tty: fix data race in tty_ldisc_ref_wait()

dvyukov · gregkh · commit a4a3e061149f · 2017-03-17T14:07:10.000+09:00
tty_ldisc_ref_wait() checks tty-&gt;ldisc under tty-&gt;ldisc_sem.
But if ldisc==NULL it releases them sem and reloads
tty-&gt;ldisc without holding the sem. This is wrong and
can lead to returning non-NULL ldisc without protection.

Don't reload tty-&gt;ldisc second time.

Signed-off-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Cc: syzkaller@googlegroups.com
Cc: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Cc: Jiri Slaby &lt;jslaby@suse.com&gt;
Cc: Peter Hurley &lt;peter@hurleysoftware.com&gt;
Cc: One Thousand Gnomes &lt;gnomes@lxorguk.ukuu.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c
@@ -271,10 +271,13 @@ const struct file_operations tty_ldiscs_proc_fops = {
 
 struct tty_ldisc *tty_ldisc_ref_wait(struct tty_struct *tty)
 {
+	struct tty_ldisc *ld;
+
 	ldsem_down_read(&tty->ldisc_sem, MAX_SCHEDULE_TIMEOUT);
-	if (!tty->ldisc)
+	ld = tty->ldisc;
+	if (!ld)
 		ldsem_up_read(&tty->ldisc_sem);
-	return tty->ldisc;
+	return ld;
 }
 EXPORT_SYMBOL_GPL(tty_ldisc_ref_wait);
 

Original file line number	Diff line number	Diff line change
`@@ -271,10 +271,13 @@ const struct file_operations tty_ldiscs_proc_fops = {`
`271`	`271`
`272`	`272`	`struct tty_ldisc tty_ldisc_ref_wait(struct tty_struct tty)`
`273`	`273`	`{`
	`274`	`+ struct tty_ldisc *ld;`
	`275`	`+`
`274`	`276`	`ldsem_down_read(&tty->ldisc_sem, MAX_SCHEDULE_TIMEOUT);`
`275`		`- if (!tty->ldisc)`
	`277`	`+ ld = tty->ldisc;`
	`278`	`+ if (!ld)`
`276`	`279`	`ldsem_up_read(&tty->ldisc_sem);`
`277`		`- return tty->ldisc;`
	`280`	`+ return ld;`
`278`	`281`	`}`
`279`	`282`	`EXPORT_SYMBOL_GPL(tty_ldisc_ref_wait);`
`280`	`283`