Skip to content

Commit

Permalink
devpts: fix error handling in devpts_mntget()
Browse files Browse the repository at this point in the history 
If devpts_ptmx_path() returns an error code, then devpts_mntget()
dereferences an ERR_PTR():

    BUG: unable to handle kernel paging request at fffffffffffffff5
    IP: devpts_mntget+0x13f/0x280 fs/devpts/inode.c:173

Fix it by returning early in the error paths.

Reproducer:

    #define _GNU_SOURCE
    #include <fcntl.h>
    #include <sched.h>
    #include <sys/ioctl.h>
    #define TIOCGPTPEER _IO('T', 0x41)

    int main()
    {
        for (;;) {
            int fd = open("/dev/ptmx", 0);
            unshare(CLONE_NEWNS);
            ioctl(fd, TIOCGPTPEER, 0);
        }
    }

Fixes: 311fc65 ("pty: Repair TIOCGPTPEER")
Reported-by: syzbot <[email protected]>
Cc: <[email protected]> # v4.13+
Signed-off-by: Eric Biggers <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
  • Loading branch information
@ebiggers @torvalds
ebiggers authored and torvalds committed Jan 31, 2018
1 parent c0cef30 commit c9cc8d0
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions fs/devpts/inode.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -168,11 +168,11 @@ struct vfsmount *devpts_mntget(struct file *filp, struct pts_fs_info *fsi)
dput(path.dentry);
if (err) {
mntput(path.mnt);
path.mnt = ERR_PTR(err);
return ERR_PTR(err);
}
if (DEVPTS_SB(path.mnt->mnt_sb) != fsi) {
mntput(path.mnt);
path.mnt = ERR_PTR(-ENODEV);
return ERR_PTR(-ENODEV);
}
return path.mnt;
}
Expand Down

0 comments on commit c9cc8d0

Please sign in to comment.