From: Stanislav Kozina Date: Thu, 9 Aug 2012 13:48:58 +0000 (+0100) Subject: tty: Fix possible race in n_tty_read() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=00aaae033e323af33740e7012a8ba4b0fa6dce20;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git tty: Fix possible race in n_tty_read() Fix possible panic caused by unlocked access to tty->read_cnt in while-loop condition in n_tty_read(). Signed-off-by: Stanislav Kozina Signed-off-by: Alan Cox Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c index 101790cea4ae..20de673a7730 100644 --- a/drivers/tty/n_tty.c +++ b/drivers/tty/n_tty.c @@ -1838,13 +1838,13 @@ do_it_again: if (tty->icanon && !L_EXTPROC(tty)) { /* N.B. avoid overrun if nr == 0 */ + spin_lock_irqsave(&tty->read_lock, flags); while (nr && tty->read_cnt) { int eol; eol = test_and_clear_bit(tty->read_tail, tty->read_flags); c = tty->read_buf[tty->read_tail]; - spin_lock_irqsave(&tty->read_lock, flags); tty->read_tail = ((tty->read_tail+1) & (N_TTY_BUF_SIZE-1)); tty->read_cnt--; @@ -1862,15 +1862,19 @@ do_it_again: if (tty_put_user(tty, c, b++)) { retval = -EFAULT; b--; + spin_lock_irqsave(&tty->read_lock, flags); break; } nr--; } if (eol) { tty_audit_push(tty); + spin_lock_irqsave(&tty->read_lock, flags); break; } + spin_lock_irqsave(&tty->read_lock, flags); } + spin_unlock_irqrestore(&tty->read_lock, flags); if (retval) break; } else {