Check for tp->t_refcnt == 0 before doing anything in tty_open().

PR:		103520
MFC after:	1 week

2 files changed, 18 insertions, 0 deletions

diff --git a/sys/kern/tty.c b/sys/kern/tty.c
index f5b7d91..4701584 100644
--- a/sys/kern/tty.c
+++ b/sys/kern/tty.c
@@ -3067,6 +3067,12 @@ ttyopen(struct cdev *dev, int flag, int mode, struct thread *td)
 	struct tty	*tp;
 
 	tp = dev->si_tty;
+
+	/* XXX It can happen that devfs_open calls us with tp->t_refcnt == 0 */
+	if (tp == NULL || tp->t_refcnt == 0) {
+		return (ENXIO);
+	}
+
 	s = spltty();
 	/*
 	 * We jump to this label after all non-interrupted sleeps to pick
diff --git a/sys/kern/tty_pty.c b/sys/kern/tty_pty.c
index 155b046..c861d40 100644
--- a/sys/kern/tty_pty.c
+++ b/sys/kern/tty_pty.c
@@ -196,6 +196,12 @@ ptsopen(struct cdev *dev, int flag, int devtype, struct thread *td)
 		return(ENXIO);
 	pt = dev->si_drv1;
 	tp = dev->si_tty;
+
+        /* XXX It can happen that devfs_open calls us with tp->t_refcnt == 0 */
+	if (tp == NULL || tp->t_refcnt == 0) {
+		return (ENXIO);
+        }
+
 	if ((tp->t_state & TS_ISOPEN) == 0) {
 		ttyinitmode(tp, 1, 0);
 	} else if (tp->t_state & TS_XCLUDE && suser(td))
@@ -314,6 +320,12 @@ ptcopen(struct cdev *dev, int flag, int devtype, struct thread *td)
 	if (!dev->si_drv1)
 		return(ENXIO);
 	tp = dev->si_tty;
+
+	/* XXX It can happen that devfs_open calls us with tp->t_refcnt == 0 */
+        if (tp == NULL || tp->t_refcnt == 0) {
+                return (ENXIO);
+        }
+
 	if (tp->t_oproc)
 		return (EIO);
 	tp->t_timeout = -1;