From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1032288AbdAEL6p (ORCPT <rfc822;w@1wt.eu>);
        Thu, 5 Jan 2017 06:58:45 -0500
Received: from szxga02-in.huawei.com ([119.145.14.65]:36211 "EHLO
        szxga02-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S968751AbdAEL6f (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 5 Jan 2017 06:58:35 -0500
Subject: Re: [PATCH] Drop reference added by grab_header
To: Zhou Chengming <zhouchengming1@huawei.com>,
        <linux-kernel@vger.kernel.org>, <viro@zeniv.linux.org.uk>,
        <ebiederm@xmission.com>, <balbi@kernel.org>
References: <1483616021-16958-1-git-send-email-zhouchengming1@huawei.com>
CC: <konishi.ryusuke@lab.ntt.co.jp>, <jack@suse.cz>,
        <dmitry.torokhov@gmail.com>, <caiqian@redhat.com>,
        <yangshukui@huawei.com>, <dingtianhong@huawei.com>,
        <lizefan@huawei.com>
From: Hanjun Guo <guohanjun@huawei.com>
Message-ID: <586E3481.409@huawei.com>
Date: Thu, 5 Jan 2017 19:56:49 +0800
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101
 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <1483616021-16958-1-git-send-email-zhouchengming1@huawei.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.177.17.188]
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0),
        refid=str=0001.0A090203.586E3496.006F,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0,
        ip=0.0.0.0,
        so=2013-06-18 04:22:30,
        dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: dea8536e17773f4dc6a0896c586eaeb8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2017/1/5 19:33, Zhou Chengming wrote:
> Fixes CVE-2016-9191.

CVE-2016-9191 says that it's cgroup bug but turns out it's
not, I think you need to add more commit message to
explain it? For example, we got different calltrace stack
but all of them point to drop_sysctl_table() and it turns out
a reference count bug.

Thanks
Hanjun
>
> Reported-by: CAI Qian <caiqian@redhat.com>
> Tested-by: Yang Shukui <yangshukui@huawei.com>
> Signed-off-by: Zhou Chengming <zhouchengming1@huawei.com>
> ---
>  fs/proc/proc_sysctl.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
> index 5d931bf..c4c90bd 100644
> --- a/fs/proc/proc_sysctl.c
> +++ b/fs/proc/proc_sysctl.c
> @@ -718,7 +718,7 @@ static int proc_sys_readdir(struct file *file, struct dir_context *ctx)
>  	ctl_dir = container_of(head, struct ctl_dir, header);
>  
>  	if (!dir_emit_dots(file, ctx))
> -		return 0;
> +		goto out;
>  
>  	pos = 2;
>  
> @@ -728,6 +728,7 @@ static int proc_sys_readdir(struct file *file, struct dir_context *ctx)
>  			break;
>  		}
>  	}
> +out:
>  	sysctl_head_finish(head);
>  	return 0;
>  }