From: ebiederm@xmission.com (Eric W. Biederman)
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Christian Brauner <christian.brauner@canonical.com>,
Christian Brauner <christian.brauner@ubuntu.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH 0/1] devpts: use dynamic_dname() to generate proc name
Date: Wed, 16 Aug 2017 17:46:46 -0500 [thread overview]
Message-ID: <87pobvruzt.fsf@xmission.com> (raw)
In-Reply-To: <CA+55aFxXzwoDdN72m2oaV4XuxO0DGoT+Bp84i07VFpLQ3Ftcpw@mail.gmail.com> (Linus Torvalds's message of "Wed, 16 Aug 2017 14:03:14 -0700")
Linus Torvalds <torvalds@linux-foundation.org> writes:
> On Wed, Aug 16, 2017 at 1:30 PM, Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
>>
>> I suspect the easiest fix is to just add a "mnt" argument to
>> devpts_acquire(), It shouldn't be too painful. Let me try.
>
> Ok, here's a *very* lightly tested patch. It might have new bugs, but
> it makes your test program DTRT.
>
> Al, mind going over this and making sure I didn't miss anything?
>
> And Christian, if you can beat on this, that would be good.
Linus reading through this it looks like your error handling is wrong.
> diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
> index 284749fb0f6b..432f514e3f42 100644
> --- a/drivers/tty/pty.c
> +++ b/drivers/tty/pty.c
> @@ -793,6 +793,7 @@ static int ptmx_open(struct inode *inode, struct file *filp)
> struct tty_struct *tty;
> struct path *pts_path;
> struct dentry *dentry;
> + struct vfsmount *mnt;
> int retval;
> int index;
>
> @@ -805,7 +806,7 @@ static int ptmx_open(struct inode *inode, struct file *filp)
> if (retval)
> return retval;
>
> - fsi = devpts_acquire(filp);
> + fsi = devpts_acquire(filp, &mnt);
> if (IS_ERR(fsi)) {
> retval = PTR_ERR(fsi);
> goto out_free_file;
> @@ -849,9 +850,14 @@ static int ptmx_open(struct inode *inode, struct file *filp)
> pts_path = kmalloc(sizeof(struct path), GFP_KERNEL);
> if (!pts_path)
> goto err_release;
> - pts_path->mnt = filp->f_path.mnt;
> - pts_path->dentry = dentry;
> - path_get(pts_path);
> +
> + /*
> + * The mnt already got a ref from devpts_acquire(),
> + * so we only dget() on the dentry.
> + */
> + pts_path->mnt = mnt;
> + pts_path->dentry = dget(dentry);
> +
> tty->link->driver_data = pts_path;
>
> retval = ptm_driver->ops->open(tty, filp);
^^^^^^^
If this open fails the code jumps to err_put_path which falls
through into out_put_fsi. But it also does path_put(pts_path).
Which will result in a double mntput of mnt.
So I think err_path_put needs to be updated to just put the dentry,
and let the later mntput put the mount.
> @@ -874,6 +880,7 @@ static int ptmx_open(struct inode *inode, struct file *filp)
> devpts_kill_index(fsi, index);
> out_put_fsi:
> devpts_release(fsi);
> + mntput(mnt);
> out_free_file:
> tty_free_file(filp);
> return retval;
Eric
next prev parent reply other threads:[~2017-08-16 22:47 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-16 17:12 [PATCH 0/1] devpts: use dynamic_dname() to generate proc name Christian Brauner
2017-08-16 17:12 ` [PATCH 1/1] " Christian Brauner
2017-08-16 18:26 ` [PATCH 0/1] " Linus Torvalds
2017-08-16 18:48 ` Linus Torvalds
2017-08-16 19:48 ` Christian Brauner
2017-08-16 19:56 ` Linus Torvalds
2017-08-16 20:19 ` Linus Torvalds
2017-08-16 20:30 ` Linus Torvalds
2017-08-16 21:03 ` Linus Torvalds
2017-08-16 21:37 ` Christian Brauner
2017-08-16 21:45 ` Linus Torvalds
2017-08-16 21:55 ` Linus Torvalds
2017-08-16 22:05 ` Christian Brauner
2017-08-16 22:28 ` Christian Brauner
2017-08-23 15:31 ` Eric W. Biederman
2017-08-23 21:15 ` Christian Brauner
2017-08-16 22:46 ` Eric W. Biederman [this message]
2017-08-16 22:58 ` Linus Torvalds
2017-08-16 23:51 ` Eric W. Biederman
2017-08-17 0:08 ` Linus Torvalds
2017-08-17 1:24 ` Eric W. Biederman
2017-08-24 0:24 ` Stefan Lippers-Hollmann
2017-08-24 0:42 ` Linus Torvalds
2017-08-24 1:16 ` Linus Torvalds
2017-08-24 1:25 ` Eric W. Biederman
2017-08-24 1:32 ` Linus Torvalds
2017-08-24 1:49 ` Linus Torvalds
2017-08-24 2:01 ` Linus Torvalds
2017-08-24 3:11 ` Eric W. Biederman
2017-08-24 3:24 ` Linus Torvalds
2017-08-24 15:51 ` Eric W. Biederman
2017-08-24 4:24 ` Stefan Lippers-Hollmann
2017-08-24 15:54 ` Eric W. Biederman
2017-08-24 17:52 ` Linus Torvalds
2017-08-24 18:06 ` Linus Torvalds
2017-08-24 18:13 ` Linus Torvalds
2017-08-24 18:31 ` Linus Torvalds
2017-08-24 18:36 ` Linus Torvalds
2017-08-24 20:24 ` Stefan Lippers-Hollmann
2017-08-24 20:27 ` Linus Torvalds
2017-08-24 18:40 ` Eric W. Biederman
2017-08-24 18:51 ` Linus Torvalds
2017-08-24 19:23 ` Eric W. Biederman
2017-08-24 20:13 ` [PATCH v3] pty: Repair TIOCGPTPEER Eric W. Biederman
2017-08-24 21:01 ` Stefan Lippers-Hollmann
[not found] ` <CAPP7u0WHqDfxTW6hmc=DsmHuoALZcrWdU-Odu=FfoTX26SGHQg@mail.gmail.com>
2017-08-24 19:22 ` [PATCH 0/1] devpts: use dynamic_dname() to generate proc name Linus Torvalds
2017-08-24 19:25 ` Linus Torvalds
2017-08-24 20:43 ` Eric W. Biederman
2017-08-24 21:07 ` Linus Torvalds
2017-08-24 23:01 ` Eric W. Biederman
2017-08-24 23:27 ` Linus Torvalds
2017-08-24 23:37 ` Christian Brauner
2017-08-26 1:00 ` Linus Torvalds
2017-08-24 19:48 ` Eric W. Biederman
2017-08-17 1:37 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87pobvruzt.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=christian.brauner@canonical.com \
--cc=christian.brauner@ubuntu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox