devpts: fix error handling in devpts_mntget()

If devpts_ptmx_path() returns an error code, then devpts_mntget() dereferences an ERR_PTR(): BUG: unable to handle kernel paging request at fffffffffffffff5 IP: devpts_mntget+0x13f/0x280 fs/devpts/inode.c:173 Fix it by returning early in the error paths. Reproducer: #define _GNU_SOURCE #include <fcntl.h> #include <sched.h> #include <sys/ioctl.h> #define TIOCGPTPEER _IO('T', 0x41) int main() { for (;;) { int fd = open("/dev/ptmx", 0); unshare(CLONE_NEWNS); ioctl(fd, TIOCGPTPEER, 0); } } Fixes: 311fc65c9fb9 ("pty: Repair TIOCGPTPEER") Reported-by: syzbot <syzkaller@googlegroups.com> Cc: <stable@vger.kernel.org> # v4.13+ Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Eric Biggers <ebiggers@google.com> 2018-01-31 03:49:18 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2018-01-31 11:48:37 -0500
commit: c9cc8d01fb04117928830449388512a5047569c9 (patch)
tree: b7e97b68733d1ee57025aed05373041d5912853f
parent: c0cef30e4ff0dc025f4a1660b8f0ba43ed58426e (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c
index 7eae33ffa3fc..e31d6ed3ec32 100644
--- a/fs/devpts/inode.c
+++ b/fs/devpts/inode.c
@@ -168,11 +168,11 @@ struct vfsmount *devpts_mntget(struct file *filp, struct pts_fs_info *fsi)
        dput(path.dentry);
        if (err) {
                mntput(path.mnt);
-                path.mnt = ERR_PTR(err);
+                return ERR_PTR(err);
        }
        if (DEVPTS_SB(path.mnt->mnt_sb) != fsi) {
                mntput(path.mnt);
-                path.mnt = ERR_PTR(-ENODEV);
+                return ERR_PTR(-ENODEV);
        }
        return path.mnt;
 }
author	Eric Biggers <ebiggers@google.com>	2018-01-31 03:49:18 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2018-01-31 11:48:37 -0500
commit	c9cc8d01fb04117928830449388512a5047569c9 (patch)
tree	b7e97b68733d1ee57025aed05373041d5912853f
parent	c0cef30e4ff0dc025f4a1660b8f0ba43ed58426e (diff)

diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c index 7eae33ffa3fc..e31d6ed3ec32 100644 --- a/fs/devpts/inode.c +++ b/fs/devpts/inode.c
@@ -168,11 +168,11 @@ struct vfsmount devpts_mntget(struct file filp, struct pts_fs_info *fsi)
168	dput(path.dentry);	168	dput(path.dentry);
169	if (err) {	169	if (err) {
170	mntput(path.mnt);	170	mntput(path.mnt);
171	path.mnt = ERR_PTR(err);	171	return ERR_PTR(err);
172	}	172	}
173	if (DEVPTS_SB(path.mnt->mnt_sb) != fsi) {	173	if (DEVPTS_SB(path.mnt->mnt_sb) != fsi) {
174	mntput(path.mnt);	174	mntput(path.mnt);
175	path.mnt = ERR_PTR(-ENODEV);	175	return ERR_PTR(-ENODEV);
176	}	176	}
177	return path.mnt;	177	return path.mnt;
178	}	178	}