Hi Greg,
Now that the bluetooth rfcomm tty refcounting is fixed in linux-next,
I'd like to add this patch which aborts tty_port destruction if the
tty has not yet been released. At least this problem won't show up
as some random memory corruption (as was happening with rfcomm).
Even though this only WARNs, the machine is likely to crash anyway
because the port indexes will not be in sync; the tty layer will
assume the port has been destructed while the tty_port obviously
has not.
Regards,
Peter Hurley (1):
tty: Prevent tty_port destruction if tty not released
drivers/tty/tty_port.c | 4 ++++
1 file changed, 4 insertions(+)
--
1.8.1.2
If the tty driver mistakenly drops the last port reference
before the tty has been released, issue a diagnostic and
abort the port destruction.
This will leak memory and may zombify the port, but might
otherwise keep the machine in runnable state.
Signed-off-by: Peter Hurley <[email protected]>
---
drivers/tty/tty_port.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/tty/tty_port.c b/drivers/tty/tty_port.c
index 9857f7e..c94d234 100644
--- a/drivers/tty/tty_port.c
+++ b/drivers/tty/tty_port.c
@@ -140,6 +140,10 @@ EXPORT_SYMBOL(tty_port_destroy);
static void tty_port_destructor(struct kref *kref)
{
struct tty_port *port = container_of(kref, struct tty_port, kref);
+
+ /* check if last port ref was dropped before tty release */
+ if (WARN_ON(port->itty))
+ return;
if (port->xmit_buf)
free_page((unsigned long)port->xmit_buf);
tty_port_destroy(port);
--
1.8.1.2