[PATCH][securityfs][2.6.34] Drop dentry reference count when mknod fails

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH][securityfs][2.6.34] Drop dentry reference count when mknod fails
@ 2010-07-15 12:25 Tvrtko Ursulin
  2010-07-15 14:59 ` Serge E. Hallyn
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Tvrtko Ursulin @ 2010-07-15 12:25 UTC (permalink / raw)
  To: James Morris
  Cc: greg@kroah.com, Al Viro, linux-kernel@vger.kernel.org,
	linux-security-module


lookup_one_len increments dentry reference count which is not decremented
when the create operation fails. This can cause a kernel BUG at
fs/dcache.c:676 at unmount time. Also error code returned when new_inode()
fails was replaced with more appropriate -ENOMEM.


Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@sophos.com>
---
 inode.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff -upr linux-2.6.34/security/inode.c linux-2.6.34-new/security/inode.c
--- linux-2.6.34/security/inode.c       2010-05-16 22:17:36.000000000 +0100
+++ linux-2.6.34-new/security/inode.c   2010-07-15 13:20:38.133783253 +0100
@@ -86,7 +86,7 @@ static int mknod(struct inode *dir, stru
                         int mode, dev_t dev)
 {
        struct inode *inode;
-       int error = -EPERM;
+       int error = -ENOMEM;

        if (dentry->d_inode)
                return -EEXIST;
@@ -166,6 +166,8 @@ static int create_by_name(const char *na
                        error = mkdir(parent->d_inode, *dentry, mode);
                else
                        error = create(parent->d_inode, *dentry, mode);
+               if (error)
+                       dput(dentry);
        } else
                error = PTR_ERR(*dentry);
        mutex_unlock(&parent->d_inode->i_mutex);



Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, United Kingdom.
Company Reg No 2096520. VAT Reg No GB 348 3873 20.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH][securityfs][2.6.34] Drop dentry reference count when mknod fails
  2010-07-15 12:25 [PATCH][securityfs][2.6.34] Drop dentry reference count when mknod fails Tvrtko Ursulin
@ 2010-07-15 14:59 ` Serge E. Hallyn
  2010-07-15 17:10 ` Greg KH
  2010-07-16  1:38 ` James Morris
  2 siblings, 0 replies; 4+ messages in thread
From: Serge E. Hallyn @ 2010-07-15 14:59 UTC (permalink / raw)
  To: Tvrtko Ursulin
  Cc: James Morris, greg@kroah.com, Al Viro,
	linux-kernel@vger.kernel.org, linux-security-module

Quoting Tvrtko Ursulin (tvrtko.ursulin@sophos.com):
> 
> lookup_one_len increments dentry reference count which is not decremented
> when the create operation fails. This can cause a kernel BUG at
> fs/dcache.c:676 at unmount time. Also error code returned when new_inode()
> fails was replaced with more appropriate -ENOMEM.
> 
> 
> Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@sophos.com>

Looks right.

Acked-by: Serge E. Hallyn <serge@hallyn.com>

thanks,
-serge

> ---
>  inode.c |    4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff -upr linux-2.6.34/security/inode.c linux-2.6.34-new/security/inode.c
> --- linux-2.6.34/security/inode.c       2010-05-16 22:17:36.000000000 +0100
> +++ linux-2.6.34-new/security/inode.c   2010-07-15 13:20:38.133783253 +0100
> @@ -86,7 +86,7 @@ static int mknod(struct inode *dir, stru
>                          int mode, dev_t dev)
>  {
>         struct inode *inode;
> -       int error = -EPERM;
> +       int error = -ENOMEM;
> 
>         if (dentry->d_inode)
>                 return -EEXIST;
> @@ -166,6 +166,8 @@ static int create_by_name(const char *na
>                         error = mkdir(parent->d_inode, *dentry, mode);
>                 else
>                         error = create(parent->d_inode, *dentry, mode);
> +               if (error)
> +                       dput(dentry);
>         } else
>                 error = PTR_ERR(*dentry);
>         mutex_unlock(&parent->d_inode->i_mutex);
> 
> 
> 
> Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, United Kingdom.
> Company Reg No 2096520. VAT Reg No GB 348 3873 20.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH][securityfs][2.6.34] Drop dentry reference count when mknod fails
  2010-07-15 12:25 [PATCH][securityfs][2.6.34] Drop dentry reference count when mknod fails Tvrtko Ursulin
  2010-07-15 14:59 ` Serge E. Hallyn
@ 2010-07-15 17:10 ` Greg KH
  2010-07-16  1:38 ` James Morris
  2 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2010-07-15 17:10 UTC (permalink / raw)
  To: Tvrtko Ursulin
  Cc: James Morris, Al Viro, linux-kernel@vger.kernel.org,
	linux-security-module

On Thu, Jul 15, 2010 at 01:25:06PM +0100, Tvrtko Ursulin wrote:
> 
> lookup_one_len increments dentry reference count which is not decremented
> when the create operation fails. This can cause a kernel BUG at
> fs/dcache.c:676 at unmount time. Also error code returned when new_inode()
> fails was replaced with more appropriate -ENOMEM.
> 

Nice, thanks for finding and fixing this, great job.

> Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@sophos.com>

Acked-by: Greg Kroah-Hartman <gregkh@suse.de>

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH][securityfs][2.6.34] Drop dentry reference count when mknod fails
  2010-07-15 12:25 [PATCH][securityfs][2.6.34] Drop dentry reference count when mknod fails Tvrtko Ursulin
  2010-07-15 14:59 ` Serge E. Hallyn
  2010-07-15 17:10 ` Greg KH
@ 2010-07-16  1:38 ` James Morris
  2 siblings, 0 replies; 4+ messages in thread
From: James Morris @ 2010-07-16  1:38 UTC (permalink / raw)
  To: Tvrtko Ursulin
  Cc: greg@kroah.com, Al Viro, linux-kernel@vger.kernel.org,
	linux-security-module

On Thu, 15 Jul 2010, Tvrtko Ursulin wrote:

> 
> lookup_one_len increments dentry reference count which is not decremented
> when the create operation fails. This can cause a kernel BUG at
> fs/dcache.c:676 at unmount time. Also error code returned when new_inode()
> fails was replaced with more appropriate -ENOMEM.
> 
> 
> Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@sophos.com>

Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6#next

-- 
James Morris
<jmorris@namei.org>

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2010-07-16  1:38 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-07-15 12:25 [PATCH][securityfs][2.6.34] Drop dentry reference count when mknod fails Tvrtko Ursulin
2010-07-15 14:59 ` Serge E. Hallyn
2010-07-15 17:10 ` Greg KH
2010-07-16  1:38 ` James Morris

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox