There is a race in the console code between con_close and
con_flush_chars. n_tty_receive_buf writes to the tty queue and then
writes it out via con_flush_chars. The race arises in between the above
two operations; the console can close and thus zero tty->drive_data.
When con_flush_chars runs, it will dereference a null pointer.
The following fix, by Andrew Morton, merely checks if the tty still
exists because continuing. I am submitting the patch because the race
is uncovered often with a preemptive kernel. The fix is in the preempt
tree, but it should be pushed to mainline since it should affect SMP
too.
Linus and Alan, please apply.
diff -urN linux-2.4.13-ac5/drivers/char/console.c linux/drivers/char/console.c
--- linux-2.4.13-ac5/drivers/char/console.c Mon Oct 29 17:27:19 2001
+++ linux/drivers/char/console.c Mon Oct 29 17:28:24 2001
@@ -2387,9 +2387,15 @@
return;
pm_access(pm_con);
- acquire_console_sem();
- set_cursor(vt->vc_num);
- release_console_sem();
+ if (vt) {
+ /*
+ * If we raced with con_close(), `vt' may be null.
+ * Hence this bandaid. - akpm
+ */
+ acquire_console_sem();
+ set_cursor(vt->vc_num);
+ release_console_sem();
+ }
}
/*
Robert Love
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Wed Oct 31 2001 - 21:00:38 EST