[Devel] [PATCH vz10 v2] ve/vtty: fix use-after-free on concurrent tty close and reopen
Eva Kurchatova
eva.kurchatova at virtuozzo.com
Tue Jun 30 19:06:25 MSK 2026
Two races in the vtty subsystem lead to use-after-free of tty_struct
objects when vzctl console attach/detach cycles run concurrently with
container-side tty open/close (e.g. SAK-triggered getty respawn):
Race 1: double-final between concurrent vtty master and slave close.
In tty_release(), the vttys (slave) side has o_tty == NULL because its
driver subtype is PTY_TYPE_SLAVE, so the final-close check depends
solely on !slave->count. When master and slave close concurrently,
both sides can independently determine final == true: the slave sees
slave->count == 0, the master sees both counts == 0 (after the slave
count underflows to -1 and gets reset). Both then call
tty_release_struct -> release_tty, and the second caller hits a
use-after-free.
Fix this by adding a vtty-specific check after computing final: for
vttys closes, also verify that the peer vttym count is not positive.
This is safe without holding the vttym lock because the vttym side of
tty_release holds tty_lock_slave(vttys) while decrementing vttym->count,
so while we hold tty_lock(vttys) the vttym cannot have decremented yet.
Race 2: vtty_open_master reopens a dying tty pair.
After tty_release() sets final == true and releases tty_lock, there is
a window before release_tty() runs under tty_mutex. During this window
vtty_open_master() can find the old vttym in the vtty map with count == 0,
pass the ">= 1" check (which was designed as a "one vttym at a time"
guard, not a liveness check), re-increment the counts, and hand out a
file descriptor pointing to a tty_struct that is about to be freed.
Fix this by taking tty_lock(vttys) in vtty_open_master() to serialize
with a concurrent tty_release() on the vttys side, so we read the slave
count after any in-flight close has decremented it. If vttys->count
has reached zero the pair is dying, so return -EBUSY. Incrementing
vttys->count under the same tty_lock prevents a concurrent tty_release()
from seeing zero and entering the final-close path.
The lock nesting pattern of tty_mutex -> tty_lock is preserved, which
prevents any kind of A->B, B->A circular locking dependency.
Fixes: dfe187803cf9 ("ve/vtty: Don't close unread master peer if slave is nonzero")
Signed-off-by: Eva Kurchatova <eva.kurchatova at virtuozzo.com>
---
drivers/tty/pty.c | 31 ++++++++++++++++++++++++++-----
drivers/tty/tty_io.c | 17 +++++++++++++++++
include/linux/ve.h | 1 +
3 files changed, 44 insertions(+), 5 deletions(-)
diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
index f8610c77817a..2336204265ab 100644
--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
@@ -628,6 +628,11 @@ bool vtty_is_master(struct tty_struct *tty)
return tty->driver == vttym_driver;
}
+bool vtty_is_slave(struct tty_struct *tty)
+{
+ return tty->driver == vttys_driver;
+}
+
typedef struct {
envid_t veid;
struct tty_struct *vttys[MAX_NR_VTTY_CONSOLES];
@@ -1082,15 +1087,31 @@ int vtty_open_master(envid_t veid, int idx)
goto err_install;
}
- vtty_drop_context();
-
/*
- * We're the master peer so increment
- * slave counter as well.
+ * Serialize with a concurrent tty_release() on the vttys side.
+ * tty_lock guarantees we see the slave count after any in-flight
+ * close has decremented it. If the slave has reached zero the
+ * pair is dying; return -EBUSY and let the caller retry; the
+ * old pair will be freed once we drop tty_mutex below, and the
+ * next attempt will create a fresh one.
+ *
+ * Incrementing slave->count under the same tty_lock prevents a
+ * concurrent tty_release() from seeing zero and starting the
+ * final-close path that would cause use-after-free.
*/
+ tty_lock(tty->link);
+ if (tty->link->count == 0) {
+ tty_unlock(tty->link);
+ ret = -EBUSY;
+ goto err_install;
+ }
+ tty->link->count++;
+ tty_unlock(tty->link);
+
+ vtty_drop_context();
+
tty_add_file(tty, file);
tty->count++;
- tty->link->count++;
fd_install(fd, file);
vtty_open(tty, file);
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index 797a9d0ddd1e..507da79a24fa 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -1864,6 +1864,23 @@ int tty_release(struct inode *inode, struct file *filp)
/* check whether both sides are closing ... */
final = !tty->count && !(o_tty && o_tty->count);
+#ifdef CONFIG_VE
+ /*
+ * vtty: prevent double-final between concurrent master and slave close.
+ *
+ * For vtty slaves o_tty is NULL (PTY_TYPE_SLAVE), so the standard final
+ * check only looks at slave->count.
+ *
+ * When the master is closing concurrently, it holds tty_lock_slave(slave)
+ * while decrementing master->count, so while we hold tty_lock(slave),
+ * the master cannot have decremented yet - master->count is still > 0.
+ * If master->count is already 0 here, the master already returned
+ * from tty_release with final = false, therefore we are closing it.
+ */
+ if (final && !o_tty && tty->link && vtty_is_slave(tty) && tty->link->count > 0)
+ final = 0;
+#endif
+
tty_unlock_slave(o_tty);
tty_unlock(tty);
diff --git a/include/linux/ve.h b/include/linux/ve.h
index b037f60225bb..bf5d9acb964c 100644
--- a/include/linux/ve.h
+++ b/include/linux/ve.h
@@ -236,6 +236,7 @@ extern int vtty_open_master(envid_t veid, int idx);
extern void vtty_release(struct tty_struct *tty, struct tty_struct *o_tty,
int *tty_closing, int *o_tty_closing);
extern bool vtty_is_master(struct tty_struct *tty);
+extern bool vtty_is_slave(struct tty_struct *tty);
extern void vtty_alloc_tty_struct(const struct tty_driver *driver,
struct tty_struct *o_tty);
#endif /* CONFIG_TTY */
--
2.54.0
More information about the Devel
mailing list