Re: [PATCH] updated preempt-kernel

Andrew Morton (akpm@zip.com.au)
Sun, 21 Oct 2001 08:24:12 -0700


Colin Phipps wrote:
>
> [1.] NULL pointer deference in con_flush_chars with preempt patch
> [2.]
> Ok, running with preempt-kernel-rml-2.4.12-ac3-2.patch I had a crash
> yesterday. It occured when the machine was under
> light load, I had just exited X, and I was logging off a console - I may
> have hit ctrl-d twice. I did a little investigating myself, and the
> closest I could find in the archives was the problem mentioned in
> http://www.geocrawler.com/archives/3/35/1998/11/0/217652/ , except my
> crash is occuring at console close instead of open. It may not be
> preempt related, just preempt induced :-)
>

This one has been reported before.

n_tty_receive_buf() puts a character into the tty queue and
then calls con_flush_chars(), which touches tty->driver_data.

Problem is, there's a window between these two operations where the
device can be closed (especially if the char is "^D"!), and con_close()
will zero out tty->driver_data. Hence null pointer deref.

I don't really believe this explanation, because the timing's
wrong - the reader isn't woken until after the flush is called.
Hence it'll be very difficult to actually trigger this race.
It's probably something else. But a bit more sticking plaster
should make it appear to be fixed:

--- linux-2.4.12-ac3/drivers/char/console.c Mon Oct 15 16:04:23 2001
+++ ac/drivers/char/console.c Sun Oct 21 08:19:42 2001
@@ -2387,9 +2387,15 @@ static void con_flush_chars(struct tty_s
return;

pm_access(pm_con);
- acquire_console_sem();
- set_cursor(vt->vc_num);
- release_console_sem();
+ if (vt) {
+ /*
+ * If we raced with con_close(), `vt' may be null.
+ * Hence this bandaid. - akpm
+ */
+ acquire_console_sem();
+ set_cursor(vt->vc_num);
+ release_console_sem();
+ }
}

/*
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/