Description of problem:

Alan pointed out a race in the code where hvc_remove is invoked. The recent virtio_console work is the first user of hvc_remove().

Alan describes it thus:

The hvc_console assumes that a close and remove call can't occur at the same time.

In addition tty_hangup(tty) is problematic as tty_hangup is asynchronous itself....

So this can happen

    hvc_close                       hvc_remove
    hung up ? - no
                                    lock
                                    tty = hp->tty
                                    unlock
    lock
    hp->tty = NULL
    unlock
    notify del
    kref_put the hvc struct
    close completes
    tty is destroyed
                                    tty_hangup dead tty
                                    tty->ops will be NULL
                                    NULL->...

This patch adds some tty krefs and also converts to using tty_vhangup().

Reported-by: Alan Cox <alan.org.uk>
Signed-off-by: Amit Shah <amit.shah>
CC: Alan Cox <alan.org.uk>
CC: linuxppc-dev
CC: Rusty Russell <rusty.au>
---

Alan, how does this version look?

I've tested with multiple virtio_console ports. There's some other bug in the hvc_remove code that's unrelated: hot-removal of one console port results in all other hvc consoles to stop working. I'll look at that once this is finalised.

 drivers/char/hvc_console.c | 31 +++++++++++++++++++++----------
 1 files changed, 21 insertions(+), 10 deletions(-)

http://patchwork.kernel.org/patch/83353/
http://lkml.org/lkml/2010/3/3/207
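The interleaving described above, replayed as a single-threaded userspace model. This is an added example, not code from the patch or the kernel, and every name in it (model_tty, model_port, remove_begin, close_port, replay) is hypothetical. It shows why taking a reference while the lock is still held keeps the tty alive until the remove side has finished with it.

```c
/* Constructed userspace model: replays the hvc_close / hvc_remove
 * interleaving in one thread, so the outcome is deterministic. */
#include <stdbool.h>
#include <stdio.h>

struct model_tty  { int refs; bool destroyed; };
struct model_port { struct model_tty *tty; };    /* stands in for hp->tty */
static struct model_tty *model_tty_get(struct model_tty *t) { if (t) { t->refs++; } return t; }
static void model_tty_put(struct model_tty *t)
{
    if (t && --t->refs == 0)
        t->destroyed = true;    /* stands in for freeing the tty */
}

/* Remove side, first half: read the tty pointer inside the locked region.
 * pin == false borrows the pointer (the racy pattern);
 * pin == true takes a reference before the lock would be dropped. */
static struct model_tty *remove_begin(struct model_port *p, bool pin)
{
    struct model_tty *t = pin ? model_tty_get(p->tty) : p->tty;  /* under lock */
    return t;                                                    /* after unlock */
}

/* Close side: clear the port's pointer, then drop the port's reference. */
static void close_port(struct model_port *p)
{
    struct model_tty *t = p->tty;   /* lock */
    p->tty = NULL;                  /* unlock */
    model_tty_put(t);
}

/* Returns true if the remove side would hang up a destroyed tty. */
static bool replay(bool pin)
{
    struct model_tty tty = { .refs = 1, .destroyed = false };
    struct model_port port = { .tty = &tty };
    struct model_tty *t = remove_begin(&port, pin);  /* hvc_remove column */
    close_port(&port);                               /* hvc_close column */
    bool dead = t && t->destroyed;                   /* hangup would run here */
    if (pin)
        model_tty_put(t);                            /* remove drops its pin */
    return dead;
}

int main(void)
{
    printf("borrowed: dead=%d, pinned: dead=%d\n", replay(false), replay(true));
    return 0;
}
```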
Statement: Not vulnerable. This issue did not affect the versions of KVM as shipped with Red Hat Enterprise Linux 5 as it does not contain the patch that introduced this vulnerability.
OK, thanks guys, I committed the fix for this to F-13 branch this morning.
This bug was accidentally moved from POST to MODIFIED via an error in automation; please see mmccune with any questions.