Prev: GFS2: Pull request (fixes)
Next: [PATCH] kmemleak: Annotate false positive in init_section_page_cgroup()
From: Serge E. Hallyn on 15 Jul 2010 11:00
Quoting Tvrtko Ursulin (tvrtko.ursulin(a)sophos.com):
>
> lookup_one_len increments dentry reference count which is not decremented
> when the create operation fails. This can cause a kernel BUG at
> fs/dcache.c:676 at unmount time. Also error code returned when new_inode()
> fails was replaced with more appropriate -ENOMEM.
>
>
> Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)sophos.com>

Looks right.

Acked-by: Serge E. Hallyn <serge(a)hallyn.com>

thanks,
-serge

> ---
> inode.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff -upr linux-2.6.34/security/inode.c linux-2.6.34-new/security/inode.c
> --- linux-2.6.34/security/inode.c 2010-05-16 22:17:36.000000000 +0100
> +++ linux-2.6.34-new/security/inode.c 2010-07-15 13:20:38.133783253 +0100
> @@ -86,7 +86,7 @@ static int mknod(struct inode *dir, stru
> int mode, dev_t dev)
> {
> struct inode *inode;
> - int error = -EPERM;
> + int error = -ENOMEM;
>
> if (dentry->d_inode)
> return -EEXIST;
> @@ -166,6 +166,8 @@ static int create_by_name(const char *na
> error = mkdir(parent->d_inode, *dentry, mode);
> else
> error = create(parent->d_inode, *dentry, mode);
> + if (error)
> + dput(dentry);
> } else
> error = PTR_ERR(*dentry);
> mutex_unlock(&parent->d_inode->i_mutex);
>
>
>
> Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, United Kingdom.
> Company Reg No 2096520. VAT Reg No GB 348 3873 20.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo(a)vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo(a)vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
From: James Morris on 15 Jul 2010 21:40
On Thu, 15 Jul 2010, Tvrtko Ursulin wrote:

>
> lookup_one_len increments dentry reference count which is not decremented
> when the create operation fails. This can cause a kernel BUG at
> fs/dcache.c:676 at unmount time. Also error code returned when new_inode()
> fails was replaced with more appropriate -ENOMEM.
>
>
> Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)sophos.com>

Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6#next

--
James Morris
<jmorris(a)namei.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo(a)vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
 | 
Pages: 1
Prev: GFS2: Pull request (fixes)
Next: [PATCH] kmemleak: Annotate false positive in init_section_page_cgroup()