)
@@ -770,6 +770,7 @@ int vt_ioctl(struct tty_struct *tty, struct file * file,
                /*
                 * Switching-from response
                 */
+               acquire_console_sem();
                if (vc->vt_newvt >= 0) {
                        if (arg == 0)
                                /*
@@ -784,7 +785,6 @@ int vt_ioctl(struct tty_struct *tty, struct file * file,
                                 * complete the switch.
                                 */
                                int newvt;
-                               acquire_console_sem();
                                newvt = vc->vt_newvt;
                                vc->vt_newvt = -1;
                                i = vc_allocate(newvt);
@@ -798,7 +798,6 @@ int vt_ioctl(struct tty_struct *tty, struct file * file,
                                 * other console switches..
                                 */
                                complete_change_console(vc_cons[newvt].d);
-                               release_console_sem();
                        }
                }
 
@@ -810,9 +809,12 @@ int vt_ioctl(struct tty_struct *tty, struct file * file,
                        /*
                         * If it's just an ACK, ignore it
                         */
-                       if (arg != VT_ACKACQ)
+                       if (arg != VT_ACKACQ) {
+                               release_console_sem();
                                return -EINVAL;
+                       }
                }
+               release_console_sem();
 
                return 0;