kernel_optimize_test/fs
Sukadev Bhattiprolu edfacdd6f8 devpts_get_tty() should validate inode
devpts_get_tty() assumes that the inode passed in is associated with a valid
pty.  But if the only reference to the pty is via a bind-mount, the inode
passed to devpts_get_tty() while valid, would refer to a pty that no longer
exists.

With a lot of debug effort, Grzegorz Nosek developed a small program (see
below) to reproduce a crash on recent kernels. This crash is a regression
introduced by the commit:

	commit 527b3e4773
	Author: Sukadev Bhattiprolu <sukadev@us.ibm.com>
	Date:   Mon Oct 13 10:43:08 2008 +0100

To fix, ensure that the dentry associated with the inode has not yet been
deleted/unhashed by devpts_pty_kill().

See also:
https://lists.linux-foundation.org/pipermail/containers/2009-July/019273.html 

tty-bug.c:

#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/signal.h>
#include <unistd.h>
#include <stdio.h>

#include <linux/fs.h>

void dummy(int sig)
{
}

static int child(void *unused)
{
	int fd;

	signal(SIGINT, dummy); signal(SIGHUP, dummy);
	pause(); /* cheesy synchronisation to wait for /dev/pts/0 to appear */

	mount("/dev/pts/0", "/dev/console", NULL, MS_BIND, NULL);
	sleep(2);

	fd = open("/dev/console", O_RDWR);
	dup(0); dup(0);
	write(1, "Hello world!\n", sizeof("Hello world!\n")-1);
	return 0;
}

int main(void)
{
	pid_t pid;
	char *stack;

	stack = malloc(16384);
	pid = clone(child, stack+16384, CLONE_NEWNS|SIGCHLD, NULL);

	open("/dev/ptmx", O_RDWR|O_NOCTTY|O_NONBLOCK);

	unlockpt(fd); grantpt(fd);

	sleep(2);
	kill(pid, SIGHUP);
	sleep(1);
	return 0; /* exit before child opens /dev/console */
}

