From: Peter Hurley Date: Tue, 2 Sep 2014 21:39:13 +0000 (-0400) Subject: serial: core: Fix x_char race X-Git-Tag: v3.18-rc1~129^2~70 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=c235ccc1c4d6fd8b7d48b976b87416230ffd5149;p=users%2Fwilly%2Flinux.git serial: core: Fix x_char race The UART driver is expected to clear port->x_char after transmission while holding the port->lock. However, the serial core fails to take the port->lock before assigning port->xchar. This allows for the following race CPU 0 | CPU 1 | | serial8250_handle_irq | ... | serial8250_tx_chars | if (port->x_char) | serial_out(up, UART_TX, port->x_char) uart_send_xchar | port->x_char = ch | | port->x_char = 0 port->ops->start_tx() | | The x_char on CPU 0 will never be sent. Take the port->lock in uart_send_xchar() before assigning port->x_char. Signed-off-by: Peter Hurley Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c index 0742f77ac410..bd20cf51e912 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -600,12 +600,11 @@ static void uart_send_xchar(struct tty_struct *tty, char ch) if (port->ops->send_xchar) port->ops->send_xchar(port, ch); else { + spin_lock_irqsave(&port->lock, flags); port->x_char = ch; - if (ch) { - spin_lock_irqsave(&port->lock, flags); + if (ch) port->ops->start_tx(port); - spin_unlock_irqrestore(&port->lock, flags); - } + spin_unlock_irqrestore(&port->lock, flags); } }