NULL dereference in tty_open()

From: Dan Carpenter
Date: Tue Oct 04 2011 - 16:05:51 EST

There is a NULL dereference here. It was artificially triggered so
not a huge priority.

1893 retval = tty_add_file(tty, filp);
1894 if (retval) {
1895 tty_unlock();
1896 tty_release(inode, filp);
1897 return retval;
1898 }

tty_add_file() is supposed to setup filp->private_data but the
allocation fails. In tty_release() we call file_tty(filp),
__tty_fasync() and tty_del_file() which dereference
filp->private_data and Oops.

I looked at ptmx_open() to see how the error handling was done there.
That function only calls tty_release() if tty_add_file() succeeds,
so maybe we could just call devpts_kill_index() here and remove the
tty_release()? I don't know the code well enough to say.

dan carpenter
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at