From: Paul Fulghum <paulkf@microgate.com>
To: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: [PATCH][RFC] ptmx fix duplicate idr_remove
Date: Tue, 04 Apr 2006 13:35:31 -0500
Message-ID: <1144175731.3485.18.camel@amdx2.microgate.com>

Remove duplicate call to idr_remove() in ptmx_open.

Error during open can result in call to release_dev()
followed by call to idr_remove(). release_dev already
calls idr_remove so the second call can cause a stack
dump in idr_remove()->sub_remove() flagging an attempt
to release an already released entry.

I reproduced this on a machine with a misconfigured
X server (attempting to restart multiple times rapidly)
getting the same error as the 1st link below.

This also seems to be related to:
http://marc.theaimsgroup.com/?l=selinux&m=110536513426735&w=2
http://marc.theaimsgroup.com/?l=selinux&m=110596994916785&w=2

The stack dump can occur on close (as well as open) as shown
in the 1st instance above, possibly from something like:
process A - open (index=0), open fail to out1,
  release_dev calls idr_remove (index 0), down(sem) sleeps
process B - open (index=0), open OK (idr allocated)
process A - wake and call idr_remove on index 0
...
process B - close, release_dev, stack dump on idr_remove (index=0)
  because entry already removed

Comments?

--- linux-2.6.16/drivers/char/tty_io.c	2006-03-19 23:53:29.000000000 -0600
+++ b/drivers/char/tty_io.c	2006-04-04 12:52:47.000000000 -0500
@@ -2188,6 +2188,7 @@ static int ptmx_open(struct inode * inod
 		return 0;
 out1:
 	release_dev(filp);
+	return retval;
 out:
 	down(&allocated_ptys_lock);
 	idr_remove(&allocated_ptys, index);
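
Review bot: The added `return retval;` after `release_dev(filp);` at `out1:` depends on release_dev() having already removed `index` from allocated_ptys, and nothing at that spot says so. A one-line comment above the return, stating that release_dev() has already done the idr_remove, would keep a later cleanup from restoring the fall-through into `out:`. The hunk does not show the `goto out1` sites, so the changelog should also confirm that every path reaching out1 has the index owned by the tty that release_dev() tears down. If this moves beyond RFC, the posting needs a Signed-off-by line.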
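
The interleaving described in the message, replayed sequentially as a small user-space C model. This is an added example, not code from the patch or the kernel. The bitmap and the names `model_alloc`, `model_remove`, `replay` and `b_index_seen` are assumptions standing in for the allocated_ptys idr and its callers.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PTYS 8

/* Stand-in for the allocated_ptys idr: 1 = index handed out. */
static unsigned char in_use[MAX_PTYS];
/* Index process B received in the last replay (hypothetical helper). */
static int b_index_seen = -1;

/* Model of the idr allocation in ptmx_open: lowest free index, -1 if full. */
static int model_alloc(void)
{
    for (int i = 0; i < MAX_PTYS; i++)
        if (!in_use[i]) { in_use[i] = 1; return i; }
    return -1;
}

/* Model of idr_remove(): 0 on success, -1 where the kernel would dump
 * the stack because the entry was already released. */
static int model_remove(int index)
{
    if (index < 0 || index >= MAX_PTYS || !in_use[index])
        return -1;
    in_use[index] = 0;
    return 0;
}

/* Replay the message's sequence. duplicate_remove = 1 models the code
 * before the patch (out1 falls through into out), 0 models it after.
 * Returns the result of process B's remove at close. */
static int replay(int duplicate_remove)
{
    memset(in_use, 0, sizeof(in_use));
    int a = model_alloc();       /* A: open, gets index 0 */
    model_remove(a);             /* A: open fails, release_dev removes it */
    int b = model_alloc();       /* B: open, the freed index is reused */
    b_index_seen = b;
    if (duplicate_remove)
        model_remove(a);         /* A: wakes, second remove hits B's entry */
    return model_remove(b);      /* B: close, release_dev removes its index */
}

int main(void)
{
    printf("before patch: B's remove -> %d\n", replay(1));
    printf("after patch:  B's remove -> %d\n", replay(0));
    return 0;
}
```

The failure surfaces in process B, which did nothing wrong: the stale index held by A is reused between A's two removes, so the duplicate release lands on B's live entry.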


