Bug 167288

Summary: FIX for oops in drivers/char/tty_io.c check_tty_count()
Product: Red Hat Enterprise Linux 3
Reporter: Fernando Luis Vazquez Cao <fernando>
Component: kernel
Assignee: Don Howard <dhoward>
Status: CLOSED WONTFIX
QA Contact: Brian Brock <bbrock>
Severity: high
Priority: medium
Version: 3.0
CC: jbaron, petrides
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-10-19 18:54:55 UTC

Description Fernando Luis Vazquez Cao 2005-09-01 11:48:10 UTC

Description of problem:
When I use kon (Kanji cONsole emulator) on a tty other than tty1, the kernel oopses. I first found this problem in kernel 2.4.20-32.73smp, but it seems to persist in recent RHEL3 kernels (I have checked 2.4.21-32). This bug was fixed in the vanilla kernel in v2.4.23.

What happens is that the debugging function check_tty_count() tries to walk a list_head that has been list_del()'d.

The patch below (included inline due to its brevity) should fix this:

--- drivers/char/tty_io.c.orig  2002-11-29 08:53:12.000000000 +0900
+++ drivers/char/tty_io.c       2005-09-01 16:27:23.000000000 +0900
@@ -1023,7 +1023,7 @@ static void release_mem(struct tty_struc
                }
                o_tty->magic = 0;
                (*o_tty->driver.refcount)--;
-               list_del(&o_tty->tty_files);
+               list_del_init(&o_tty->tty_files);
                free_tty_struct(o_tty);
        }
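Review bot: list_del_init() at this line only changes what o_tty->tty_files holds in memory that free_tty_struct(o_tty) releases on the very next line (NULL next/prev before the change, a self-pointing head after it). The only unlink of tty_files visible in this patch sits right before a free, so if check_tty_count() can still reach this tty_struct afterwards, as the do_exit -> disassociate_ctty -> do_tty_hangup trace in the report indicates, that walk reads freed memory either way; the hunk turns a reliable NULL-pointer oops into a walk that quietly terminates on the stale head. The changelog should say why the tty is still reachable at this point, and the fix should drop that stale reference (or defer the free) rather than re-initialise a head that is about to be freed.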

@@ -1035,7 +1035,7 @@ static void release_mem(struct tty_struc
        }
        tty->magic = 0;
        (*tty->driver.refcount)--;
-       list_del(&tty->tty_files);
+       list_del_init(&tty->tty_files);
        free_tty_struct(tty);
 }
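Review bot: this is the second copy of the same sequence (magic = 0, refcount--, unlink tty_files, free_tty_struct) and neither copy says why a list head that is freed on the next line has to be left as a valid empty list instead of just unlinked; without a comment such as `/* check_tty_count() may still walk tty_files after release; keep the head self-terminating */` the next cleanup pass will put list_del() back. Since tty->magic is cleared two lines earlier, also consider making check_tty_count() refuse to walk a tty whose magic is no longer TTY_MAGIC, which would catch the stale reference instead of silently counting over it.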

Version-Release number of selected component (if applicable):
kernel-2.4.21-32

How reproducible:
Sometimes

Steps to Reproduce:
1. login to tty2 (not tty1)
2. start kon (Kanji cONsole emulator, a console which supports Japanese characters)
3. exit kon
4. logout

Actual Results:  The oops below occurs.

Aug 29 19:09:17 aiscprtn01 kernel: Unable to handle kernel NULL pointer dereference at virtual address 0000005c
Aug 29 19:09:17 aiscprtn01 kernel:  printing eip:
Aug 29 19:09:17 aiscprtn01 kernel: c01810d0
Aug 29 19:09:17 aiscprtn01 kernel: *pde = 00000000
Aug 29 19:09:17 aiscprtn01 kernel: Oops: 0000
Aug 29 19:09:17 aiscprtn01 kernel: autofs e1000 st usb-ohci usbcore ext3 jbd ips aic7xxx sd_mod scsi_mod
Aug 29 19:09:17 aiscprtn01 kernel: CPU:    0
Aug 29 19:09:17 aiscprtn01 kernel: EIP:    0010:[<c01810d0>]    Not tainted
Aug 29 19:09:17 aiscprtn01 kernel: EFLAGS: 00010213
Aug 29 19:09:17 aiscprtn01 kernel:
Aug 29 19:09:17 aiscprtn01 kernel: EIP is at check_tty_count [kernel] 0x30 (2.4.20-32.73smp)
Aug 29 19:09:17 aiscprtn01 kernel: eax: f70c29a8   ebx: 00000000   ecx: f70c2000   edx: 00000000
Aug 29 19:09:17 aiscprtn01 kernel: esi: f70c29a8   edi: 00000000   ebp: 00000000   esp: c8065efc
Aug 29 19:09:17 aiscprtn01 kernel: ds: 0018   es: 0018   ss: 0018
Aug 29 19:09:17 aiscprtn01 kernel: Process bash (pid: 3835, stackpage=c8065000)
Aug 29 19:09:17 aiscprtn01 kernel: Stack: f70c2000 f70c2000 c0181510 f70c2000 c025ca5f 00000000 00000efb f70c2000
Aug 29 19:09:17 aiscprtn01 kernel:        00000001 c8064000 c01817df f70c2000 c36b4ce4 c36b0140 c8064000 c011fd9b
Aug 29 19:09:17 aiscprtn01 kernel:        00000001 f55be780 0812369c 00000efb c8064000 c0183285 00000efb f70c2000
Aug 29 19:09:17 aiscprtn01 kernel: Call Trace:   [<c0181510>] do_tty_hangup [kernel] 0x80 (0xc8065f04))
Aug 29 19:09:17 aiscprtn01 kernel: [<c01817df>] disassociate_ctty [kernel] 0x2f (0xc8065f24))
Aug 29 19:09:17 aiscprtn01 kernel: [<c011fd9b>] do_exit [kernel] 0x28b (0xc8065f38))
Aug 29 19:09:17 aiscprtn01 kernel: [<c0183285>] tiocspgrp [kernel] 0x65 (0xc8065f50))
Aug 29 19:09:17 aiscprtn01 kernel: [<c0183688>] tty_ioctl [kernel] 0x278 (0xc8065f64))
Aug 29 19:09:17 aiscprtn01 kernel: [<c0146053>] filp_open [kernel] 0x53 (0xc8065f74))
Aug 29 19:09:17 aiscprtn01 kernel: [<c0108be3>] system_call [kernel] 0x33 (0xc8065fc0))
Aug 29 19:09:17 aiscprtn01 kernel:
Aug 29 19:09:17 aiscprtn01 kernel:
Aug 29 19:09:17 aiscprtn01 kernel: Code: 39 4a 5c 8b 12 8d 43 01 0f 44 d8 39 f2 75 f1 b0 01 86 05 1c

Expected Results:  The system should not crash.

Additional info:
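As an added example (not code from the bug report, the attached patch, or the RHEL 3 kernel), the user-space model below shows what the one-word change does to a later check_tty_count()-style walk of the released head. The list primitives are modelled on the 2.4-series include/linux/list.h, on the assumption that list_del() in that series unlinks the entry and then sets its next/prev to NULL; the tty_struct and file layouts, the count_tty_files() and release_then_count() helpers, and the TTY_MAGIC value 0x5401 are stand-ins for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Modelled on 2.4 include/linux/list.h (assumption), not copied from it. */
struct list_head {
	struct list_head *next, *prev;
};

static void INIT_LIST_HEAD(struct list_head *l)
{
	l->next = l;
	l->prev = l;
}

static void list_add(struct list_head *entry, struct list_head *head)
{
	struct list_head *next = head->next;
	next->prev = entry;
	entry->next = next;
	entry->prev = head;
	head->next = entry;
}

static void __list_del(struct list_head *prev, struct list_head *next)
{
	next->prev = prev;
	prev->next = next;
}

/* 2.4-style list_del(): unlink, then poison the entry with NULL pointers. */
static void list_del(struct list_head *entry)
{
	__list_del(entry->prev, entry->next);
	entry->next = entry->prev = NULL;
}

/* list_del_init(): unlink, then leave the entry as a valid empty list. */
static void list_del_init(struct list_head *entry)
{
	__list_del(entry->prev, entry->next);
	INIT_LIST_HEAD(entry);
}

#define list_entry(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Stand-ins for the two kernel structures the walk touches. */
struct tty_struct {
	int magic;
	struct list_head tty_files;	/* head of the files open on this tty */
};

struct file {
	struct list_head f_list;	/* linked into tty->tty_files */
	void *private_data;		/* points back at the tty */
};

/*
 * The loop check_tty_count() runs, plus one guard the kernel walk lacks:
 * a NULL link is reported as -1 instead of being dereferenced. In the
 * kernel that dereference is the fault at 0x5c in the report (a field
 * of a struct file whose address is NULL).
 */
static int count_tty_files(struct tty_struct *tty)
{
	struct list_head *p;
	int count = 0;

	for (p = tty->tty_files.next; p != &tty->tty_files; p = p->next) {
		if (p == NULL)
			return -1;	/* the kernel would oops here */
		if (list_entry(p, struct file, f_list)->private_data == tty)
			count++;
	}
	return count;
}

/*
 * Open two files on a tty, close them, run the release_mem() tail either
 * as shipped (list_del) or as patched (list_del_init), and return what a
 * late check_tty_count() sees on the released head. The kfree() that
 * follows in the kernel is elided so the head can still be inspected.
 */
static int release_then_count(int patched)
{
	struct tty_struct tty;
	struct file f1, f2;

	tty.magic = 0x5401;	/* TTY_MAGIC (assumed value) */
	INIT_LIST_HEAD(&tty.tty_files);
	f1.private_data = &tty;
	f2.private_data = &tty;
	list_add(&f1.f_list, &tty.tty_files);
	list_add(&f2.f_list, &tty.tty_files);
	if (count_tty_files(&tty) != 2)
		return -2;	/* sanity check: both open files are counted */

	/* each file drops off the list when it is closed */
	list_del_init(&f1.f_list);
	list_del_init(&f2.f_list);

	/* release_mem(): tear the struct down, shipped vs. patched */
	tty.magic = 0;
	if (patched)
		list_del_init(&tty.tty_files);
	else
		list_del(&tty.tty_files);

	/* the late walk (do_tty_hangup -> check_tty_count in the report) */
	return count_tty_files(&tty);
}

int main(void)
{
	printf("shipped list_del:      %d (-1 = would oops)\n", release_then_count(0));
	printf("patched list_del_init: %d\n", release_then_count(1));
	return 0;
}
```

With the shipped list_del() the head's next pointer is NULL and the walk faults on the first step; with list_del_init() the head points at itself and the walk sees an empty list and returns 0. Note what the model has to elide to show that: in the kernel the tty_struct is freed immediately after the unlink, so a walk that reaches the head at all is reading freed memory, and the patch changes only whether that read faults or succeeds.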

Comment 2 RHEL Program Management 2007-10-19 18:54:55 UTC
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
 
For more information on the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/
 
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.