Re: [patch 0/3] Re: tty contention resulting from tty_open_by_device export

From: Dan Carpenter
Date: Tue Jul 18 2017 - 08:28:09 EST


On Tue, Jul 18, 2017 at 12:29:52PM +0100, Okash Khawaja wrote:
> +struct tty_struct *tty_kopen(dev_t device)
> +{
> + struct tty_struct *tty;
> + struct tty_driver *driver = NULL;
> + int index = -1;
> +
> + mutex_lock(&tty_mutex);
> + driver = tty_lookup_driver(device, NULL, &index);
> + if (IS_ERR(driver)) {
> + mutex_unlock(&tty_mutex);
> + return ERR_CAST(driver);
> + }
> +
> + /* check whether we're reopening an existing tty */
> + tty = tty_driver_lookup_tty(driver, NULL, index);
> + if (IS_ERR(tty))
> + goto out;
> +
> + if (tty) {
> + /* drop kref from tty_driver_lookup_tty() */
> + tty_kref_put(tty);
> + tty = ERR_PTR(-EBUSY);
> + } else { /* tty_init_dev returns tty with the tty_lock held */
> + tty = tty_init_dev(driver, index);
> + tty_port_set_kopened(tty->port, 1);
^^^^^^^^^

tty_init_dev() can fail leading to an error pointer dereference here.

> + }
> +out:
> + mutex_unlock(&tty_mutex);
> + tty_driver_kref_put(driver);
> + return tty;
> +}
> +EXPORT_SYMBOL_GPL(tty_kopen);
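Review bot: tty_kopen() is exported with EXPORT_SYMBOL_GPL but has no kerneldoc, and its contract is not obvious from the body: on the success path the tty is handed back with tty_lock held (as the inline comment on the tty_init_dev() branch notes) and with the port's kopened flag set, while any already-instantiated tty, whether opened by userspace or by another kernel caller, yields ERR_PTR(-EBUSY). A kerneldoc block above the definition should state all three points, name which release routine undoes the lock and the kopened flag (presumably a matching tty_kclose() elsewhere in this series; confirm), and list the error returns, e.g. `* Return: the tty_struct with tty_lock held and kopened set, or an ERR_PTR; -EBUSY if the tty already exists, else the error from tty_lookup_driver().` The initializers `driver = NULL` and `index = -1` are overwritten unconditionally by tty_lookup_driver() before any use and can be dropped.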

regards,
dan carpenter