From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Pan Xinhui <xinhuix.pan@intel.com>,
Jiri Slaby <jslaby@suse.cz>
Subject: [PATCH 3.14 37/64] tty/n_gsm.c: fix a memory leak when gsmtty is removed
Date: Wed, 3 Jun 2015 20:43:05 +0900 [thread overview]
Message-ID: <20150603063930.031811725@linuxfoundation.org> (raw)
In-Reply-To: <20150603063928.472620468@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pan Xinhui <xinhuix.pan@intel.com>
commit 8f9cfeed3eae86c70d3b04445a6f2036b27b6304 upstream.
when gsmtty_remove put dlci, it will cause memory leak if dlci->port's refcount is zero.
So we do the cleanup work in .cleanup callback instead.
dlci will be last put in two call chains.
1) gsmld_close -> gsm_cleanup_mux -> gsm_dlci_release -> dlci_put
2) gsmld_remove -> dlci_put
so there is a race. the memory leak depends on the race.
In call chain 2. we hit the memory leak. below comment tells.
release_tty -> tty_driver_remove_tty -> gsmtty_remove -> dlci_put -> tty_port_destructor (WARN_ON(port->itty) and return directly)
|
tty->port->itty = NULL;
|
tty_kref_put ---> release_one_tty -> gsmtty_cleanup (added by our patch)
So our patch fix the memory leak by doing the cleanup work after tty core did.
Signed-off-by: Pan Xinhui <xinhuix.pan@intel.com>
Fixes: dfabf7ffa30585
Acked-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/n_gsm.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/tty/n_gsm.c
+++ b/drivers/tty/n_gsm.c
@@ -3166,7 +3166,7 @@ static int gsmtty_break_ctl(struct tty_s
return gsmtty_modem_update(dlci, encode);
}
-static void gsmtty_remove(struct tty_driver *driver, struct tty_struct *tty)
+static void gsmtty_cleanup(struct tty_struct *tty)
{
struct gsm_dlci *dlci = tty->driver_data;
struct gsm_mux *gsm = dlci->gsm;
@@ -3174,7 +3174,6 @@ static void gsmtty_remove(struct tty_dri
dlci_put(dlci);
dlci_put(gsm->dlci[0]);
mux_put(gsm);
- driver->ttys[tty->index] = NULL;
}
/* Virtual ttys for the demux */
@@ -3195,7 +3194,7 @@ static const struct tty_operations gsmtt
.tiocmget = gsmtty_tiocmget,
.tiocmset = gsmtty_tiocmset,
.break_ctl = gsmtty_break_ctl,
- .remove = gsmtty_remove,
+ .cleanup = gsmtty_cleanup,
};
next prev parent reply other threads:[~2015-06-03 13:04 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-03 11:42 [PATCH 3.14 00/64] 3.14.44-stable review Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 01/64] staging: wlags49_h2: fix extern inline functions Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 02/64] staging, rtl8192e, LLVMLinux: Change extern inline to static inline Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 03/64] staging: rtl8712, rtl8712: avoid lots of build warnings Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 04/64] staging, rtl8192e, LLVMLinux: Remove unused inline prototype Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 05/64] kernel: use the gnu89 standard explicitly Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 06/64] qla2xxx: remove redundant declaration in qla_gbl.h Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 07/64] KVM: MMU: fix CR4.SMEP=1, CR0.WP=0 with shadow pages Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 08/64] net: socket: Fix the wrong returns for recvmsg and sendmsg Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 09/64] fs, omfs: add NULL terminator in the end up the token list Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 10/64] xfs: xfs_iozero can return positive errno Greg Kroah-Hartman
2015-06-03 13:15 ` Luis Henriques
2015-06-03 13:15 ` Luis Henriques
2015-06-03 11:42 ` [PATCH 3.14 11/64] lguest: fix out-by-one error in address checking Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 12/64] libceph: request a new osdmap if lingering request maps to no osd Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 13/64] xen/events: dont bind non-percpu VIRQs with percpu chip Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 14/64] hwmon: (ntc_thermistor) Ensure iio channel is of type IIO_VOLTAGE Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 15/64] hwmon: (nct6775) Add missing sysfs attribute initialization Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 16/64] lib: Fix strnlen_user() to not touch memory after specified maximum Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 17/64] d_walk() might skip too much Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 18/64] ALSA: hda - Add Conexant codecs CX20721, CX20722, CX20723 and CX20724 Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 19/64] ALSA: hda - Add headphone quirk for Lifebook E752 Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 21/64] ASoC: mc13783: Fix wrong mask value used in mc13xxx_reg_rmw() calls Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 