Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933519AbbLORlo (ORCPT <rfc822;w@1wt.eu>);
	Tue, 15 Dec 2015 12:41:44 -0500
Received: from mx1.redhat.com ([209.132.183.28]:47288 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S932211AbbLORln (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Tue, 15 Dec 2015 12:41:43 -0500
Date: Tue, 15 Dec 2015 15:41:41 -0200
From: "Herton R. Krzesinski" <herton@redhat.com>
To: Peter Hurley <peter@hurleysoftware.com>
Cc: linux-kernel@vger.kernel.org,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jiri Slaby <jslaby@suse.com>
Subject: Re: pty: fix use after free/oops at pty_unix98_shutdown
Message-ID: <20151215174141.GB20334@dhcppc10.redhat.com>
References: <1450150179-20925-1-git-send-email-herton@redhat.com>
 <56703D34.7020106@hurleysoftware.com>
 <20151215163604.GA20334@dhcppc10.redhat.com>
 <56704DBC.4080503@hurleysoftware.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <56704DBC.4080503@hurleysoftware.com>
User-Agent: Mutt/1.5.23.1-rc1 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2021
Lines: 43

On Tue, Dec 15, 2015 at 09:28:28AM -0800, Peter Hurley wrote:
> On 12/15/2015 08:36 AM, Herton R. Krzesinski wrote:
> > On Tue, Dec 15, 2015 at 08:17:56AM -0800, Peter Hurley wrote:
> >>> I also expect in a rare case where all ptmx references are gone/closed, this also
> >>> could happen on final close when the master tty is given to pty_unix98_shutdown.
> >>
> >> This logic I'm not following. If the pty master is being released, then the inode
> >> is valid for the release() operation in-progress.
> > 
> > Hi Peter,
> > 
> > yes, you're right if you are eg. closing the /dev/ptmx or /dev/pts/ptmx file
> > previously opened. But I thought and refer above to the case where for example
> > you are closing /dev/tty and that's the final close and there is no other
> > process in the system with the /dev/{,*/}ptmx opened, the inode which referenced
> > the previously opened ptmx could be gone. It would be rare though since in a
> > running system any logged in user eg. through ssh or with a terminal open in X
> > will have at least a ptmx device opened.
> 
> /dev/tty can never be an alias for /dev/ptmx in Linux: a master pty cannot be
> a controlling terminal. So if the master pty is being released it will always be
> with the /dev/ptmx inode.

Indeed, pty_unix98_shutdown in case of /dev/tty close will be called with slave
pty tty_struct. Sorry about my previous confusing/wrong statement. My concern is
only valid in case final /dev/tty close used the ptmx inode instead of slave_inode
created at ptmx_open, which was not the case before/with current code, but is
the case when applying my patch, thus I grab the reference to the inode.

> 
> Regards,
> Peter Hurley
> 
> PS - for the purpose of this discussion, /dev/pts/ptmx is equivalent.

-- 
[]'s
Herton
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/