From: David Howells <dhowells@redhat.com>
To: stable@kernel.org
Cc: dhowells@redhat.com, akpm@linux-foundation.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Subject: Re: [PATCH] CRED: Fix kernel panic upon security_file_alloc() failure.
Date: Mon, 07 Feb 2011 23:55:20 +0000
Message-ID: <13661.1297122920@redhat.com>
In-Reply-To: <20110204181324.15313.11611.stgit@warthog.procyon.org.uk>
From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
In get_empty_filp() since 2.6.29, file_free(f) is called with f->f_cred == NULL
when security_file_alloc() returned an error. As a result, kernel will panic()
due to put_cred(NULL) call within RCU callback.
Fix this bug by assigning f->f_cred before calling security_file_alloc().
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: David Howells <dhowells@redhat.com>
---
fs/file_table.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/fs/file_table.c b/fs/file_table.c
index c3e89ad..eb36b6b 100644
--- a/fs/file_table.c
+++ b/fs/file_table.c
@@ -125,13 +125,13 @@ struct file *get_empty_filp(void)
goto fail;
percpu_counter_inc(&nr_files);
+ f->f_cred = get_cred(cred);
if (security_file_alloc(f))
goto fail_sec;
INIT_LIST_HEAD(&f->f_u.fu_list);
atomic_long_set(&f->f_count, 1);
rwlock_init(&f->f_owner.lock);
- f->f_cred = get_cred(cred);
spin_lock_init(&f->f_lock);
eventpoll_init_file(f);
/* f->f_version: 0 */
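Review bot: The ordering constraint on the moved `f->f_cred = get_cred(cred);` line is undocumented. Nothing in the hunk tells a later reader that the assignment has to precede `security_file_alloc(f)`, because the `goto fail_sec` path ends in file_free(f), which per the commit message reaches put_cred() on f->f_cred from an RCU callback. A one-line comment above the assignment, such as `/* set before any goto fail_sec: file_free() does put_cred(f->f_cred) */`, would stop a future cleanup from moving it back next to the other field initialisers. The changelog could also state that the reference taken by get_cred() is dropped by that same put_cred() on the failure path, so the reorder does not introduce a cred leak. The declaration and initialisation of `cred` are not in the visible context, so the move is only correct if `cred` is already set before this point in get_empty_filp().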
Thread overview: 3+ messages
2011-02-04 18:13 [PATCH] CRED: Fix kernel panic upon security_file_alloc() failure David Howells
2011-02-07 23:55 ` David Howells [this message]
[not found] <201102032116.IAD48949.OHFFLOSFVMtJQO@I-love.SAKURA.ne.jp>
[not found] ` <20110203020957.10955.86.stgit@warthog.procyon.org.uk>
[not found] ` <20110203021008.10955.59837.stgit@warthog.procyon.org.uk>
[not found] ` <8442.1296743034@redhat.com>
2011-02-04 13:30 ` [PATCH] cred: " Tetsuo Handa