22/64] ASoC: uda1380: Avoid accessing i2c bus when codec is disabled Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 23/64] ASoC: wm8960: fix "RINPUT3" audio route error Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 24/64] ASoC: wm8994: correct BCLK DIV 348 to 384 Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 26/64] target/pscsi: Dont leak scsi_host if hba is VIRTUAL_HOST Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 27/64] xhci: fix isoc endpoint dequeue from advancing too far on transaction error Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 28/64] xhci: Solve full event ring by increasing TRBS_PER_SEGMENT to 256 Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 29/64] xhci: gracefully handle xhci_irq dead device Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 30/64] USB: visor: Match I330 phone more precisely Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 31/64] USB: pl2303: Remove support for Samsung I330 Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 32/64] USB: cp210x: add ID for KCF Technologies PRN device Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 33/64] usb-storage: Add NO_WP_DETECT quirk for Lacie 059f:0651 devices Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 34/64] usb: gadget: configfs: Fix interfaces array NULL-termination Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 35/64] powerpc: Align TOC to 256 bytes Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 36/64] mmc: atmel-mci: fix bad variable type for clkdiv Greg Kroah-Hartman
2015-06-03 11:43 ` Greg Kroah-Hartman [this message]
2015-06-03 11:43 ` [PATCH 3.14 38/64] ext4: fix NULL pointer dereference when journal restart fails Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 39/64] ext4: check for zero length extent explicitly Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 40/64] jbd2: fix r_count overflows leading to buffer overflow in journal recovery Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 41/64] libata: Add helper to determine when PHY events should be ignored Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 42/64] libata: Ignore spurious PHY event on LPM policy change Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 43/64] rt2x00: add new rt2800usb device DWA 130 Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 44/64] gpio: gpio-kempld: Fix get_direction return value Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 45/64] crypto: s390/ghash - Fix incorrect ghash icv buffer handling Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 46/64] mac80211: move WEP tailroom size check Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 48/64] ARM: fix missing syscall trace exit Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 49/64] tools/vm: fix page-flags build Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 50/64] mm, numa: really disable NUMA balancing by default on single node machines Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 51/64] svcrpc: fix potential GSSX_ACCEPT_SEC_CONTEXT decoding failures Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 52/64] thermal: step_wise: Revert optimization Greg Kroah-Hartman
2015-06-12 11:58 ` Luis Henriques
2015-06-12 11:58 ` Luis Henriques
2015-06-03 11:43 ` [PATCH 3.14 53/64] md/raid5: dont record new size if resize_stripes fails Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 54/64] md/raid0: fix restore to sector variable in raid0_make_request Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 55/64] rtlwifi: rtl8192cu: Fix kernel deadlock Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 56/64] Input: elantech - fix semi-mt protocol for v3 HW Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 57/64] storvsc: Set the SRB flags correctly when no data transfer is needed Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 58/64] sd: Disable support for 256 byte/sector disks Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 59/64] ACPI / init: Fix the ordering of acpi_reserve_resources() Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 60/64] drm/radeon: add new bonaire pci id Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 63/64] vfs: read file_handle only once in handle_to_path Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 64/64] fs/binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings Greg Kroah-Hartman
2015-06-03 16:52 ` [PATCH 3.14 00/64] 3.14.44-stable review Shuah Khan
2015-06-03 18:15 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150603063930.031811725@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jslaby@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=xinhuix.pan@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.