Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S932871AbcDEBmH (ORCPT <rfc822;w@1wt.eu>);
	Mon, 4 Apr 2016 21:42:07 -0400
Received: from out02.mta.xmission.com ([166.70.13.232]:41488 "EHLO
	out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S932822AbcDEBmE (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Mon, 4 Apr 2016 21:42:04 -0400
From: "Eric W. Biederman" <ebiederm@xmission.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>, Peter Hurley <peter@hurleysoftware.com>,
        Greg KH <greg@kroah.com>, Jiri Slaby <jslaby@suse.com>,
        Aurelien Jarno <aurelien@aurel32.net>,
        Andy Lutomirski <luto@amacapital.net>,
        Florian Weimer <fw@deneb.enyo.de>, Al Viro <viro@zeniv.linux.org.uk>,
        Serge Hallyn <serge.hallyn@ubuntu.com>, Jann Horn <jann@thejh.net>,
        "security@kernel.org" <security@kernel.org>, security@ubuntu.com,
        security@debian.org, Willy Tarreau <w@1wt.eu>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        "Eric W. Biederman" <ebiederm@xmission.com>
Date: Mon,  4 Apr 2016 20:29:28 -0500
Message-Id: <1459819769-30387-12-git-send-email-ebiederm@xmission.com>
X-Mailer: git-send-email 2.8.1
In-Reply-To: <1459819769-30387-1-git-send-email-ebiederm@xmission.com>
References: <878u0s3orx.fsf_-_@x220.int.ebiederm.org>
 <1459819769-30387-1-git-send-email-ebiederm@xmission.com>
X-XM-AID: U2FsdGVkX1+yeaYVwPFG/TJurJhI6vs4CvYGD65ovmY=
X-SA-Exim-Connect-IP: 67.3.249.252
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
	*  0.7 XMSubLong Long Subject
	*  1.5 XMNoVowels Alpha-numberic number with no vowels
	*  0.0 TVD_RCVD_IP Message was received from an IP address
	*  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
	*      [score: 0.5000]
	* -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
	*      [sa07 1397; Body=1 Fuz1=1 Fuz2=1]
X-Spam-DCC: XMission; sa07 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: **;Linus Torvalds <torvalds@linux-foundation.org>
X-Spam-Relay-Country: 
X-Spam-Timing: total 371 ms - load_scoreonly_sql: 0.04 (0.0%),
	signal_user_changed: 4.3 (1.2%), b_tie_ro: 3.1 (0.8%), parse: 1.03 (0.3%),
	extract_message_metadata: 13 (3.5%), get_uri_detail_list: 2.2 (0.6%),
	tests_pri_-1000: 6 (1.6%), tests_pri_-950: 1.19 (0.3%), tests_pri_-900: 1.01
	(0.3%), tests_pri_-400: 24 (6.3%), check_bayes: 23 (6.1%), b_tokenize: 7
	(2.0%), b_tok_get_all: 7 (2.0%), b_comp_prob: 1.88 (0.5%), b_tok_touch_all:
	3.4 (0.9%), b_finish: 0.69 (0.2%), tests_pri_0: 313 (84.4%),
	check_dkim_signature: 0.45 (0.1%), check_dkim_adsp: 3.3 (0.9%),
	tests_pri_500: 4.6 (1.2%), rewrite_mail: 0.00 (0.0%)
Subject: [PATCH 12/13] devpts: Always return a distinct instance when mounting
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600)
X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2584
Lines: 82

When devpts is mounted and the newinstance flag is not passed the code
first checks to see if the system devpts instance has been exported to
userspace.  If it has not the system devpts instance is returned
otherwise a fresh instance of devpts is allocated and returned.

If newinstance is passed a fresh devpts instance is always returned.

Combined with the earlier work to cause mounts of devpts to fail
if devpts is mounted over itself, this ensures that the system devpts
is mounted on /dev/pts on all of the systems I have tested.

This has been verified to work properly on openwrt-15.05, centos5,
centos6, centos7, debian-6.0.2, debian-7.9, debian-8.2, ubuntu-14.04.3,
ubuntu-15.10, fedora23, magia-5, mint-17.3, opensuse-42.1, slackware-14.1,
gentoo-20151225 (13.0?), archlinux-2015-12-01

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
---
 fs/devpts/inode.c | 33 ++++++++++++---------------------
 1 file changed, 12 insertions(+), 21 deletions(-)

diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c
index 7b4fe0d4018d..f86fae8dac0b 100644
--- a/fs/devpts/inode.c
+++ b/fs/devpts/inode.c
@@ -513,13 +513,6 @@ fail:
 }
 
 #ifdef CONFIG_DEVPTS_MULTIPLE_INSTANCES
-static int compare_init_pts_sb(struct super_block *s, void *p)
-{
-	if (devpts_mnt)
-		return devpts_mnt->mnt_sb == s;
-	return 0;
-}
-
 /*
  * devpts_mount()
  *
@@ -550,28 +543,26 @@ static int compare_init_pts_sb(struct super_block *s, void *p)
 static struct dentry *devpts_mount(struct file_system_type *fs_type,
 	int flags, const char *dev_name, void *data)
 {
-	struct super_block *s;
+	struct dentry *root;
 	bool newinstance;
 
 	newinstance = parse_newinstance(data);
+	if (flags & MS_KERNMOUNT)
+		newinstance = true;
 
-	/* Require newinstance for all user namespace mounts to ensure
+	/* Force newinstance for all user namespace mounts to ensure
 	 * the mount options are not changed.
 	 */
-	if ((current_user_ns() != &init_user_ns) && !newinstance)
-		return ERR_PTR(-EINVAL);
-
-	if (newinstance)
-		return mount_nodev(fs_type, flags, data, devpts_fill_super);
-
-	s = sget(fs_type, compare_init_pts_sb, set_anon_super, flags, NULL);
-	if (IS_ERR(s))
-		return ERR_CAST(s);
+	if (current_user_ns() != &init_user_ns)
+		newinstance = true;
 
-	/* Match mount_single ignore errors on remount */
-	devpts_remount(s, &flags, data);
+	root = NULL;
+	if (!newinstance)
+		root = mount_super_once(devpts_mnt->mnt_sb, flags, data);
+	if (IS_ERR_OR_NULL(root))
+		root = mount_nodev(fs_type, flags, data, devpts_fill_super);
 
-	return dget(s->s_root);
+	return root;
 }
 
 #else
-- 
2.6.3