From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752787AbcAPVJt (ORCPT ); Sat, 16 Jan 2016 16:09:49 -0500
Received: from mail-pa0-f48.google.com ([209.85.220.48]:36293 "EHLO mail-pa0-f48.google.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1752672AbcAPVJs (ORCPT ); Sat, 16 Jan 2016 16:09:48 -0500
Subject: Re: [PATCH 2/2 v2] pty: make sure super_block is still valid in final /dev/tty close
To: "Herton R. Krzesinski"
References: <1452521264-21766-1-git-send-email-herton@redhat.com>
	<1452521264-21766-3-git-send-email-herton@redhat.com>
	<56968F3B.20502@hurleysoftware.com>
	<20160114195658.GA3036@dhcppc10.redhat.com>
Cc: linux-kernel@vger.kernel.org, Alan Cox, Greg Kroah-Hartman, Jiri Slaby,
	Andrew Morton, Josh Triplett, Al Viro, David Howells
From: Peter Hurley
Message-ID: <569AB197.7010108@hurleysoftware.com>
Date: Sat, 16 Jan 2016 13:09:43 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <20160114195658.GA3036@dhcppc10.redhat.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On 01/14/2016 11:56 AM, Herton R. Krzesinski wrote:
> Considering current pty code and multiple devpts instances, it's possible
> to umount a devpts file system while a program still has /dev/tty opened
> pointing to a previously closed pty pair in that instance. In the case all
> ptmx and pts/N files are closed, umount can be done. If the program closes
> /dev/tty after umount is done, devpts_kill_index will use now an invalid
> super_block, which was already destroyed in the umount operation after
> running ->kill_sb. This is another "use after free" type of issue, but now
> related to the allocated super_block instance.
>
> To avoid the problem (warning at ida_remove and potential crashes) for
> this specific case, I added two functions in devpts which grabs additional
> references to the super_block, which pty code now uses so it makes sure
> the super block structure is still valid until pty shutdown is done.
> I also moved the additional inode references to the same functions, which
> also covered similar case with inode being freed before /dev/tty final
> close/shutdown.

Thanks again.

Reviewed-by: Peter Hurley
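The lifetime problem described in the quoted commit message, modelled in user-space C as an added example (not kernel code and not part of this thread): the helper names devpts_add_ref/devpts_del_ref, the refcount/alive fields and the scenario codes are assumptions, and "freed" is modelled with a flag rather than a real free() so the outcome can be inspected.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model of a devpts super_block (constructed for illustration). */
struct super_block {
    int refcount;   /* holders keeping the sb alive; 0 => ->kill_sb has run */
    bool alive;     /* cleared when the sb is torn down (stands in for freeing) */
    int ida_used;   /* pty indices still allocated in this instance's ida */
};

enum { SCENARIO_CLEAN = 0, SCENARIO_UAF = 1, SCENARIO_LEAK = 2 };

static void sb_put(struct super_block *sb) {
    if (--sb->refcount == 0)
        sb->alive = false;          /* ->kill_sb: the sb is gone after this */
}

/* Hypothetical names for the two reference helpers the patch adds to devpts. */
static void devpts_add_ref(struct super_block *sb) { sb->refcount++; }
static void devpts_del_ref(struct super_block *sb) { sb_put(sb); }

/* Final /dev/tty close releases the index; touching a dead sb is the bug. */
static bool devpts_kill_index(struct super_block *sb) {
    if (!sb->alive)
        return false;               /* use after free in the real kernel */
    sb->ida_used--;
    return true;
}

int run_scenario(bool fixed) {
    struct super_block sb = { .refcount = 1, .alive = true, .ida_used = 0 };

    sb.ida_used++;                  /* ptmx open allocates pts/N */
    if (fixed)
        devpts_add_ref(&sb);        /* pty pins the sb until its own shutdown */
    /* ptmx and pts/N are closed, but a program still holds /dev/tty open. */
    sb_put(&sb);                    /* umount drops the mount's reference */

    bool ok = devpts_kill_index(&sb);   /* the program now closes /dev/tty */
    if (fixed)
        devpts_del_ref(&sb);        /* pty shutdown releases its reference */
    if (!ok)
        return SCENARIO_UAF;
    return sb.alive ? SCENARIO_LEAK : SCENARIO_CLEAN;
}

int main(void) {
    printf("unfixed: %d, fixed: %d\n", run_scenario(false), run_scenario(true));
    return 0;
}
```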