Fix possible panic caused by unlocked access to tty->read_cnt in
while-loop condition in n_tty_read().
Signed-off-by: Stanislav Kozina <skozina@xxxxxxxxxx>
---
drivers/tty/n_tty.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
v1->v2: Add spin_unlock_irqrestore() call after the while loop
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index ee1c268..df21f39 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -1832,13 +1832,13 @@ do_it_again:
if (tty->icanon && !L_EXTPROC(tty)) {
/* N.B. avoid overrun if nr == 0 */
+ spin_lock_irqsave(&tty->read_lock, flags);
while (nr && tty->read_cnt) {
int eol;
eol = test_and_clear_bit(tty->read_tail,
tty->read_flags);
c = tty->read_buf[tty->read_tail];
- spin_lock_irqsave(&tty->read_lock, flags);
tty->read_tail = ((tty->read_tail+1) &
(N_TTY_BUF_SIZE-1));
tty->read_cnt--;
@@ -1856,15 +1856,19 @@ do_it_again:
if (tty_put_user(tty, c, b++)) {
retval = -EFAULT;
b--;
+ spin_lock_irqsave(&tty->read_lock, flags);
break;
}
nr--;
}
if (eol) {
tty_audit_push(tty);
+ spin_lock_irqsave(&tty->read_lock, flags);
break;
}
+ spin_lock_irqsave(&tty->read_lock, flags);
}
+ spin_unlock_irqrestore(&tty->read_lock, flags);
if (retval)
break;
} else {
--
1.7.1
--
To unsubscribe from this list: send the line "unsubscribe linux-serial" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
