Patch "devpts: fix error handling in devpts_mntget()" has been added to the 4.14-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    devpts: fix error handling in devpts_mntget()

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     devpts-fix-error-handling-in-devpts_mntget.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From c9cc8d01fb04117928830449388512a5047569c9 Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@xxxxxxxxxx>
Date: Wed, 31 Jan 2018 00:49:18 -0800
Subject: devpts: fix error handling in devpts_mntget()

From: Eric Biggers <ebiggers@xxxxxxxxxx>

commit c9cc8d01fb04117928830449388512a5047569c9 upstream.

If devpts_ptmx_path() returns an error code, then devpts_mntget()
dereferences an ERR_PTR():

    BUG: unable to handle kernel paging request at fffffffffffffff5
    IP: devpts_mntget+0x13f/0x280 fs/devpts/inode.c:173

Fix it by returning early in the error paths.

Reproducer:

    #define _GNU_SOURCE
    #include <fcntl.h>
    #include <sched.h>
    #include <sys/ioctl.h>
    #define TIOCGPTPEER _IO('T', 0x41)

    int main()
    {
        for (;;) {
            int fd = open("/dev/ptmx", 0);
            unshare(CLONE_NEWNS);
            ioctl(fd, TIOCGPTPEER, 0);
        }
    }

Fixes: 311fc65c9fb9 ("pty: Repair TIOCGPTPEER")
Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 fs/devpts/inode.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/devpts/inode.c
+++ b/fs/devpts/inode.c
@@ -168,11 +168,11 @@ struct vfsmount *devpts_mntget(struct fi
 	dput(path.dentry);
 	if (err) {
 		mntput(path.mnt);
-		path.mnt = ERR_PTR(err);
+		return ERR_PTR(err);
 	}
 	if (DEVPTS_SB(path.mnt->mnt_sb) != fsi) {
 		mntput(path.mnt);
-		path.mnt = ERR_PTR(-ENODEV);
+		return ERR_PTR(-ENODEV);
 	}
 	return path.mnt;
 }


Patches currently in stable-queue which might be from ebiggers@xxxxxxxxxx are

queue-4.14/pipe-fix-off-by-one-error-when-checking-buffer-limits.patch
queue-4.14/crypto-hash-annotate-algorithms-taking-optional-key.patch
queue-4.14/crypto-cryptd-pass-through-absence-of-setkey.patch
queue-4.14/crypto-hash-prevent-using-keyed-hashes-without-setting-key.patch
queue-4.14/ubifs-free-the-encrypted-symlink-target.patch
queue-4.14/pipe-actually-allow-root-to-exceed-the-pipe-buffer-limits.patch
queue-4.14/kernel-relay.c-revert-kernel-relay.c-fix-potential-memory-leak.patch
queue-4.14/nfs-reject-request-for-id_legacy-key-without-auxdata.patch
queue-4.14/crypto-poly1305-remove-setkey-method.patch
queue-4.14/crypto-sha512-mb-initialize-pending-lengths-correctly.patch
queue-4.14/devpts-fix-error-handling-in-devpts_mntget.patch
queue-4.14/crypto-hash-introduce-crypto_hash_alg_has_setkey.patch
queue-4.14/crypto-mcryptd-pass-through-absence-of-setkey.patch
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]