pty: fix possible use after free of tty->driver_data
authorHerton R. Krzesinski <herton@redhat.com>
Mon, 11 Jan 2016 14:07:43 +0000 (12:07 -0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 7 Feb 2016 07:45:46 +0000 (23:45 -0800)
commit2831c89f42dcde440cfdccb9fee9f42d54bbc1ef
treecf69785b4edd19e4a59549de860b0d00f920df1a
parent7dde55787b43a8f2b4021916db38d90c03a2ec64
pty: fix possible use after free of tty->driver_data

This change fixes a bug for a corner case where we have the the last
release from a pty master/slave coming from a previously opened /dev/tty
file. When this happens, the tty->driver_data can be stale, due to all
ptmx or pts/N files having already been closed before (and thus the inode
related to these files, which tty->driver_data points to, being already
freed/destroyed).

The fix here is to keep a reference on the opened master ptmx inode.
We maintain the inode referenced until the final pty_unix98_shutdown,
and only pass this inode to devpts_kill_index.

Signed-off-by: Herton R. Krzesinski <herton@redhat.com>
Cc: <stable@vger.kernel.org> # 2.6.29+
Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/tty/pty.c