
Commit 92322b6f authored by Chandana Kishori Chiluveru

tty: Fix possible NULL pointer dereference



During processing of echo characters on terminal device,
n_tty_close can happen in parallel with fault inject
testing method and result in a NULL pointer dereference.

Fix this by validating the tty->disc_data inside
continue_process_echoes() and cancel delayed work before
disc_data becomes NULL.

Change-Id: I4d24a87f2943653b334251c53cdec1c7252a6099
Signed-off-by: Chandana Kishori Chiluveru <cchiluve@codeaurora.org>
parent 9a711d9c
+11 −1
@@ -847,7 +847,12 @@ static void continue_process_echoes(struct work_struct *work)
{
	struct tty_struct *tty =
		container_of(work, struct tty_struct, echo_delayed_work.work);
	struct n_tty_data *ldata = tty->disc_data;
	struct n_tty_data *ldata;

	/* Possible for n_tty_close() is called here and free the disc_data */
	ldata = tty->disc_data;
	if (!ldata)
		return;

	mutex_lock(&ldata->output_lock);
	tty->delayed_work = 0;
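Review bot: the `if (!ldata) return;` check in continue_process_echoes() is a check-then-use on a pointer that is read without holding any lock, so it narrows the race rather than closing it. n_tty_close() calls `vfree(ldata)` before it stores `tty->disc_data = NULL`, so the worker can still load a non-NULL pointer to memory that has already been freed and then call `mutex_lock(&ldata->output_lock)` on it. The real protection is the cancel_delayed_work_sync() call added to n_tty_close(); the comment here should say that and be reworded (for example "n_tty_close() may already have cleared disc_data"), and if this worker can be built without CONFIG_TTY_FLUSH_LOCAL_ECHO the cancel is compiled out and this check is the only guard left.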
@@ -1918,6 +1923,11 @@ static void n_tty_close(struct tty_struct *tty)
	if (tty->link)
		n_tty_packet_mode_flush(tty);

#if defined(CONFIG_TTY_FLUSH_LOCAL_ECHO)
	if (tty->echo_delayed_work.work.func)
		cancel_delayed_work_sync(&tty->echo_delayed_work);
#endif

	vfree(ldata);
	tty->disc_data = NULL;
}
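Review bot: the `if (tty->echo_delayed_work.work.func)` guard in front of cancel_delayed_work_sync() in n_tty_close() needs a comment explaining when the work item is left uninitialised, because nothing in this hunk tells the reader why the cancel is conditional. Please also confirm that nothing can queue echo_delayed_work again between the cancel and `vfree(ldata)`; if it can, the worker runs against freed memory, and the NULL check added in continue_process_echoes() does not help because `tty->disc_data = NULL` is only stored after the free. Clearing `tty->disc_data` before the `vfree()` would at least make that check see the teardown as early as possible.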