tty: Fix possible race in n_tty_read()

Fix possible panic caused by unlocked access to tty->read_cnt in while-loop condition in n_tty_read(). Signed-off-by: Stanislav Kozina <skozina@redhat.com> Signed-off-by: Alan Cox <alan@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

tty: Fix possible race in n_tty_read()
Fix possible panic caused by unlocked access to tty->read_cnt in while-loop condition in n_tty_read(). Signed-off-by: Stanislav Kozina <skozina@redhat.com> Signed-off-by: Alan Cox <alan@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
00aaae03 · Stanislav Kozina · Greg Kroah-Hartman · 857196e2 · 00aaae03
Commit 00aaae03 authored Aug 09, 2012 by Stanislav Kozina Committed by Greg Kroah-Hartman Aug 10, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

drivers/tty/n_tty.c drivers/tty/n_tty.c +5 -1

No files found.
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -1838,13 +1838,13 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
 		if (tty->icanon && !L_EXTPROC(tty)) {
 			/* N.B. avoid overrun if nr == 0 */
+			spin_lock_irqsave(&tty->read_lock, flags);
 			while (nr && tty->read_cnt) {
 				int eol;
 				eol = test_and_clear_bit(tty->read_tail,
 						tty->read_flags);
 				c = tty->read_buf[tty->read_tail];
-				spin_lock_irqsave(&tty->read_lock, flags);
 				tty->read_tail = ((tty->read_tail+1) &
 						  (N_TTY_BUF_SIZE-1));
 				tty->read_cnt--;
@@ -1862,15 +1862,19 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
 					if (tty_put_user(tty, c, b++)) {
 						retval = -EFAULT;
 						b--;
+						spin_lock_irqsave(&tty->read_lock, flags);
 						break;
 					}
 					nr--;
 				}
 				if (eol) {
 					tty_audit_push(tty);
+					spin_lock_irqsave(&tty->read_lock, flags);
 					break;
 				}
+				spin_lock_irqsave(&tty->read_lock, flags);
 			}
+			spin_unlock_irqrestore(&tty->read_lock, flags);
 			if (retval)
 				break;
 		} else {