From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Max Staudt <max@enpas.org>
Cc: Jiri Slaby <jirislaby@kernel.org>,
linux-serial@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1] tty: Register device *after* creating the cdev for a tty
Date: Wed, 28 May 2025 10:23:39 +0200 [thread overview]
Message-ID: <2025052801-human-aversion-3518@gregkh> (raw)
In-Reply-To: <20250526112523.23122-1-max@enpas.org>
On Mon, May 26, 2025 at 08:25:23PM +0900, Max Staudt wrote:
> This change makes the tty device file available only after the tty's
> backing character device is ready.
>
> Since 6a7e6f78c235975cc14d4e141fa088afffe7062c, the class device is
> registered before the cdev is created, and userspace may pick it up,
> yet open() will fail because the backing cdev doesn't exist yet.
> Userspace is racing the bottom half of tty_register_device_attr() here,
> specifically the call to tty_cdev_add().
>
> dev_set_uevent_suppress() was used to work around this, but this fails
> on embedded systems that rely on bare devtmpfs rather than udev.
> On such systems, the device file is created as part of device_add(),
> and userspace can pick it up via inotify, irrespective of uevent
> suppression.
>
> So let's undo the existing patch, and create the cdev first, and only
> afterwards register the class device in the kernel's device tree.
>
> However, this restores the original race of the cdev existing before the
> class device is registered, and an attempt to open it during this time
> will lead to tty->dev being assigned NULL by alloc_tty_struct().
>
> alloc_tty_struct() is called via tty_init_dev() when the tty is firstly
> opened, and is entered with tty_mutex held, so let's lock the critical
> section in tty_register_device_attr() with the same global mutex.
> This guarantees that tty->dev can be assigned a sane value.
As 0-day points out, I think this adds a new locking issue :(
But it's really hard to detect this, as you are doing both a revert and
a change in the same commit. Can you make this as 2 patches, one that
does the revert which would be "easy" to review, and the second one that
does the new fix? That way we can detect what is going on easier.
> Fixes: 6a7e6f78c235 ("tty: close race between device register and open")
> Signed-off-by: Max Staudt <max@enpas.org>
You also forgot to add cc: stable on this :(
thanks,
greg k-h
next prev parent reply other threads:[~2025-05-28 8:25 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-26 11:25 [PATCH v1] tty: Register device *after* creating the cdev for a tty Max Staudt
2025-05-28 7:06 ` kernel test robot
2025-05-28 8:23 ` Greg Kroah-Hartman [this message]
2025-05-28 13:31 ` Max
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2025052801-human-aversion-3518@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=jirislaby@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-serial@vger.kernel.org \
--cc=max@enpas.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.