2010-07-15 12:25:13

by Tvrtko Ursulin

Subject: [PATCH][securityfs][2.6.34] Drop dentry reference count when mknod fails


lookup_one_len increments the dentry reference count, which is not decremented
when the create operation fails. This can cause a kernel BUG at
fs/dcache.c:676 at unmount time. Also, the error code returned when new_inode()
fails was replaced with the more appropriate -ENOMEM.


Signed-off-by: Tvrtko Ursulin <[email protected]>
---
inode.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff -upr linux-2.6.34/security/inode.c linux-2.6.34-new/security/inode.c
--- linux-2.6.34/security/inode.c 2010-05-16 22:17:36.000000000 +0100
+++ linux-2.6.34-new/security/inode.c 2010-07-15 13:20:38.133783253 +0100
@@ -86,7 +86,7 @@ static int mknod(struct inode *dir, stru
int mode, dev_t dev)
{
struct inode *inode;
- int error = -EPERM;
+ int error = -ENOMEM;

if (dentry->d_inode)
return -EEXIST;
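
Review bot: Changing the initializer of error in mknod() to -ENOMEM changes the result of every path that leaves error unassigned, not only the new_inode() failure named in the commit message. The hunk does not show the rest of the function, so please confirm that no other fall-through path relied on the old -EPERM default, or assign -ENOMEM explicitly at the new_inode() failure site so the intent is local to that check.
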
@@ -166,6 +166,8 @@ static int create_by_name(const char *na
error = mkdir(parent->d_inode, *dentry, mode);
else
error = create(parent->d_inode, *dentry, mode);
+ if (error)
+ dput(dentry);
} else
error = PTR_ERR(*dentry);
mutex_unlock(&parent->d_inode->i_mutex);
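
Review bot: The added dput(dentry) in create_by_name() passes the wrong level of indirection. Every other use in this hunk dereferences the parameter (mkdir(parent->d_inode, *dentry, mode), PTR_ERR(*dentry)), so dentry is a pointer to the dentry pointer and the call should be dput(*dentry). As posted, dput is handed the address of the caller's pointer rather than the dentry whose reference lookup_one_len took, so the reference is still not dropped.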



Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, United Kingdom.
Company Reg No 2096520. VAT Reg No GB 348 3873 20.


2010-07-15 14:57:34

by Serge E. Hallyn

Subject: Re: [PATCH][securityfs][2.6.34] Drop dentry reference count when mknod fails

Quoting Tvrtko Ursulin ([email protected]):
>
> lookup_one_len increments the dentry reference count, which is not decremented
> when the create operation fails. This can cause a kernel BUG at
> fs/dcache.c:676 at unmount time. Also, the error code returned when new_inode()
> fails was replaced with the more appropriate -ENOMEM.
>
>
> Signed-off-by: Tvrtko Ursulin <[email protected]>

Looks right.

Acked-by: Serge E. Hallyn <[email protected]>

thanks,
-serge

> ---
> inode.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff -upr linux-2.6.34/security/inode.c linux-2.6.34-new/security/inode.c
> --- linux-2.6.34/security/inode.c 2010-05-16 22:17:36.000000000 +0100
> +++ linux-2.6.34-new/security/inode.c 2010-07-15 13:20:38.133783253 +0100
> @@ -86,7 +86,7 @@ static int mknod(struct inode *dir, stru
> int mode, dev_t dev)
> {
> struct inode *inode;
> - int error = -EPERM;
> + int error = -ENOMEM;
>
> if (dentry->d_inode)
> return -EEXIST;
> @@ -166,6 +166,8 @@ static int create_by_name(const char *na
> error = mkdir(parent->d_inode, *dentry, mode);
> else
> error = create(parent->d_inode, *dentry, mode);
> + if (error)
> + dput(dentry);
> } else
> error = PTR_ERR(*dentry);
> mutex_unlock(&parent->d_inode->i_mutex);
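
Review bot: After the added dput on the error path, *dentry still holds the pointer returned by lookup_one_len, and nothing in this hunk clears it before create_by_name() returns. A caller that looks at *dentry after a failure would be holding a pointer it no longer has a reference for. Setting *dentry = NULL after the dput, or stating in a comment that the out parameter is invalid on error, would make that contract explicit.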

2010-07-15 17:11:49

by Greg KH

Subject: Re: [PATCH][securityfs][2.6.34] Drop dentry reference count when mknod fails

On Thu, Jul 15, 2010 at 01:25:06PM +0100, Tvrtko Ursulin wrote:
>
> lookup_one_len increments the dentry reference count, which is not decremented
> when the create operation fails. This can cause a kernel BUG at
> fs/dcache.c:676 at unmount time. Also, the error code returned when new_inode()
> fails was replaced with the more appropriate -ENOMEM.
>

Nice, thanks for finding and fixing this, great job.

> Signed-off-by: Tvrtko Ursulin <[email protected]>

Acked-by: Greg Kroah-Hartman <[email protected]>

thanks,

greg k-h

2010-07-16 01:38:50

by James Morris

Subject: Re: [PATCH][securityfs][2.6.34] Drop dentry reference count when mknod fails

On Thu, 15 Jul 2010, Tvrtko Ursulin wrote:

>
> lookup_one_len increments the dentry reference count, which is not decremented
> when the create operation fails. This can cause a kernel BUG at
> fs/dcache.c:676 at unmount time. Also, the error code returned when new_inode()
> fails was replaced with the more appropriate -ENOMEM.
>
>
> Signed-off-by: Tvrtko Ursulin <[email protected]>

Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6#next

--
James Morris
<[email protected]>