Reported-by: Grzegorz Nosek <root@localdomain.pl>
Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
Tested-by: Serge Hallyn <serue@us.ibm.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2009-12-11 15:18:05 -08:00
..
9p 9p: fix build breakage introduced by FS-Cache 2009-12-01 07:35:11 -08:00
adfs adfs: remove redundant test on unsigned 2009-09-24 07:21:05 -07:00
affs
afs FS-Cache: Handle pages pending storage that get evicted under OOM conditions 2009-11-19 18:11:35 +00:00
autofs trivial: remove unnecessary semicolons 2009-09-21 15:14:58 +02:00
autofs4
befs fs: Make unload_nls() NULL pointer safe 2009-09-24 07:47:42 -04:00
bfs
btrfs Merge branch 'for-next' into for-linus 2009-12-07 18:36:35 +01:00
cachefiles CacheFiles: Update IMA counters when using dentry_open 2009-12-01 07:35:11 -08:00
cifs Merge branch 'for-next' into for-linus 2009-12-07 18:36:35 +01:00
coda sysctl: Drop & in front of every proc_handler. 2009-11-18 08:37:40 -08:00
configfs writeback: add name to backing_dev_info 2009-09-11 09:20:26 +02:00
cramfs
debugfs fs/debugfs/inode.c: fix comment typos 2009-12-04 15:39:52 +01:00
devpts devpts_get_tty() should validate inode 2009-12-11 15:18:05 -08:00
dlm Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/dlm 2009-12-10 09:33:59 -08:00
ecryptfs ima: ecryptfs fix imbalance message 2009-10-08 11:31:38 -05:00
efs
exofs exofs: Multi-device mirror support 2009-12-10 09:59:23 +02:00
exportfs
ext2 Merge branch 'hwpoison' of git://git.kernel.org/pub/scm/linux/kernel/git/ak/linux-mce-2.6 2009-09-24 07:53:22 -07:00
ext3 Merge branch 'for-next' into for-linus 2009-12-07 18:36:35 +01:00
ext4 Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 2009-12-10 09:33:29 -08:00
fat Merge git://git.kernel.org/pub/scm/linux/kernel/git/hirofumi/fatfs-2.6 2009-09-30 09:31:14 -07:00
freevxfs
fscache FS-Cache: Provide nop fscache_stat_d() if CONFIG_FSCACHE_STATS=n 2009-11-20 21:50:44 +00:00
fuse fuse: reject O_DIRECT flag also in fuse_create 2009-11-27 16:37:13 +01:00
gfs2 GFS2: Fix glock refcount issues 2009-12-03 12:00:12 +00:00
hfs hfs: fix oops on mount with corrupted btree extent records 2009-10-29 07:39:29 -07:00
hfsplus hfsplus: refuse to mount volumes larger than 2TB 2009-10-29 07:39:27 -07:00
hostfs
hpfs
hppfs
hugetlbfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-09-24 08:32:11 -07:00
isofs fs: Make unload_nls() NULL pointer safe 2009-09-24 07:47:42 -04:00
jbd fs/jbd: Export log_start_commit to fix ext3 build. 2009-11-12 10:24:12 +01:00
jbd2 jbd2: Export jbd2_log_start_commit to fix ext4 build 2009-12-09 20:42:53 -05:00
jffs2 Merge branch 'for-next' into for-linus 2009-12-07 18:36:35 +01:00
jfs tree-wide: fix assorted typos all over the place 2009-12-04 15:39:55 +01:00
lockd sysctl: Drop & in front of every proc_handler. 2009-11-18 08:37:40 -08:00
minix V3 minixfs: add missing directory type checking 2009-09-23 07:39:57 -07:00
ncpfs tree-wide: fix assorted typos all over the place 2009-12-04 15:39:55 +01:00
nfs Merge branch 'for-2.6.33' of git://git.kernel.dk/linux-2.6-block 2009-12-08 08:19:16 -08:00
nfs_common
nfsd Fix memory corruption caused by nfsd readdir+ 2009-11-14 12:55:55 -08:00
nilfs2 nilfs2: deleted inconsistent comment in nilfs_load_inode_block() 2009-11-15 17:17:46 +09:00
nls Merge git://git.kernel.org/pub/scm/linux/kernel/git/hirofumi/fatfs-2.6 2009-09-30 09:31:14 -07:00
notify Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
ntfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
ocfs2 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
omfs tree-wide: fix assorted typos all over the place 2009-12-04 15:39:55 +01:00
openpromfs
partitions partitions: read whole sector with EFI GPT header 2009-11-23 09:29:58 +01:00
proc Merge git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/sysctl-2.6 2009-12-08 07:38:50 -08:00
qnx4 qnx4fs: add missing KERN_xxx to printk() calls 2009-11-09 09:40:57 +01:00
quota Merge git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/sysctl-2.6 2009-12-08 07:38:50 -08:00
ramfs truncate: use new helpers 2009-09-24 08:41:47 -04:00
reiserfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
romfs ROMFS: fix length used with romfs_dev_strnlen() function 2009-10-11 11:33:56 -07:00
