[PATCH 01/12] tty: Fix ldisc leak in failed tty_init_dev()

From: Peter Hurley
Date: Fri Nov 27 2015 - 21:26:47 EST


release_tty() leaks the ldisc instance when called directly (rather
than when releasing the file descriptor from tty_release()).

Since tty_ldisc_release() clears tty->ldisc, releasing the ldisc
instance at tty teardown if tty->ldisc is non-null is not in danger
of double-releasing the ldisc.

Remove deinitialize_tty_struct() now that free_tty_struct() always
performs the tty_ldisc_deinit().

Signed-off-by: Peter Hurley <peter@xxxxxxxxxxxxxxxxxx>
---
drivers/tty/pty.c | 5 ++---
drivers/tty/tty_io.c | 20 +++-----------------
drivers/tty/tty_ldisc.c | 5 +++--
include/linux/tty.h | 1 -
4 files changed, 8 insertions(+), 23 deletions(-)

diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
index b311004..8cbe802 100644
--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
@@ -408,7 +408,7 @@ static int pty_common_install(struct tty_driver *driver, struct tty_struct *tty,
the easy way .. */
retval = tty_init_termios(tty);
if (retval)
- goto err_deinit_tty;
+ goto err_free_tty;

retval = tty_init_termios(o_tty);
if (retval)
@@ -447,8 +447,7 @@ static int pty_common_install(struct tty_driver *driver, struct tty_struct *tty,
err_free_termios:
if (legacy)
tty_free_termios(tty);
-err_deinit_tty:
- deinitialize_tty_struct(o_tty);
+err_free_tty:
free_tty_struct(o_tty);
err_put_module:
module_put(driver->other->owner);
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index eda8715..153b7b8 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -173,6 +173,7 @@ void free_tty_struct(struct tty_struct *tty)
{
if (!tty)
return;
+ tty_ldisc_deinit(tty);
put_device(tty->dev);
kfree(tty->write_buf);
tty->magic = 0xDEADDEAD;
@@ -1535,7 +1536,7 @@ struct tty_struct *tty_init_dev(struct tty_driver *driver, int idx)
tty_lock(tty);
retval = tty_driver_install_tty(driver, tty);
if (retval < 0)
- goto err_deinit_tty;
+ goto err_free_tty;

if (!tty->port)
tty->port = driver->ports[idx];
@@ -1557,9 +1558,8 @@ struct tty_struct *tty_init_dev(struct tty_driver *driver, int idx)
/* Return the tty locked so that it cannot vanish under the caller */
return tty;

-err_deinit_tty:
+err_free_tty:
tty_unlock(tty);
- deinitialize_tty_struct(tty);
free_tty_struct(tty);
err_module_put:
module_put(driver->owner);
@@ -3169,20 +3169,6 @@ struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx)
}

/**
- * deinitialize_tty_struct
- * @tty: tty to deinitialize
- *
- * This subroutine deinitializes a tty structure that has been newly
- * allocated but tty_release cannot be called on that yet.
- *
- * Locking: none - tty in question must not be exposed at this point
- */
-void deinitialize_tty_struct(struct tty_struct *tty)
-{
- tty_ldisc_deinit(tty);
-}
-
-/**
* tty_put_char - write one character to a tty
* @tty: tty
* @ch: character
diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c
index 3455908..9b3c11a 100644
--- a/drivers/tty/tty_ldisc.c
+++ b/drivers/tty/tty_ldisc.c
@@ -830,7 +830,7 @@ void tty_ldisc_init(struct tty_struct *tty)
}

/**
- * tty_ldisc_init - ldisc cleanup for new tty
+ * tty_ldisc_deinit - ldisc cleanup for new tty
* @tty: tty that was allocated recently
*
* The tty structure must not becompletely set up (tty_ldisc_setup) when
@@ -838,7 +838,8 @@ void tty_ldisc_init(struct tty_struct *tty)
*/
void tty_ldisc_deinit(struct tty_struct *tty)
{
- tty_ldisc_put(tty->ldisc);
+ if (tty->ldisc)
+ tty_ldisc_put(tty->ldisc);
tty->ldisc = NULL;
}

diff --git a/include/linux/tty.h b/include/linux/tty.h
index 8c8050d..9656c5d 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -510,7 +510,6 @@ extern int tty_alloc_file(struct file *file);
extern void tty_add_file(struct tty_struct *tty, struct file *file);
extern void tty_free_file(struct file *file);
extern void free_tty_struct(struct tty_struct *tty);
-extern void deinitialize_tty_struct(struct tty_struct *tty);
extern struct tty_struct *tty_init_dev(struct tty_driver *driver, int idx);
extern int tty_release(struct inode *inode, struct file *filp);
extern int tty_init_termios(struct tty_struct *tty);
--
2.6.3

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/