Subject: Re: [PATCH] pty: fix use after free of tty->driver_data
To: "Herton R. Krzesinski"
Cc: linux-kernel@vger.kernel.org, Greg Kroah-Hartman, Jiri Slaby
From: Peter Hurley
Message-ID: <567079E2.7010703@hurleysoftware.com>
Date: Tue, 15 Dec 2015 12:36:50 -0800

On 12/15/2015 12:34 PM, Herton R. Krzesinski wrote:
> On Tue, Dec 15, 2015 at 11:52:14AM -0800, Peter Hurley wrote:
>> On 12/15/2015 11:23 AM, Herton R. Krzesinski wrote:
>>> On Tue, Dec 15, 2015 at 04:05:09PM -0200, Herton R. Krzesinski wrote:
>>>> On Tue, Dec 15, 2015 at 09:36:26AM -0800, Peter Hurley wrote:
>>>>>
>>>>>
>>>>>> Signed-off-by: Herton R. Krzesinski
>>>>>> Cc:
>>>>>
>>>>> Afaict, the stable tag goes back to the original implementation.
>>>>> Did you research how far back the /dev/tty alias problem goes?
>>>>
>>>> Hmm no. I did cc stable because the first report I got about this issue
>>>> was on RHEL 7 with 3.10 based kernel, so this issue goes far back
>>>> some releases that are still supported and similar code is there.
>>>>
>>>> On a quick check on a 2.6.32 kernel, things were very different,
>>>> tty_release_dev() called directly devpts_kill_index with inode
>>>> from the same file being closed. I'll check more and adjust the tag.
>>>
>>> FYI, checked here and the problem should start with 3.8, after commit
>>> fa2ecfc5a68d85624bbd84f7d010860776b7e602 devpts_kill_index was moved
>>> to pty.c/pty_unix98_shutdown
>>>
>>
>> istm this goes back to multi-instance devpts support added in 2.6.28.
>>
>> Before then, there was no inode parameter because there was only
>> one devpts instance and the idas were global.
>
> Yeah, I'm not ruling out problems with devpts instances prior to 3.8, where to
> me the wrong inode will be given in the final close with /dev/tty case, when the
> ptmx is on a different instance other than the main ptmx instance (
> pts_sb_from_inode will choose the "root"/main devpts instance, as the /dev/tty
> inode usually is inode tied to devtmpfs mount at /dev). Both fa2ecfc5a68d85624b
> and the new fix could be backported to 3.7 and as far as 2.6.28 perhaps, not
> sure if anything else will be needed, however may not be worth the trouble.

I think a 2.6.28 tag is sufficient.