Subject: Re: [PATCH 1/2 v2] pty: fix possible use after free of tty->driver_data
From: Peter Hurley
To: "Herton R. Krzesinski", Greg Kroah-Hartman
Cc: linux-kernel@vger.kernel.org, Alan Cox, Jiri Slaby, Andrew Morton, Josh Triplett, Al Viro, David Howells
Date: Wed, 13 Jan 2016 09:39:29 -0800
Message-ID: <56968BD1.5090000@hurleysoftware.com>
In-Reply-To: <1452521264-21766-2-git-send-email-herton@redhat.com>
References: <1452521264-21766-1-git-send-email-herton@redhat.com> <1452521264-21766-2-git-send-email-herton@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 01/11/2016 06:07 AM, Herton R. Krzesinski wrote:
> This change fixes a bug for a corner case where we have the last
> release from a pty master/slave coming from a previously opened /dev/tty
> file. When this happens, the tty->driver_data can be stale, due to all
> ptmx or pts/N files having already been closed before (and thus the inode
> related to these files, which tty->driver_data points to, being already
> freed/destroyed).
>
> The fix here is to keep a reference on the opened master ptmx inode.
> We maintain the inode referenced until the final pty_unix98_shutdown,
> and only pass this inode to devpts_kill_index.

Ideally, the tty core should be bumping the inode count for the underlying
controlling tty but I'm not sure how to make that work atm, and this fixes
the (overwhelmingly) most common use-case.

Thanks again,

Reviewed-by: Peter Hurley
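
The lifetime rule described in the quoted commit message, as an added example that is not part of this message or of the patch: a userspace C model in which the pty takes its own reference on the ptmx inode at open and drops it at shutdown. All struct and function names are hypothetical, and destruction is modelled as a flag rather than a real free, so the stale case can be observed safely.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; names are hypothetical, not the kernel's.
 * "Destroying" the inode just clears a flag, so nothing freed is touched. */
struct model_inode { int refs; bool live; };
struct model_tty   { struct model_inode *driver_data; };

static void inode_get(struct model_inode *i) { i->refs++; }
static void inode_put(struct model_inode *i) { if (--i->refs == 0) i->live = false; }

/* Opening ptmx: the open file holds one reference. With the fix, the pty
 * itself takes a second one that lasts until the final shutdown. */
static void model_ptmx_open(struct model_tty *tty, struct model_inode *i, bool fix)
{
    inode_get(i);                 /* reference owned by the open file */
    tty->driver_data = i;
    if (fix)
        inode_get(i);             /* reference owned by the pty */
}

/* Final release: reports whether driver_data was still valid when used. */
static bool model_pty_shutdown(struct model_tty *tty, bool fix)
{
    bool valid = tty->driver_data->live;   /* model flag, always safe to read */
    if (fix)
        inode_put(tty->driver_data);       /* drop the pty's own reference */
    return valid;
}

/* Corner case from the commit message: the ptmx and pts/N files are closed
 * first, and the last release arrives through a /dev/tty file. */
static bool last_release_via_dev_tty(bool fix)
{
    struct model_inode ino = { 0, true };
    struct model_tty tty = { 0 };
    model_ptmx_open(&tty, &ino, fix);
    inode_put(&ino);                       /* close(ptmx): file reference dropped */
    return model_pty_shutdown(&tty, fix);  /* close(/dev/tty): final release */
}

int main(void)
{
    printf("driver_data valid at shutdown: without fix=%d, with fix=%d\n",
           last_release_via_dev_tty(false), last_release_via_dev_tty(true));
    return 0;
}
```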