From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:33490 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1033336AbeBOOhx (ORCPT ); Thu, 15 Feb 2018 09:37:53 -0500 Subject: Patch "devpts: fix error handling in devpts_mntget()" has been added to the 4.15-stable tree To: ebiggers@google.com, gregkh@linuxfoundation.org, syzkaller@googlegroups.com, torvalds@linux-foundation.org Cc: , From: Date: Thu, 15 Feb 2018 15:37:47 +0100 Message-ID: <15187054679934@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled devpts: fix error handling in devpts_mntget() to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: devpts-fix-error-handling-in-devpts_mntget.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From c9cc8d01fb04117928830449388512a5047569c9 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Wed, 31 Jan 2018 00:49:18 -0800 Subject: devpts: fix error handling in devpts_mntget() From: Eric Biggers commit c9cc8d01fb04117928830449388512a5047569c9 upstream. If devpts_ptmx_path() returns an error code, then devpts_mntget() dereferences an ERR_PTR(): BUG: unable to handle kernel paging request at fffffffffffffff5 IP: devpts_mntget+0x13f/0x280 fs/devpts/inode.c:173 Fix it by returning early in the error paths. Reproducer: #define _GNU_SOURCE #include #include #include #define TIOCGPTPEER _IO('T', 0x41) int main() { for (;;) { int fd = open("/dev/ptmx", 0); unshare(CLONE_NEWNS); ioctl(fd, TIOCGPTPEER, 0); } } Fixes: 311fc65c9fb9 ("pty: Repair TIOCGPTPEER") Reported-by: syzbot Signed-off-by: Eric Biggers Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- fs/devpts/inode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/fs/devpts/inode.c +++ b/fs/devpts/inode.c @@ -168,11 +168,11 @@ struct vfsmount *devpts_mntget(struct fi dput(path.dentry); if (err) { mntput(path.mnt); - path.mnt = ERR_PTR(err); + return ERR_PTR(err); } if (DEVPTS_SB(path.mnt->mnt_sb) != fsi) { mntput(path.mnt); - path.mnt = ERR_PTR(-ENODEV); + return ERR_PTR(-ENODEV); } return path.mnt; } Patches currently in stable-queue which might be from ebiggers@google.com are queue-4.15/pipe-fix-off-by-one-error-when-checking-buffer-limits.patch queue-4.15/crypto-hash-annotate-algorithms-taking-optional-key.patch queue-4.15/crypto-cryptd-pass-through-absence-of-setkey.patch queue-4.15/crypto-hash-prevent-using-keyed-hashes-without-setting-key.patch queue-4.15/ubifs-free-the-encrypted-symlink-target.patch queue-4.15/pipe-actually-allow-root-to-exceed-the-pipe-buffer-limits.patch queue-4.15/kernel-relay.c-revert-kernel-relay.c-fix-potential-memory-leak.patch queue-4.15/nfs-reject-request-for-id_legacy-key-without-auxdata.patch queue-4.15/crypto-poly1305-remove-setkey-method.patch queue-4.15/crypto-sha512-mb-initialize-pending-lengths-correctly.patch queue-4.15/devpts-fix-error-handling-in-devpts_mntget.patch queue-4.15/crypto-hash-introduce-crypto_hash_alg_has_setkey.patch queue-4.15/crypto-mcryptd-pass-through-absence-of-setkey.patch