RHEL 6 machine crashes while trying to read from a tty

Issue:

  • kernel BUG at drivers/char/n_tty.c:1713!
  • Kernel panic due to NULL pointer dereference at n_tty_read+0x2c9

Environment:

  • Red Hat Enterprise Linux 6.1
  • kernel-2.6.32-131.0.15.el6

Resolution:

A fix has been submitted upstream, and Red Hat is looking to provide the fix in RHEL 6.4.

Root Cause:

In n_tty_read() the tty read_lock is taken AFTER reading the buffer:

                eol = test_and_clear_bit(tty->read_tail,
                        tty->read_flags);
                c = tty->read_buf[tty->read_tail];
                spin_lock_irqsave(&tty->read_lock, flags);

In all other cases this lock is used for accessing the buffer, for example in reset_buffer_flags():

        spin_lock_irqsave(&tty->read_lock, flags);
        tty->read_head = tty->read_tail = tty->read_cnt = 0;
        spin_unlock_irqrestore(&tty->read_lock, flags);

This leads to a race condition:

CPU0 (n_tty_read)                                   CPU1 (reset_buffer_flags)

while (nr && tty->read_cnt) {   /* read_cnt tested without the lock */

                                                    spin_lock_irqsave(&tty->read_lock, flags);
                                                    tty->read_head = tty->read_tail = tty->read_cnt = 0;
                                                    spin_unlock_irqrestore(&tty->read_lock, flags);

  spin_lock_irqsave(&tty->read_lock, flags);

  tty->read_cnt--;

  spin_unlock_irqrestore(&tty->read_lock, flags);

  /* Now tty->read_cnt is negative */

The tty device may be closed (which resets the read buffer under read_lock) while another CPU is still partway through reading from that buffer without the lock. This is what causes the panics.
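As an added illustration (not code from this article or from the kernel), the user-space C model below replays the interleaving above against the two orderings: the RHEL 6.1 one, where the count is tested and the byte fetched before read_lock is taken, and the corrected one, where the whole step sits under the lock. The tty_model struct, the spinlock built on a C11 atomic flag, and the concurrent_reset() hook are all constructed for the demo; the hook uses a trylock so a single thread can stand in for the second CPU, reporting the reset as deferred when the reader holds read_lock, which is what spinning until the reader releases it amounts to.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

#define BUF_SIZE 16

/* Constructed spinlock on a C11 atomic flag; stands in for tty->read_lock. */
struct read_lock { atomic_flag held; };

static void lock_acquire(struct read_lock *l)
{
    while (atomic_flag_test_and_set_explicit(&l->held, memory_order_acquire))
        ;   /* spin until the holder releases */
}

static void lock_release(struct read_lock *l)
{
    atomic_flag_clear_explicit(&l->held, memory_order_release);
}

/* Constructed stand-in for the struct tty_struct fields the article names. */
struct tty_model {
    struct read_lock read_lock;
    int read_head, read_tail, read_cnt;
    char read_buf[BUF_SIZE];
};

static void tty_init(struct tty_model *t)
{
    atomic_flag_clear(&t->read_lock.held);
    t->read_head = t->read_tail = t->read_cnt = 0;
}

/* Receive one byte into the ring buffer (producer side, always under the lock). */
static void tty_push(struct tty_model *t, char c)
{
    lock_acquire(&t->read_lock);
    t->read_buf[t->read_head] = c;
    t->read_head = (t->read_head + 1) % BUF_SIZE;
    t->read_cnt++;
    lock_release(&t->read_lock);
}

/* CPU1's reset_buffer_flags(), attempted at a chosen point of CPU0's read.
 * A single thread cannot spin on a lock it already holds, so a trylock is used:
 * false means "the reader holds read_lock, the reset must wait", which is
 * exactly what the real spinlock enforces. */
static bool concurrent_reset(struct tty_model *t)
{
    if (atomic_flag_test_and_set_explicit(&t->read_lock.held, memory_order_acquire))
        return false;                      /* lock busy: reset deferred */
    t->read_head = t->read_tail = t->read_cnt = 0;
    lock_release(&t->read_lock);
    return true;
}

/* RHEL 6.1 ordering: read_cnt tested and the byte fetched before read_lock is
 * taken; the lock only covers the bookkeeping that follows. */
static int read_one_buggy(struct tty_model *t, char *out, bool *reset_ran)
{
    if (t->read_cnt == 0)                  /* the while (nr && tty->read_cnt) test, unlocked */
        return 0;
    char c = t->read_buf[t->read_tail];    /* buffer read, still unlocked */
    *reset_ran = concurrent_reset(t);      /* CPU1 gets in here: the lock is free */
    lock_acquire(&t->read_lock);
    t->read_tail = (t->read_tail + 1) % BUF_SIZE;
    t->read_cnt--;                         /* 0 - 1: the negative count from the article */
    lock_release(&t->read_lock);
    *out = c;
    return 1;
}

/* Corrected ordering: count test, byte fetch and decrement all under read_lock,
 * so a reset cannot land between the test and the decrement. */
static int read_one_fixed(struct tty_model *t, char *out, bool *reset_ran)
{
    lock_acquire(&t->read_lock);
    if (t->read_cnt == 0) {
        lock_release(&t->read_lock);
        return 0;
    }
    char c = t->read_buf[t->read_tail];
    *reset_ran = concurrent_reset(t);      /* same point as above, but the lock is held */
    t->read_tail = (t->read_tail + 1) % BUF_SIZE;
    t->read_cnt--;
    lock_release(&t->read_lock);
    *out = c;
    return 1;
}

/* Replays the interleaving on one buffered byte; returns the read_cnt left
 * behind (negative is the state that makes n_tty_read() BUG). */
static int run_race(int (*read_one)(struct tty_model *, char *, bool *), bool *reset_ran)
{
    struct tty_model t;
    char c = 0;
    tty_init(&t);
    tty_push(&t, 'x');
    read_one(&t, &c, reset_ran);
    return t.read_cnt;
}

int main(void)
{
    bool ran;
    int cnt = run_race(read_one_buggy, &ran);
    printf("buggy ordering: read_cnt = %d, reset ran = %d\n", cnt, ran);
    cnt = run_race(read_one_fixed, &ran);
    printf("fixed ordering: read_cnt = %d, reset ran = %d\n", cnt, ran);
    return 0;
}
```

With the buggy ordering the reset slips in between the unlocked count test and the locked decrement and read_cnt ends at -1; with the corrected ordering the reset finds read_lock held and is deferred, so read_cnt ends at 0 and the reset simply runs once the reader has released the lock.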

