MIME-Version: 1.0
In-Reply-To: <87wpskyds7.fsf_-_@x220.int.ebiederm.org>
References: <43AD2BA7-B594-4299-95F3-D86FD38AF21B@zytor.com>
	<87egexpf4o.fsf@x220.int.ebiederm.org>
	<CA+55aFw9Bg+Zh_T4zP487n3ieaxoMHgZ_nNJVdpSR4kQK9gQ9w@mail.gmail.com>
	<1CB621EF-1647-463B-A144-D611DB150E15@zytor.com>
	<20151208223135.GA8352@kroah.com>
	<87oae0h2bo.fsf@x220.int.ebiederm.org>
	<56677DE3.5040705@zytor.com>
	<20151209012311.GA11794@kroah.com>
	<84B136DF-55E4-476A-9CB2-062B15677EE5@zytor.com>
	<20151209013859.GA12442@kroah.com>
	<20151209083225.GA30452@1wt.eu>
	<87wpskyds7.fsf_-_@x220.int.ebiederm.org>
Date: Fri, 11 Dec 2015 12:50:23 -0800
Message-ID: <CA+55aFxvB+eNbhzmadf7vVA16VGTdC8CsPZrrE13ha0aBHcHBA@mail.gmail.com>
Subject: Re: [PATCH] devpts: Sensible /dev/ptmx & force newinstance
From: Linus Torvalds <torvalds@linux-foundation.org>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Greg KH <greg@kroah.com>, Jiri Slaby <jslaby@suse.com>,
        "H. Peter Anvin" <hpa@zytor.com>,
        Aurelien Jarno <aurelien@aurel32.net>,
        Andy Lutomirski <luto@amacapital.net>,
        Florian Weimer <fw@deneb.enyo.de>, Al Viro <viro@zeniv.linux.org.uk>,
        Serge Hallyn <serge.hallyn@ubuntu.com>, Jann Horn <jann@thejh.net>,
        "security@kernel.org" <security@kernel.org>,
        "security@ubuntu.com >> security" <security@ubuntu.com>,
        security@debian.org, Willy Tarreau <w@1wt.eu>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1979
Lines: 57

On Fri, Dec 11, 2015 at 11:40 AM, Eric W. Biederman
<ebiederm@xmission.com> wrote:
>
>
> +struct inode *devpts_ptmx(struct inode *inode, struct file *filp)
> +{
> +#ifdef CONFIG_DEVPTS_MULTIPLE_INSTANCES
> +       struct path path, old;
> +       struct super_block *sb;
> +       struct dentry *root;
> +
> +       if (inode->i_sb->s_magic == DEVPTS_SUPER_MAGIC)
> +               return inode;
> +
> +       old = filp->f_path;
> +       path = old;
> +       path_get(&path);
> +       if (kern_path_pts(&path)) {
> +               path_put(&path);
> +               return ERR_PTR(-EINVAL);
> +       }

So this is definitely crap.

You can't return an error. You should just return the old inode. If
somebody doesn't have /dev/pts/ mounted there, the legacy /dev/ptmx
should still work, not return ENOENT or whatever.

> +       sb = path.mnt->mnt_sb;
> +       if (sb->s_magic != DEVPTS_SUPER_MAGIC) {
> +               path_put(&path);
> +               return ERR_PTR(-EINVAL);
> +       }

Same deal. Returning an error is wrong.

Of, alternatively, make the caller not consider an error an error, but
fall back to the old behavior in the caller.

> +       /*
> +        * Update filp with the new path so that userspace can use
> +        * fstat to know which instance of devpts is open, and so
> +        * userspace can use readlink /proc/self/fd/NNN to find the
> +        * path to the devpts filesystem for reporting slave inodes.
> +        */

Hmm. I'm not 100% convinced about this. Normally we do *not* allow
f_path and f_inode to change. I guess this file descriptor hasn't been
exposed yet, so it might be ok, but it makes me a bit nervous that
this code violates the basic filp rules..

                 Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/