Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S965255AbbLOTwU (ORCPT <rfc822;w@1wt.eu>);
	Tue, 15 Dec 2015 14:52:20 -0500
Received: from mail-pf0-f172.google.com ([209.85.192.172]:34411 "EHLO
	mail-pf0-f172.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S933425AbbLOTwT (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 15 Dec 2015 14:52:19 -0500
Subject: Re: [PATCH] pty: fix use after free of tty->driver_data
To: "Herton R. Krzesinski" <herton@redhat.com>
References: <1450150179-20925-1-git-send-email-herton@redhat.com>
 <1450150179-20925-2-git-send-email-herton@redhat.com>
 <56704F9A.6050006@hurleysoftware.com>
 <20151215180509.GC20334@dhcppc10.redhat.com>
 <20151215192303.GD20334@dhcppc10.redhat.com>
Cc: linux-kernel@vger.kernel.org,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jiri Slaby <jslaby@suse.com>
From: Peter Hurley <peter@hurleysoftware.com>
Message-ID: <56706F6E.2000804@hurleysoftware.com>
Date: Tue, 15 Dec 2015 11:52:14 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <20151215192303.GD20334@dhcppc10.redhat.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1466
Lines: 34

On 12/15/2015 11:23 AM, Herton R. Krzesinski wrote:
> On Tue, Dec 15, 2015 at 04:05:09PM -0200, Herton R. Krzesinski wrote:
>> On Tue, Dec 15, 2015 at 09:36:26AM -0800, Peter Hurley wrote:
>>>
>>>
>>>> Signed-off-by: Herton R. Krzesinski <herton@redhat.com>
>>>> Cc: <stable@vger.kernel.org>
>>>
>>> Afaict, the stable tag goes back to the original implementation.
>>> Did you research how far back the /dev/tty alias problem goes?
>>
>> Hmm no. I did cc stable because the first report I got about this issue
>> was on RHEL 7 with 3.10 based kernel, so this issue goes far back
>> some releases that are still supported and similar code is there.
>>
>> On a quick check on a 2.6.32 kernel, things were very different,
>> tty_release_dev() called directly devpts_kill_index with inode
>> from the same file being closed. I'll check more and adjust the tag.
> 
> FYI, checked here and the problem should start with 3.8, after commit
> fa2ecfc5a68d85624bbd84f7d010860776b7e602 devpts_kill_index was moved
> to pty.c/pty_unix98_shutdown
> 

istm this goes back to multi-instance devpts support added in 2.6.28.

Before then, there was no inode parameter because there was only
one devpts instance and the idas were global.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/