pty: Fix packet mode setting race

Because pty_set_pktmode() does not claim the slave's ctrl_lock to clear ->ctrl_status (to avoid unnecessary lock nesting), pty_set_pktmode() may accidentally erase new ->ctrl_status updates. For example, CPU 0 | CPU 1 pty_set_pktmode() | pty_start() spin_lock(master's ctrl_lock) | tty->packet = 1 | | if (tty->link->packet) | spin_lock(slave's ctrl_lock) | tty->ctrl_status = TIOCPKT_START tty->link->ctrl_status = 0 | Ensure the clear of ->ctrl_status occurs before packet mode is set (and observable on another cpu). Signed-off-by: N Peter Hurley <peter@hurleysoftware.com> Reviewed-by: N Alan Cox <alan@linux.intel.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>

pty: Fix packet mode setting race
Because pty_set_pktmode() does not claim the slave's ctrl_lock to clear ->ctrl_status (to avoid unnecessary lock nesting), pty_set_pktmode() may accidentally erase new ->ctrl_status updates. For example, CPU 0 | CPU 1 pty_set_pktmode() | pty_start() spin_lock(master's ctrl_lock) | tty->packet = 1 | | if (tty->link->packet) | spin_lock(slave's ctrl_lock) | tty->ctrl_status = TIOCPKT_START tty->link->ctrl_status = 0 | Ensure the clear of ->ctrl_status occurs before packet mode is set (and observable on another cpu). Signed-off-by: N Peter Hurley <peter@hurleysoftware.com> Reviewed-by: N Alan Cox <alan@linux.intel.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2622d73e · Peter Hurley · Greg Kroah-Hartman · 54e8e5fc · 2622d73e
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

drivers/tty/pty.c drivers/tty/pty.c +2 -1

未找到文件。
--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
@@ -186,8 +186,9 @@ static int pty_set_pktmode(struct tty_struct *tty, int __user *arg)
 	spin_lock_irq(&tty->ctrl_lock);
 	if (pktmode) {
 		if (!tty->packet) {
-			tty->packet = 1;
 			tty->link->ctrl_status = 0;
+			smp_mb();
+			tty->packet = 1;
 		}
 	} else
 		tty->packet = 0;