From: Russell King <rmk+lkml@arm.linux.org.uk>
To: Greg KH <gregkh@suse.de>
Cc: Luiz Fernando Capitulino <lcapitulino@mandriva.com.br>,
	linux-kernel@vger.kernel.org,
	linux-usb-devel@lists.sourceforge.net
Subject: Re: [PATCH] - Fixes NULL pointer deference in usb-serial driver.
Date: Wed, 16 Nov 2005 17:54:09 +0000
Message-ID: <20051116175409.GA30894@flint.arm.linux.org.uk>
In-Reply-To: <20051116172416.GA6310@suse.de>

On Wed, Nov 16, 2005 at 09:24:16AM -0800, Greg KH wrote:
> On Wed, Nov 16, 2005 at 03:16:34PM -0200, Luiz Fernando Capitulino wrote:
> > 1. Process A calls open() and tcgetattr(). When it calls close(), the specific
> > driver function puts it to sleep at usb_serial.c:242 (I'm using pl2303 driver)
> > 
> > 2. Process B calls open() and before the call to tcgetattr() it is put to
> > sleep.
> > 
> > 3. Process A wakes up and finishes the close procedure (which resets
> > 'port->tty->driver_data')
> > 
> > 4. Process B wakes up, executes serial_ioctl() and gets a NULL pointer in
> > 'port->tty->driver_data'.
> 
> Ugh, the tty core should really protect us from stuff like this,
> unfortunately, there is no locking there, yet.  People are working on
> it...

No.  It is quite correct to have an overlapping open and close with
TTYs.  In fact, it's something which is rather fundamental to TTYs.

Consider: you have a modem connected to a serial line.  You want to
use it for both callin and dial out.

Your box runs a getty on the line.  The getty opens the port in non-
blocking mode, configures it, closes it and then re-opens it in blocking
mode.  The open call waits for the DCD line to become active.

Meanwhile, you want to use the modem to call out, so you open the port
in non-blocking mode.  This succeeds, and you eventually finish using
the port.  You close it.  This triggers a hang up in the usual way and
_then_ causes the first open call to return an EAGAIN error.

Hint: there's a VERY good reason the serial_core layer exists and
it's to get these kinds of semantics (and bugs) centralised in one
place rather than spread across thousands of drivers.

-- 
Russell King
 Linux kernel    2.6 ARM Linux   - http://www.arm.linux.org.uk/
 maintainer of:  2.6 Serial core
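
The four-step interleaving quoted at the top of this message, replayed in a fixed order as a user-space C model. This is an added example, not code from the thread or the kernel; the struct and function names, the -ENODEV return and the RESET_ON_LAST_CLOSE policy are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel structures; all names are hypothetical. */
struct model_port { int open_count; int line; };
struct model_tty  { void *driver_data; };
enum close_policy { RESET_ALWAYS, RESET_ON_LAST_CLOSE };

static void model_open(struct model_tty *tty, struct model_port *port)
{
    port->open_count++;
    tty->driver_data = port;
}

static void model_close(struct model_tty *tty, struct model_port *port,
                        enum close_policy policy)
{
    port->open_count--;
    /* RESET_ALWAYS models step 3; the other policy keeps the pointer
     * while another opener still holds the port (assumed alternative). */
    if (policy == RESET_ALWAYS || port->open_count == 0)
        tty->driver_data = NULL;
}

/* ioctl path that checks the pointer instead of dereferencing it blindly. */
static int model_ioctl(struct model_tty *tty)
{
    struct model_port *port = tty->driver_data;
    if (port == NULL)
        return -ENODEV;
    return port->line;
}

/* Replays steps 1-4 in a fixed order; returns what process B's ioctl sees. */
static int replay(enum close_policy policy)
{
    struct model_port port = { 0, 3 };   /* constructed sample: line 3 */
    struct model_tty tty = { NULL };

    model_open(&tty, &port);             /* step 1: A opens */
    model_open(&tty, &port);             /* step 2: B opens, then sleeps */
    model_close(&tty, &port, policy);    /* step 3: A finishes close */
    return model_ioctl(&tty);            /* step 4: B wakes, calls ioctl */
}

int main(void)
{
    printf("reset always: %d\n", replay(RESET_ALWAYS));
    printf("reset on last close: %d\n", replay(RESET_ON_LAST_CLOSE));
    return 0;
}
```

With RESET_ALWAYS the port still has one opener when the pointer is cleared, which is the state process B's ioctl runs into in step 4.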
