Patch "debugfs: fix refcount imbalance in start_creating" has been added to the 4.2-stable tree

[<gregkh@linuxfoundation.org>]

This is a note to let you know that I've just added the patch titled

    debugfs: fix refcount imbalance in start_creating

to the 4.2-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     debugfs-fix-refcount-imbalance-in-start_creating.patch
and it can be found in the queue-4.2 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 0ee9608c89e81a1ccee52ecb58a7ff040e2522d9 Mon Sep 17 00:00:00 2001
From: Daniel Borkmann <daniel@iogearbox.net>
Date: Thu, 5 Nov 2015 00:01:51 +0100
Subject: debugfs: fix refcount imbalance in start_creating

From: Daniel Borkmann <daniel@iogearbox.net>

commit 0ee9608c89e81a1ccee52ecb58a7ff040e2522d9 upstream.

In debugfs' start_creating(), we pin the file system to safely access
its root. When we failed to create a file, we unpin the file system via
failed_creating() to release the mount count and eventually the reference
of the vfsmount.

However, when we run into an error during lookup_one_len() when still
in start_creating(), we only release the parent's mutex but not so the
reference on the mount. Looks like it was done in the past, but after
splitting portions of __create_file() into start_creating() and
end_creating() via 190afd81e4a5 ("debugfs: split the beginning and the
end of __create_file() off"), this seemed missed. Noticed during code
review.

Fixes: 190afd81e4a5 ("debugfs: split the beginning and the end of __create_file() off")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/debugfs/inode.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -271,8 +271,12 @@ static struct dentry *start_creating(con
 		dput(dentry);
 		dentry = ERR_PTR(-EEXIST);
 	}
-	if (IS_ERR(dentry))
+
+	if (IS_ERR(dentry)) {
 		mutex_unlock(&d_inode(parent)->i_mutex);
+		simple_release_fs(&debugfs_mount, &debugfs_mount_count);
+	}
+
 	return dentry;
 }
 


Patches currently in stable-queue which might be from daniel@iogearbox.net are

queue-4.2/packet-infer-protocol-from-ethernet-header-if-unset.patch
queue-4.2/debugfs-fix-refcount-imbalance-in-start_creating.patch
queue-4.2/bpf-array-fix-heap-out-of-bounds-access-when-updating-elements.patch
queue-4.2/ipv6-sctp-implement-sctp_v6_destroy_sock.patch
queue-4.2/packet-only-allow-extra-vlan-len-on-ethernet-devices.patch
queue-4.2/net-scm-fix-pax-detected-msg_controllen-overflow-in-scm_detach_fds.patch
queue-4.2/packet-fix-tpacket_snd-max-frame-len.patch
queue-4.2/packet-always-probe-for-transport-header.patch
queue-4.2/packet-do-skb_probe_transport_header-when-we-actually-have-data.patch
queue-4.2/tools-net-use-include-uapi-with-__exported_headers__.patch