serial: core: Flush ldisc after dropping port mutex in uart_close()

The tty buffers (and any line discipline buffers) must be flushed after
the UART hardware has shutdown; otherwise, a racing open on the same
tty may receive data from the previous session, which is a security
hazard. However, holding the port mutex while flushing the line
discipline buffers creates a lock inversion if the set_termios()
handler takes the port mutex (as it does in the followup patch,
'serial: Fix locking for uart driver set_termios method'.

Flush the ldisc buffers after dropping the port mutex; the tty lock
is still held which prevents a concurrent open() from advancing while
flushing. Since no new rx data is possible after uart_shutdown() until
a new open reinitializes the port, the later flush has no impact on
what data is being discarded.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
index 787d67f74bd922bf3206608a02fd89fcf37873d5..9d142972ee2d5649219b387c594cbb796221a7e6 100644 (file)
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -1361,9 +1361,6 @@ static void uart_close(struct tty_struct *tty, struct file *filp)
 
        mutex_lock(&port->mutex);
        uart_shutdown(tty, state);
-
-       tty_ldisc_flush(tty);
-
        tty_port_tty_set(port, NULL);
        tty->closing = 0;
        spin_lock_irqsave(&port->lock, flags);
@@ -1390,6 +1387,8 @@ static void uart_close(struct tty_struct *tty, struct file *filp)
        wake_up_interruptible(&port->close_wait);
 
        mutex_unlock(&port->mutex);
+
+       tty_ldisc_flush(tty);
 }
 
 static void uart_wait_until_sent(struct tty_struct *tty, int timeout)