devpts: fix error handling in devpts_mntget()

Commit Message

Eric Biggers Jan. 31, 2018, 8:49 a.m. UTC

From: Eric Biggers <ebiggers@google.com>

If devpts_ptmx_path() returns an error code, then devpts_mntget()
dereferences an ERR_PTR():

    BUG: unable to handle kernel paging request at fffffffffffffff5
    IP: devpts_mntget+0x13f/0x280 fs/devpts/inode.c:173

Fix it by returning early in the error paths.

Reproducer:

    #define _GNU_SOURCE
    #include <fcntl.h>
    #include <sched.h>
    #include <sys/ioctl.h>
    #define TIOCGPTPEER _IO('T', 0x41)

    int main()
    {
        for (;;) {
            int fd = open("/dev/ptmx", 0);
            unshare(CLONE_NEWNS);
            ioctl(fd, TIOCGPTPEER, 0);
        }
    }

Fixes: 311fc65c9fb9 ("pty: Repair TIOCGPTPEER")
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: <stable@vger.kernel.org> # v4.13+
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 fs/devpts/inode.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Linus Torvalds Jan. 31, 2018, 4:49 p.m. UTC | #1

On Wed, Jan 31, 2018 at 12:49 AM, Eric Biggers <ebiggers3@gmail.com> wrote:
>
> If devpts_ptmx_path() returns an error code, then devpts_mntget()
> dereferences an ERR_PTR():

Thanks, applied.

            Linus

Patch

diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c
index 7eae33ffa3fcc..e31d6ed3ec327 100644
--- a/fs/devpts/inode.c
+++ b/fs/devpts/inode.c
@@ -168,11 +168,11 @@  struct vfsmount *devpts_mntget(struct file *filp, struct pts_fs_info *fsi)
 	dput(path.dentry);
 	if (err) {
 		mntput(path.mnt);
-		path.mnt = ERR_PTR(err);
+		return ERR_PTR(err);
 	}
 	if (DEVPTS_SB(path.mnt->mnt_sb) != fsi) {
 		mntput(path.mnt);
-		path.mnt = ERR_PTR(-ENODEV);
+		return ERR_PTR(-ENODEV);
 	}
 	return path.mnt;
 }