[PATCH v2]: check for fops->owner in anon_inode_getfd

[Christian Borntraeger <borntraeger@de.ibm.com>]

> > +	if (fops->owner && !try_module_get(fops->owner))
> > +		return -ENOENT;
> > +
> >  	error = get_unused_fd_flags(flags);
> >  	if (error < 0)
> >  		return error;
> 
> What if get_unused_fd_flags() (or the following error-returing ops) fails 
> after a successful try_module_get()?

Right, well spotted. I have added a fixup label.

From: Christian Borntraeger <borntraeger@de.ibm.com>

There is an imbalance for anonymous inodes. If the fops->owner field is set,
the module reference count of owner is decreases on release. 
("filp_close" --> "__fput" ---> "fops_put")

On the other hand, anon_inode_getfd does not increase the module reference 
count of owner. This causes two problems:

- if owner is set, the module refcount goes negative
- if owner is not set, the module can be unloaded while code is running 

This patch changes anon_inode_getfd to be symmetric regarding fops->owner 
handling.

I have checked all existing users of anon_inode_getfd. Noone sets fops->owner, 
thats why nobody has seen the module refcount negative.

Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>


From: Christian Borntraeger <borntraeger@de.ibm.com>

There is an imbalance for anonymous inodes. If the fops->owner field is set,
the module reference count of owner is decreases on release. 
("filp_close" --> "__fput" ---> "fops_put")

On the other hand, anon_inode_getfd does not increase the module reference 
count of owner. This causes two problems:

- if owner is set, the module refcount goes negative
- if owner is not set, the module can be unloaded while code is running 

This patch changes anon_inode_getfd to be symmetric regarding fops->owner 
handling.

I have checked all existing users of anon_inode_getfd. Noone sets fops->owner, 
thats why nobody has seen the module refcount negative.

Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
---
 fs/anon_inodes.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

Index: kvm/fs/anon_inodes.c
===================================================================
--- kvm.orig/fs/anon_inodes.c
+++ kvm/fs/anon_inodes.c
@@ -79,9 +79,12 @@ int anon_inode_getfd(const char *name, c
 	if (IS_ERR(anon_inode_inode))
 		return -ENODEV;
 
+	if (fops->owner && !try_module_get(fops->owner))
+		return -ENOENT;
+
 	error = get_unused_fd_flags(flags);
 	if (error < 0)
-		return error;
+		goto err_module;
 	fd = error;
 
 	/*
@@ -128,6 +131,8 @@ err_dput:
 	dput(dentry);
 err_put_unused_fd:
 	put_unused_fd(fd);
+err_module:
+	module_put(fops->owner);
 	return error;
 }
 EXPORT_SYMBOL_GPL(anon_inode_getfd);