[PATCH 4.9 133/137] serial: fix race between flush_to_ldisc and tty_open

From: Greg Kroah-Hartman
Date: Mon Feb 11 2019 - 10:10:49 EST

4.9-stable review patch. If anyone has any objections, please let me know.


From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

commit fedb5760648a291e949f2380d383b5b2d2749b5e upstream.

There still is a race window after commit b027e2298bd588
("tty: fix data race between tty_init_dev and flush of buf"),
and we encountered this crash issue if a receive_buf call comes
before tty initialization completes in tty_open and
tty->driver_data may be NULL.

---- ----
/*tty->driver_data is NULL*/
/*init tty->driver_data*/

It can be fixed by extending the ldisc semaphore lock in tty_init_dev
until driver_data is initialized completely after tty->ops->open(), but
this would lead to taking the lock in one function and unlocking it in
some other function, which is hard to maintain, so fix this race only by
checking tty->driver_data when receiving, and return if tty->driver_data
is NULL; n_tty_receive_buf_common may also call uart_unthrottle,
so add the same check there.

Because the tty layer knows nothing about the driver associated with the
device, the tty layer can not do anything here, it is up to the tty
driver itself to check for this type of race. Fix up the serial driver
to correctly check to see if it is finished binding with the device when
being called, and if not, abort the tty calls.

[Description and problem report and testing from Li RongQing, I rewrote
the patch to be in the serial layer, not in the tty core - gregkh]

Reported-by: Li RongQing <lirongqing@xxxxxxxxx>
Tested-by: Li RongQing <lirongqing@xxxxxxxxx>
Signed-off-by: Wang Li <wangli39@xxxxxxxxx>
Signed-off-by: Zhang Yu <zhangyu31@xxxxxxxxx>
Signed-off-by: Li RongQing <lirongqing@xxxxxxxxx>
Cc: stable <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

drivers/tty/serial/serial_core.c | 6 ++++++
1 file changed, 6 insertions(+)

--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -141,6 +141,9 @@ static void uart_start(struct tty_struct
struct uart_port *port;
unsigned long flags;

+ if (!state)
+ return;
port = uart_port_lock(state, flags);
uart_port_unlock(port, flags);
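Review bot: the new `if (!state) return;` at the top of uart_start() carries no comment saying why tty->driver_data can be NULL at this point, so a later reader of serial_core.c will see a check that looks redundant against the rest of the function and may remove it. Suggest a one-line comment above the check, along the lines of `/* tty->driver_data is NULL until tty->ops->open() completes (tty_open vs flush_to_ldisc race) */`. It is also worth spelling out in that comment that this is an unlocked read of a pointer tty_open sets concurrently, so it narrows the window rather than closing it; that matches the "check rather than lock" approach the commit message argues for, but nobody should expect stronger ordering guarantees from it.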
@@ -717,6 +720,9 @@ static void uart_unthrottle(struct tty_s
struct uart_port *port;
upstat_t mask = 0;

+ if (!state)
+ return;
port = uart_port_ref(state);
if (!port)
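Review bot: the commit message names only uart_unthrottle as reachable from n_tty_receive_buf_common before tty->ops->open() has run, and this hunk guards just that entry point; please confirm whether any other uart tty operation the line discipline can call on the receive path needs the same `if (!state) return;` guard, and either add it in this patch or say in the message why uart_start() and uart_unthrottle() are the only two. As in the uart_start() hunk, a short comment above the check explaining the tty_open race would keep the guard from being mistaken for dead code, and the early return placed before `uart_port_ref(state)` is the right spot since that call would otherwise dereference the NULL state.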