tty_open can return to userspace holding tty_mutex

__tty_open could return (to userspace) holding the tty_mutex thanks to a regression introduced by 4a2b5fddd5 ("Move tty lookup/reopen to caller"). This was found by bisecting an fsfuzzer problem. Admittedly I have no idea how it managed to tickle this 100% reliably, but it is clearly a regression and when hit leaves the box in a completely unusable state. This patch lets the fsfuzzer test complete every time. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Alan Cox <alan@lxorguk.ukuu.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-27 11:50:37 +00:00 · 2009-01-27 11:50:37 +00:00 · 808ffa3d30
commit 808ffa3d30
parent 5ee8100721
1 changed files with 3 additions and 1 deletions
--- a/drivers/char/tty_io.c
+++ b/drivers/char/tty_io.c
@ -1817,8 +1817,10 @@ got_driver:
 		/* check whether we're reopening an existing tty */
 		tty = tty_driver_lookup_tty(driver, inode, index);

-		if (IS_ERR(tty))
+		if (IS_ERR(tty)) {
+			mutex_unlock(&tty_mutex);
 			return PTR_ERR(tty);
+		}
 	}

 	if (tty) {