Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S965357AbbLOR2e (ORCPT ); Tue, 15 Dec 2015 12:28:34 -0500
Received: from mail-pa0-f51.google.com ([209.85.220.51]:36290 "EHLO
        mail-pa0-f51.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S964956AbbLOR2d (ORCPT ); Tue, 15 Dec 2015 12:28:33 -0500
Subject: Re: pty: fix use after free/oops at pty_unix98_shutdown
To: "Herton R. Krzesinski"
References: <1450150179-20925-1-git-send-email-herton@redhat.com>
        <56703D34.7020106@hurleysoftware.com>
        <20151215163604.GA20334@dhcppc10.redhat.com>
Cc: linux-kernel@vger.kernel.org, Greg Kroah-Hartman, Jiri Slaby
From: Peter Hurley
Message-ID: <56704DBC.4080503@hurleysoftware.com>
Date: Tue, 15 Dec 2015 09:28:28 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <20151215163604.GA20334@dhcppc10.redhat.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1493
Lines: 31

On 12/15/2015 08:36 AM, Herton R. Krzesinski wrote:
> On Tue, Dec 15, 2015 at 08:17:56AM -0800, Peter Hurley wrote:
>>> I also expect in a rare case where all ptmx references are gone/closed, this also
>>> could happen on final close when the master tty is given to pty_unix98_shutdown.
>>
>> This logic I'm not following. If the pty master is being released, then the inode
>> is valid for the release() operation in-progress.
>
> Hi Peter,
>
> yes, you're right if you are eg. closing the /dev/ptmx or /dev/pts/ptmx file
> previously opened. But I thought and refer above to the case where for example
> you are closing /dev/tty and that's the final close and there is no other
> process in the system with the /dev/{,*/}ptmx opened, the inode which referenced
> the previously opened ptmx could be gone. It would be rare though since in a
> running system any logged in user eg. through ssh or with a terminal open in X
> will have at least a ptmx device opened.

/dev/tty can never be an alias for /dev/ptmx in Linux: a master pty cannot be
a controlling terminal. So if the master pty is being released it will always be
with the /dev/ptmx inode.

Regards,
Peter Hurley

PS - for the purpose of this discussion, /dev/pts/ptmx is equivalent.