smbfs fs: Make unload_nls() NULL pointer safe 2009-09-24 07:47:42 -04:00
squashfs const: mark remaining super_operations const 2009-09-22 07:17:24 -07:00
sysfs sysfs: Don't leak secdata when a sysfs_dirent is freed. 2009-11-05 08:19:18 +11:00
sysv
ubifs Merge git://git.infradead.org/ubifs-2.6 2009-12-10 09:31:45 -08:00
udf udf: Fix possible corruption when close races with write 2009-09-14 19:13:01 +02:00
ufs
xfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
aio.c block: move bdi/address_space unplug functions to backing-dev.h 2009-10-29 13:59:26 +01:00
anon_inodes.c headers: remove sched.h from poll.h 2009-10-04 15:05:10 -07:00
attr.c truncate: new helpers 2009-09-24 08:41:47 -04:00
bad_inode.c
binfmt_aout.c
binfmt_elf_fdpic.c fdpic: ignore the loader's PT_GNU_STACK when calculating the stack size 2009-09-24 07:21:02 -07:00
binfmt_elf.c tree-wide: fix assorted typos all over the place 2009-12-04 15:39:55 +01:00
binfmt_em86.c
binfmt_flat.c flat: use IS_ERR_VALUE() helper macro 2009-09-24 07:21:03 -07:00
binfmt_misc.c
binfmt_script.c
binfmt_som.c
bio-integrity.c
bio.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
block_dev.c Merge branch 'for-linus' into for-2.6.33 2009-11-03 21:14:39 +01:00
buffer.c Merge branch 'writeback' of git://git.kernel.dk/linux-2.6-block 2009-09-25 09:27:30 -07:00
char_dev.c fs/char_dev.c: remove useless loop 2009-09-24 07:21:03 -07:00
compat_binfmt_elf.c
compat_ioctl.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
compat.c x86, fs: Fix x86 procfs stack information for threads on 64-bit 2009-11-04 13:25:03 +01:00
dcache.c
dcookies.c
direct-io.c Fix regression in direct writes performance due to WRITE_ODIRECT flag removal 2009-11-26 09:46:46 +01:00
drop_caches.c sysctl: remove "struct file *" argument of ->proc_handler 2009-09-24 07:21:04 -07:00
eventfd.c anonfd: split interface into file creation and install 2009-09-23 07:39:29 -07:00
eventpoll.c sysctl: Drop & in front of every proc_handler. 2009-11-18 08:37:40 -08:00
exec.c Merge branch 'master' into next 2009-12-03 12:03:40 +05:30
fcntl.c fcntl: rename F_OWNER_GID to F_OWNER_PGRP 2009-11-17 17:40:33 -08:00
fifo.c
file_table.c LSM: imbed ima calls in the security hooks 2009-10-25 12:22:48 +08:00
file.c headers: remove sched.h from interrupt.h 2009-10-11 11:20:58 -07:00
filesystems.c
fs_struct.c
fs-writeback.c writeback: remove unused nonblocking and congestion checks 2009-12-03 13:54:25 +01:00
generic_acl.c
inode.c LSM: imbed ima calls in the security hooks 2009-10-25 12:22:48 +08:00
internal.h fs: fix overflow in sys_mount() for in-kernel calls 2009-09-24 08:40:15 -04:00
ioctl.c __generic_block_fiemap(): fix for files bigger than 4GB 2009-11-12 07:26:01 -08:00
ioprio.c
Kconfig powerpc: Cleanup Kconfig selection of hugetlbfs support 2009-10-30 15:03:54 +11:00
Kconfig.binfmt
libfs.c libfs: return error code on failed attr set 2009-09-24 07:47:30 -04:00
locks.c const: make lock_manager_operations const 2009-09-22 07:17:25 -07:00
Makefile
mbcache.c
mpage.c
namei.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6 2009-09-11 08:55:49 -07:00
namespace.c LSM: Pass original mount flags to security_sb_mount(). 2009-10-12 10:56:03 +11:00
nfsctl.c
no-block.c
open.c LSM: Move security_path_chmod()/security_path_chown() to after mutex_lock(). 2009-11-24 08:49:26 +11:00
pipe.c fs: pipe.c null pointer dereference 2009-10-22 08:11:44 +09:00
pnode.c
pnode.h
posix_acl.c
read_write.c sendfile(): check f_op.splice_write() rather than f_op.sendpage() 2009-11-04 09:09:52 +01:00
read_write.h
readdir.c
select.c headers: remove sched.h from poll.h 2009-10-04 15:05:10 -07:00
seq_file.c vfs: seq_file: add helpers for data filling 2009-09-24 07:47:35 -04:00
signalfd.c
splice.c sendfile(): check f_op.splice_write() rather than f_op.sendpage() 2009-11-04 09:09:52 +01:00
stack.c
stat.c
super.c freeze_bdev: grab active reference to frozen superblocks 2009-09-24 07:47:41 -04:00
sync.c fs/buffer.c: clean up EXPORT* macros 2009-09-23 07:39:29 -07:00
timerfd.c
utimes.c
xattr_acl.c VFS: Use GFP_NOFS in posix_acl_from_xattr() 2009-12-03 11:48:07 +00:00
xattr.c VFS: Factor out part of vfs_setxattr so it can be called from the SELinux hook for inode_setsecctx. 2009-09-10 10:11:22 +10:00