Re: [PATCH v1] tty: serial: 8250: Fix possible race in serial8250_em485_destroy()

From: Matwey V. Kornilov
Date: Thu Feb 11 2016 - 15:06:14 EST


I am sorry, please ignore it. There is no issue actually. The timer
handlers and rs485_config callbacks are protected by the same
spinlock, so they are never run in parallel.

2016-02-11 22:32 GMT+03:00 Matwey V. Kornilov <matwey@xxxxxxxxxx>:
> Fix possible race in serial8250_em485_destroy() when timer handlers can
> dereference p->em485 which is already destroyed but not yet NULLed.
>
> Signed-off-by: Matwey V. Kornilov <matwey@xxxxxxxxxx>
> ---
> I've found that Greg applied the initial patchset, so this erratum goes as a separate patch.
>
> drivers/tty/serial/8250/8250_port.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
> index c908b77..d962de2 100644
> --- a/drivers/tty/serial/8250/8250_port.c
> +++ b/drivers/tty/serial/8250/8250_port.c
> @@ -617,14 +617,16 @@ EXPORT_SYMBOL_GPL(serial8250_em485_init);
> */
> void serial8250_em485_destroy(struct uart_8250_port *p)
> {
> - if (p->em485 == NULL)
> + struct uart_8250_em485 *em485 = p->em485;
> +
> + if (!em485)
> return;
>
> - del_timer(&p->em485->start_tx_timer);
> - del_timer(&p->em485->stop_tx_timer);
> + del_timer(&em485->start_tx_timer);
> + del_timer(&em485->stop_tx_timer);
>
> - kfree(p->em485);
> p->em485 = NULL;
> + kfree(em485);
> }
> EXPORT_SYMBOL_GPL(serial8250_em485_destroy);
>
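Review bot: In serial8250_em485_destroy(), moving kfree(em485) after p->em485 = NULL does not by itself close the window the commit message describes. del_timer() only deactivates a pending timer and does not wait for a handler that is already running on another CPU, so a handler that has already read p->em485 would still touch the object after kfree(). Nothing in the hunk shows what serializes this function against the timer handlers. State the locking rule in the function's comment block (for example, that the caller holds the lock the timer handlers take), or assert it with lockdep_assert_held(), rather than relying on the order of these two statements.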
> --
> 2.7.0
>



--
With best regards,
Matwey V. Kornilov.
Sternberg Astronomical Institute, Lomonosov Moscow State University, Russia
119991, Moscow, Universitetsky pr-k 13, +7 (495) 9392382