aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorIlya Zykov <ilya@ilyx.ru>2013-03-04 23:19:41 +0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2014-06-11 12:04:21 -0700
commita1843e9577d2bf2aea6c439be3bfa5038299e079 (patch)
tree2664137ce7970a9dc7fd9e840c0de461ad964333
parentf84f26e72c1286582da55dd76752ef4296faeccd (diff)
downloadlinux-linaro-stable-a1843e9577d2bf2aea6c439be3bfa5038299e079.tar.gz
tty: Correct tty buffer flush.
commit 64325a3be08d364a62ee8f84b2cf86934bc2544a upstream. The root of problem is carelessly zeroing pointer(in function __tty_buffer_flush()), when another thread can use it. It can be cause of "NULL pointer dereference". Main idea of the patch, this is never free last (struct tty_buffer) in the active buffer. Only flush the data for ldisc(buf->head->read = buf->head->commit). At that moment driver can collect(write) data in buffer without conflict. It is repeat behavior of flush_to_ldisc(), only without feeding data to ldisc. Signed-off-by: Ilya Zykov <ilya@ilyx.ru> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Cc: Rui Xiang <rui.xiang@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/tty/tty_buffer.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
index 6c9b7cd6778a..4f02f9ce05c5 100644
--- a/drivers/tty/tty_buffer.c
+++ b/drivers/tty/tty_buffer.c
@@ -114,11 +114,14 @@ static void __tty_buffer_flush(struct tty_struct *tty)
{
struct tty_buffer *thead;
- while ((thead = tty->buf.head) != NULL) {
- tty->buf.head = thead->next;
- tty_buffer_free(tty, thead);
+ if (tty->buf.head == NULL)
+ return;
+ while ((thead = tty->buf.head->next) != NULL) {
+ tty_buffer_free(tty, tty->buf.head);
+ tty->buf.head = thead;
}
- tty->buf.tail = NULL;
+ WARN_ON(tty->buf.head != tty->buf.tail);
+ tty->buf.head->read = tty->buf.head->commit;
}
/**