From: Peter Hurley <peter@hurleysoftware.com>
To: "Herton R. Krzesinski" <herton@redhat.com>
Cc: linux-kernel@vger.kernel.org, Alan Cox <alan@linux.intel.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jslaby@suse.com>,
Andrew Morton <akpm@linux-foundation.org>,
Josh Triplett <josh@joshtriplett.org>,
Al Viro <viro@zeniv.linux.org.uk>,
David Howells <dhowells@redhat.com>
Subject: Re: [PATCH 2/2 v2] pty: make sure super_block is still valid in final /dev/tty close
Date: Sat, 16 Jan 2016 13:09:43 -0800
Message-ID: <569AB197.7010108@hurleysoftware.com>
In-Reply-To: <20160114195658.GA3036@dhcppc10.redhat.com>

On 01/14/2016 11:56 AM, Herton R. Krzesinski wrote:
> Considering current pty code and multiple devpts instances, it's possible
> to umount a devpts file system while a program still has /dev/tty opened
> pointing to a previously closed pty pair in that instance. In the case all
> ptmx and pts/N files are closed, umount can be done. If the program closes
> /dev/tty after umount is done, devpts_kill_index will use now an invalid
> super_block, which was already destroyed in the umount operation after
> running ->kill_sb. This is another "use after free" type of issue, but now
> related to the allocated super_block instance.
>
> To avoid the problem (warning at ida_remove and potential crashes) for
> this specific case, I added two functions in devpts which grab additional
> references to the super_block, which pty code now uses so it makes sure
> the super block structure is still valid until pty shutdown is done.
> I also moved the additional inode references to the same functions, which
> also covered similar case with inode being freed before /dev/tty final
> close/shutdown.

Thanks again.

Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
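
A userspace model of the lifetime rule described in the quoted commit message, added here as an example; it is not code from the patch or from the kernel. Every name in it (model_sb, sb_get, sb_put, model_umount, model_final_close, alive_at_final_close) is hypothetical, and the refcount stands in for the extra super_block reference the patch takes.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed stand-in for the devpts super_block; not a kernel type. */
struct model_sb {
    int refs;            /* holders keeping the structure alive */
    bool index_in_use;   /* stands in for the allocated pty index */
    bool *freed_flag;    /* lets the caller observe the free */
};

static struct model_sb *sb_new(bool *freed_flag) {
    struct model_sb *sb = malloc(sizeof(*sb));
    if (!sb) return NULL;
    sb->refs = 1;                 /* the mount's own reference */
    sb->index_in_use = true;
    sb->freed_flag = freed_flag;
    *freed_flag = false;
    return sb;
}

static void sb_get(struct model_sb *sb) { sb->refs++; }

static void sb_put(struct model_sb *sb) {
    if (--sb->refs == 0) {        /* last holder frees the structure */
        *sb->freed_flag = true;
        free(sb);
    }
}

/* umount with all ptmx and pts/N files closed: the mount reference goes. */
static void model_umount(struct model_sb *sb) { sb_put(sb); }

/* Final /dev/tty close: release the index, then drop the pinned reference. */
static void model_final_close(struct model_sb *sb) {
    sb->index_in_use = false;     /* valid only while a reference is held */
    sb_put(sb);
}

/* Returns 1 if the structure is still alive when the final close runs,
 * 0 if umount already freed it (the use-after-free window), -1 on error. */
static int alive_at_final_close(bool pin_on_open) {
    bool freed;
    struct model_sb *sb = sb_new(&freed);
    if (!sb) return -1;
    if (pin_on_open) sb_get(sb);  /* the extra reference taken at pty open */
    model_umount(sb);
    if (freed) return 0;          /* final close would touch freed memory */
    model_final_close(sb);
    return freed ? 1 : -1;        /* the last put must free it exactly once */
}
```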