From: ebiederm@xmission.com (Eric W. Biederman)
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Christian Brauner <christian.brauner@canonical.com>,
Christian Brauner <christian.brauner@ubuntu.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH 0/1] devpts: use dynamic_dname() to generate proc name
Date: Wed, 16 Aug 2017 17:46:46 -0500 [thread overview]
Message-ID: <87pobvruzt.fsf@xmission.com> (raw)
In-Reply-To: <CA+55aFxXzwoDdN72m2oaV4XuxO0DGoT+Bp84i07VFpLQ3Ftcpw@mail.gmail.com> (Linus Torvalds's message of "Wed, 16 Aug 2017 14:03:14 -0700")
Linus Torvalds <torvalds@linux-foundation.org> writes:
> On Wed, Aug 16, 2017 at 1:30 PM, Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
>>
>> I suspect the easiest fix is to just add a "mnt" argument to
>> devpts_acquire(), It shouldn't be too painful. Let me try.
>
> Ok, here's a *very* lightly tested patch. It might have new bugs, but
> it makes your test program DTRT.
>
> Al, mind going over this and making sure I didn't miss anything?
>
> And Christian, if you can beat on this, that would be good.
Linus reading through this it looks like your error handling is wrong.
> diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
> index 284749fb0f6b..432f514e3f42 100644
> --- a/drivers/tty/pty.c
> +++ b/drivers/tty/pty.c
> @@ -793,6 +793,7 @@ static int ptmx_open(struct inode *inode, struct file *filp)
> struct tty_struct *tty;
> struct path *pts_path;
> struct dentry *dentry;
> + struct vfsmount *mnt;
> int retval;
> int index;
>
> @@ -805,7 +806,7 @@ static int ptmx_open(struct inode *inode, struct file *filp)
> if (retval)
> return retval;
>
> - fsi = devpts_acquire(filp);
> + fsi = devpts_acquire(filp, &mnt);
> if (IS_ERR(fsi)) {
> retval = PTR_ERR(fsi);
> goto out_free_file;
> @@ -849,9 +850,14 @@ static int ptmx_open(struct inode *inode, struct file *filp)
> pts_path = kmalloc(sizeof(struct path), GFP_KERNEL);
> if (!pts_path)
> goto err_release;
> - pts_path->mnt = filp->f_path.mnt;
> - pts_path->dentry = dentry;
> - path_get(pts_path);
> +
> + /*
> + * The mnt already got a ref from devpts_acquire(),
> + * so we only dget() on the dentry.
> + */
> + pts_path->mnt = mnt;
> + pts_path->dentry = dget(dentry);
> +
> tty->link->driver_data = pts_path;
>
> retval = ptm_driver->ops->open(tty, filp);
^^^^^^^
If this open fails the code jumps to err_put_path which falls
through into out_put_fsi. But it also does path_put(pts_path).
Which will result in a double mntput of mnt.
So I think err_path_put needs to be updated to just put the dentry,
and let the later mntput put the mount.
> @@ -874,6 +880,7 @@ static int ptmx_open(struct inode *inode, struct file *filp)
> devpts_kill_index(fsi, index);
> out_put_fsi:
> devpts_release(fsi);
> + mntput(mnt);
> out_free_file:
> tty_free_file(filp);
> return retval;
Eric
next prev parent reply other threads:[~2017-08-16 22:47 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-16 17:12 [PATCH 0/1] devpts: use dynamic_dname() to generate proc name Christian Brauner
2017-08-16 17:12 ` [PATCH 1/1] " Christian Brauner
2017-08-16 18:26 ` [PATCH 0/1] " Linus Torvalds
2017-08-16 18:48 ` Linus Torvalds
2017-08-16 19:48 ` Christian Brauner
2017-08-16 19:56 ` Linus Torvalds
2017-08-16 20:19 ` Linus Torvalds
2017-08-16 20:30 ` Linus Torvalds
2017-08-16 21:03 ` Linus Torvalds
2017-08-16 21:37 ` Christian Brauner
2017-08-16 21:45 ` Linus Torvalds
2017-08-16 21:55 ` Linus Torvalds
2017-08-16 22:05 ` Christian Brauner
2017-08-16 22:28 ` Christian Brauner
2017-08-23 15:31 ` Eric W. Biederman
2017-08-23 21:15 ` Christian Brauner
2017-08-16 22:46 ` Eric W. Biederman [this message]
2017-08-16 22:58 ` Linus Torvalds
2017-08-16 23:51 ` Eric W. Biederman
2017-08-17 0:08 ` Linus Torvalds
2017-08-17 1:24 ` Eric W. Biederman
2017-08-24 0:24 ` Stefan Lippers-Hollmann
2017-08-24 0:42 ` Linus Torvalds
2017-08-24 1:16 ` Linus Torvalds
2017-08-24 1:25 ` Eric W. Biederman
2017-08-24 1:32 ` Linus Torvalds
2017-08-24 1:49 ` Linus Torvalds
2017-08-24 2:01 ` Linus Torvalds
2017-08-24 3:11 ` Eric W. Biederman
2017-08-24 3:24 ` Linus Torvalds
2017-08-24 15:51 ` Eric W. Biederman
2017-08-24 4:24 ` Stefan Lippers-Hollmann
2017-08-24 15:54 ` Eric W. Biederman
2017-08-24 17:52 ` Linus Torvalds
2017-08-24 18:06 ` Linus Torvalds
2017-08-24 18:13 ` Linus Torvalds
2017-08-24 18:31 ` Linus Torvalds
2017-08-24 18:36 ` Linus Torvalds
2017-08-24 20:24 ` Stefan Lippers-Hollmann
2017-08-24 20:27 ` Linus Torvalds
2017-08-24 18:40 ` Eric W. Biederman
2017-08-24 18:51 ` Linus Torvalds
2017-08-24 19:23 ` Eric W. Biederman
2017-08-24 20:13 ` [PATCH v3] pty: Repair TIOCGPTPEER Eric W. Biederman
2017-08-24 21:01 ` Stefan Lippers-Hollmann
[not found] ` <CAPP7u0WHqDfxTW6hmc=DsmHuoALZcrWdU-Odu=FfoTX26SGHQg@mail.gmail.com>
2017-08-24 19:22 ` [PATCH 0/1] devpts: use dynamic_dname() to generate proc name Linus Torvalds
2017-08-24 19:25 ` Linus Torvalds
2017-08-24 20:43 ` Eric W. Biederman
2017-08-24 21:07 ` Linus Torvalds
2017-08-24 23:01 ` Eric W. Biederman
2017-08-24 23:27 ` Linus Torvalds
2017-08-24 23:37 ` Christian Brauner
2017-08-26 1:00 ` Linus Torvalds
2017-08-24 19:48 ` Eric W. Biederman
2017-08-17 1:37 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87pobvruzt.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=christian.brauner@canonical.com \
--cc=christian.brauner@ubuntu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.