[PATCH] wrong error path in dup_fd() leading to oopses in RCU

[PATCH] wrong error path in dup_fd() leading to oopses in RCU

[Kirill Korotaev]

[-- Attachment #1: Type: text/plain, Size: 813 bytes --]

Wrong error path in dup_fd() - it should return NULL on error,
not an address of already freed memory :/

Triggered by OpenVZ stress test suite.

What is interesting is that it was causing different oopses in RCU like 
below:
Call Trace:
   [<c013492c>] rcu_do_batch+0x2c/0x80
   [<c0134bdd>] rcu_process_callbacks+0x3d/0x70
   [<c0126cf3>] tasklet_action+0x73/0xe0
   [<c01269aa>] __do_softirq+0x10a/0x130
   [<c01058ff>] do_softirq+0x4f/0x60
   =======================
   [<c0113817>] smp_apic_timer_interrupt+0x77/0x110
   [<c0103b54>] apic_timer_interrupt+0x1c/0x24
  Code:  Bad EIP value.
   <0>Kernel panic - not syncing: Fatal exception in interrupt

Signed-Off-By: Pavel Emelianov <xemul@sw.ru>
Signed-Off-By: Dmitry Mishin <dim@openvz.org>
Signed-Off-By: Kirill Korotaev <dev@openvz.org>

Thanks,
Kirill

[-- Attachment #2: diff-ms-files-fix-20060329 --]
[-- Type: text/plain, Size: 401 bytes --]

--- ./kernel/fork.c.fsfix	2006-03-29 11:42:01.000000000 +0400
+++ ./kernel/fork.c	2006-03-29 19:20:18.000000000 +0400
@@ -758,7 +758,7 @@ out_release:
 	free_fdset (new_fdt->open_fds, new_fdt->max_fdset);
 	free_fd_array(new_fdt->fd, new_fdt->max_fds);
 	kmem_cache_free(files_cachep, newf);
-	goto out;
+	return NULL;
 }
 
 static int copy_files(unsigned long clone_flags, struct task_struct * tsk)