Re: [PATCH] race condition with drivers/char/vt.c (bug in vt_ioctl.c)
From: Ingo Molnar
Date: Mon Aug 22 2005 - 17:36:36 EST
* Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:
> I googled a little and found where this may have already happened in
> the main line kernel:
>
> http://seclists.org/lists/linux-kernel/2005/Aug/1603.html
>
> So here's my proposal:
>
> Instead of checking for tty->count == 1 in con_open, which we see is
> not reliable. Just check for tty->driver_data == NULL.
>
> This should work since it should always be NULL when we need to assign
> it. If we switch the events of the race, so that the init_dev went
> first, the driver_data would not be NULL and would not need to be
> allocated, because after init_dev tty->count would be greater than 1
> (this is assuming the case that it is already allocated) and the
> con_close would not deallocate it. The tty_sem and console_sem and
> order of events protect the tty->driver_data but not the tty->count.
>
> Without the patch, I was able to get the system to BUG on bootup every
> other time. With the patch applied, I was able to bootup 6 out of 6
> times without a single crash.
cool fix. I'm wondering, there's a whole lot of other 'tty->count == 1'
checks in drivers/char/*.c, could some of those be racy too?
Ingo
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/