From: Dan Carpenter <dan.carpenter@oracle.com>
To: linux-kernel@vger.kernel.org
Subject: NULL dereference in tty_open()
Date: Tue, 4 Oct 2011 23:05:45 +0300
Message-ID: <20111004200544.GA21192@elgon.mountain>

There is a NULL dereference here.  It was artificially triggered so
not a huge priority.

drivers/tty/tty_io.c
  1893          retval = tty_add_file(tty, filp);
  1894          if (retval) {
  1895                  tty_unlock();
  1896                  tty_release(inode, filp);
  1897                  return retval;
  1898          }

tty_add_file() is supposed to set up filp->private_data but the
allocation fails.  In tty_release() we call file_tty(filp),
__tty_fasync() and tty_del_file() which dereference
filp->private_data and Oops.

I looked at ptmx_open() to see how the error handling was done there.
That function only calls tty_release() if tty_add_file() succeeds,
so maybe we could just call devpts_kill_index() here and remove the
tty_release()?  I don't know the code well enough to say.

regards,
dan carpenter
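
The error path reported above, as a userspace model added to this page (not kernel code and not part of the original message). Every name in it is a hypothetical stand-in: release() returns 1 at the point where real code would dereference the NULL private_data, and open_fixed() shows one hardened shape, allocating before anything is attached so the failure path has nothing to release.

```c
/* Userspace model of the reported error path; hypothetical names, not kernel code. */
#include <stdlib.h>

struct priv { int tty_index; };
struct file { struct priv *private_data; };

static int fail_alloc;              /* constructed fault-injection switch */

static struct priv *priv_alloc(void)
{
	return fail_alloc ? NULL : calloc(1, sizeof(struct priv));
}

/* Like the reported tty_add_file(): on failure private_data stays NULL. */
static int add_file(struct file *filp, struct priv *pre)
{
	struct priv *p = pre ? pre : priv_alloc();
	if (!p)
		return -12;         /* -ENOMEM */
	filp->private_data = p;
	return 0;
}

/* Release path that assumes private_data is valid. Returns 1 where real
 * code would dereference NULL, so the model reports instead of crashing. */
static int release(struct file *filp)
{
	if (!filp->private_data)
		return 1;
	free(filp->private_data);
	filp->private_data = NULL;
	return 0;
}

/* Reported shape: full release on the add_file() failure path. */
int open_buggy(struct file *filp, int *null_deref)
{
	int ret = add_file(filp, NULL);
	*null_deref = ret ? release(filp) : 0;
	return ret;
}

/* Hardened shape: allocate first; a failure leaves nothing to release. */
int open_fixed(struct file *filp, int *null_deref)
{
	struct priv *p = priv_alloc();
	*null_deref = 0;
	return p ? add_file(filp, p) : -12;
}
```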

Thread overview: 11+ messages
2011-10-04 20:05 Dan Carpenter [this message]
2011-10-05 14:22 ` NULL dereference in tty_open() [and other bugs there] Jiri Slaby
2011-10-12 9:32 ` [PATCH 1/4] TTY: drop driver reference in tty_open fail path Jiri Slaby
2011-10-12 9:32 ` [PATCH 2/4] TTY: make tty_add_file non-failing Jiri Slaby
2011-10-12 9:32 ` [PATCH 3/4] TTY: pty, release tty in all ptmx_open fail paths Jiri Slaby
2011-10-12 13:23 ` Arnd Bergmann
2011-10-12 9:32 ` [PATCH 4/4] TTY: call tty_driver_lookup_tty unconditionally Jiri Slaby
2011-10-12 20:59 ` Jiri Slaby
2011-10-16 19:20 ` Sukadev Bhattiprolu
2011-10-16 19:37 ` Jiri Slaby
2011-10-16 18:28 ` [PATCH 1/4] TTY: drop driver reference in tty_open fail path Sukadev Bhattiprolu