VT ioctl race fix

When calling the RELDISP VT ioctl, we are reading vt_newvt while the console workqueue could be messing with it (through change_console()). We fix this race by taking the console semaphore before reading vt_newvt. Signed-off-by: Samuel Ortiz <sameo@openedhand.com> Acked-by: Antonino Daplas <adaplas@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-10-01 01:20:12 -07:00 · 2007-10-01 01:20:12 -07:00 · 8792f961ba
parent 4047727e5a
commit 8792f961ba
1 changed files with 5 additions and 3 deletions
--- a/drivers/char/vt_ioctl.c
+++ b/drivers/char/vt_ioctl.c
@ -770,6 +770,7 @@ int vt_ioctl(struct tty_struct *tty, struct file * file,
 		/*
 		 * Switching-from response
 		 */
+		acquire_console_sem();
 		if (vc->vt_newvt >= 0) {
 			if (arg == 0)
 				/*
@ -784,7 +785,6 @@ int vt_ioctl(struct tty_struct *tty, struct file * file,
 				 * complete the switch.
 				 */
 				int newvt;
-				acquire_console_sem();
 				newvt = vc->vt_newvt;
 				vc->vt_newvt = -1;
 				i = vc_allocate(newvt);
@ -798,7 +798,6 @@ int vt_ioctl(struct tty_struct *tty, struct file * file,
 				 * other console switches..
 				 */
 				complete_change_console(vc_cons[newvt].d);
-				release_console_sem();
 			}
 		}

@ -810,9 +809,12 @@ int vt_ioctl(struct tty_struct *tty, struct file * file,
 			/*
 			 * If it's just an ACK, ignore it
 			 */
-			if (arg != VT_ACKACQ)
+			if (arg != VT_ACKACQ) {
+				release_console_sem();
 				return -EINVAL;
+			}
 		}
+		release_console_sem();

 		return 0;