| From ec66eaf7653fbdfaad150329df058c77409093f1 Mon Sep 17 00:00:00 2001 |
| From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> |
| Date: Fri, 4 Feb 2011 18:13:24 +0000 |
| Subject: [PATCH] CRED: Fix kernel panic upon security_file_alloc() failure. |
| |
| commit 78d2978874e4e10e97dfd4fd79db45bdc0748550 upstream. |
| |
| In get_empty_filp() since 2.6.29, file_free(f) is called with f->f_cred == NULL |
| when security_file_alloc() returned an error. As a result, kernel will panic() |
| due to put_cred(NULL) call within RCU callback. |
| |
| Fix this bug by assigning f->f_cred before calling security_file_alloc(). |
| |
| Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
| Signed-off-by: David Howells <dhowells@redhat.com> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/fs/file_table.c b/fs/file_table.c |
| index 32d12b7..d4be17f 100644 |
| --- a/fs/file_table.c |
| +++ b/fs/file_table.c |
| @@ -123,13 +123,13 @@ struct file *get_empty_filp(void) |
| goto fail; |
| |
| percpu_counter_inc(&nr_files); |
| + f->f_cred = get_cred(cred); |
| if (security_file_alloc(f)) |
| goto fail_sec; |
| |
| INIT_LIST_HEAD(&f->f_u.fu_list); |
| atomic_long_set(&f->f_count, 1); |
| rwlock_init(&f->f_owner.lock); |
| - f->f_cred = get_cred(cred); |
| spin_lock_init(&f->f_lock); |
| eventpoll_init_file(f); |
| /* f->f_version: 0 */ |
| -- |
| 1.7.4.4 |
| |