NULL dereference in tty_open()

From: Dan Carpenter
Date: Tue Oct 04 2011 - 16:05:51 EST


There is a NULL dereference here. It was artificially triggered so
not a huge priority.

drivers/tty/tty_io.c

    retval = tty_add_file(tty, filp);
    if (retval) {
        tty_unlock();
        tty_release(inode, filp);
        return retval;
    }

tty_add_file() is supposed to set up filp->private_data but the
allocation fails. In tty_release() we call file_tty(),
__tty_fasync() and tty_del_file() which dereference
filp->private_data and Oops.

I looked at ptmx_open() to see how the error handling was done there.
That function only calls tty_release() if tty_add_file() succeeds,
so maybe we could just call devpts_kill_index() here and remove the
tty_release()? I don't know the code well enough to say.

regards,
dan carpenter
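As an added example that is not part of Dan's mail or of the kernel source: a small userspace C model of the error-path ordering described above. The names model_tty_init, model_tty_add_file, model_tty_release, model_kill_index, open_as_reported, open_like_ptmx, open_with_failed_alloc, index_in_use and oops_count are stand-ins invented for this example; the real tty_open(), ptmx_open() and tty_release() live in drivers/tty/tty_io.c and differ in detail. The kernel Oops is simulated by incrementing oops_count instead of dereferencing NULL, and the allocation failure inside the add_file step is injected on demand, so the reported ordering and the ptmx_open()-style ordering Dan points to can be run side by side.

```c
/* Added example, not code from Dan's mail or from the kernel: a userspace
 * model of the tty_open() error path described above. struct file,
 * struct tty_struct, the model_* functions and the index table are invented
 * stand-ins for drivers/tty/tty_io.c; the Oops is modelled by a counter. */
#include <errno.h>
#include <stdlib.h>

struct file { void *private_data; };
struct tty_struct { int index; };
struct tty_file_private { struct tty_struct *tty; };

static int index_in_use[4];       /* stand-in for the devpts index table */
static int inject_alloc_failure;  /* fault injection: next add_file fails */
int oops_count;                   /* stand-in for a kernel Oops */

static struct tty_struct *model_tty_init(int idx)
{
    struct tty_struct *tty = calloc(1, sizeof(*tty));
    if (!tty) return NULL;
    tty->index = idx;
    index_in_use[idx] = 1;
    return tty;
}

/* Analogue of devpts_kill_index() plus freeing the tty; never touches filp. */
static void model_kill_index(struct tty_struct *tty)
{
    index_in_use[tty->index] = 0;
    free(tty);
}

/* Sets up filp->private_data; on allocation failure it stays NULL. */
static int model_tty_add_file(struct tty_struct *tty, struct file *filp)
{
    struct tty_file_private *priv;
    if (inject_alloc_failure) {
        inject_alloc_failure = 0;
        return -ENOMEM;
    }
    priv = malloc(sizeof(*priv));
    if (!priv) return -ENOMEM;
    priv->tty = tty;
    filp->private_data = priv;
    return 0;
}

/* Reads private_data unconditionally, as the report says tty_release() does. */
static int model_tty_release(struct file *filp)
{
    struct tty_file_private *priv = filp->private_data;
    struct tty_struct *tty;
    if (!priv) {               /* the kernel dereferences NULL right here */
        oops_count++;
        return -EFAULT;
    }
    tty = priv->tty;
    filp->private_data = NULL;
    free(priv);
    model_kill_index(tty);
    return 0;
}

/* Mirrors the quoted tty_open() hunk: release runs even though add_file failed. */
int open_as_reported(struct file *filp, int idx)
{
    struct tty_struct *tty = model_tty_init(idx);
    int retval;
    if (!tty) return -ENOMEM;
    retval = model_tty_add_file(tty, filp);
    if (retval) {
        model_tty_release(filp);  /* bug: cleanup for state never set up */
        return retval;
    }
    return 0;
}

/* Mirrors ptmx_open(): on add_file failure undo only the tty/index, skip release. */
int open_like_ptmx(struct file *filp, int idx)
{
    struct tty_struct *tty = model_tty_init(idx);
    int retval;
    if (!tty) return -ENOMEM;
    retval = model_tty_add_file(tty, filp);
    if (retval) {
        model_kill_index(tty);
        return retval;
    }
    return 0;
}

int open_with_failed_alloc(int (*open_fn)(struct file *, int), int idx)
{
    struct file f = { NULL };
    inject_alloc_failure = 1;
    return open_fn(&f, idx);
}

int index_busy(int idx) { return index_in_use[idx]; }
```

Run with the failure injected, the first variant trips the simulated Oops and, because the modelled release bailed out before reaching the index cleanup, leaves the index marked busy; the second returns the index and never enters release with an unset private_data. Whether the real fix should look like the second variant is the open question in the mail; the model only shows why the current ordering cannot work.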