[PATCH] ttyprintk: Add TTY hangup callback.

Wed, 14 Apr 2021 17:22:31 -0700 

syzbot is reporting hung task due to flood of

  tty_warn(tty, "%s: tty->count = 1 port count = %d\n", __func__,
           port->count);

message [1], for ioctl(TIOCVHANGUP) prevents tty_port_close() from
decrementing port->count due to tty_hung_up_p() == true.

----------
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
        int i;
        int fd[10];

        for (i = 0; i < 10; i++)
                fd[i] = open("/dev/ttyprintk", O_WRONLY);
        ioctl(fd[0], TIOCVHANGUP);
        for (i = 0; i < 10; i++)
                close(fd[i]);
        close(open("/dev/ttyprintk", O_WRONLY));
        return 0;
}
----------

When TTY hangup happens, port->count needs to be reset via
"struct tty_operations"->hangup callback.

[1] 
https://syzkaller.appspot.com/bug?id=39ea6caa479af471183997376dc7e90bc7d64a6a

Reported-by: syzbot <syzbot+43e93968b964e369d...@syzkaller.appspotmail.com>
Reported-by: syzbot <syzbot+3ed715090790806d8...@syzkaller.appspotmail.com>
Tested-by: syzbot <syzbot+43e93968b964e369d...@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-ker...@i-love.sakura.ne.jp>
Fixes: 24b4b67d17c308aa ("add ttyprintk driver")
---
 drivers/char/ttyprintk.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/char/ttyprintk.c b/drivers/char/ttyprintk.c
index 6a0059e508e3..93f5d11c830b 100644
--- a/drivers/char/ttyprintk.c
+++ b/drivers/char/ttyprintk.c
@@ -158,12 +158,23 @@ static int tpk_ioctl(struct tty_struct *tty,
        return 0;
 }
 
+/*
+ * TTY operations hangup function.
+ */
+static void tpk_hangup(struct tty_struct *tty)
+{
+       struct ttyprintk_port *tpkp = tty->driver_data;
+
+       tty_port_hangup(&tpkp->port);
+}
+
 static const struct tty_operations ttyprintk_ops = {
        .open = tpk_open,
        .close = tpk_close,
        .write = tpk_write,
        .write_room = tpk_write_room,
        .ioctl = tpk_ioctl,
+       .hangup = tpk_hangup,
 };
 
 static const struct tty_port_operations null_ops = { };
-- 
2.18.4

Reply via email to