Date:	Mon, 5 Mar 2007 13:42:56 -0800
From:	Joel Becker <Joel.Becker@...cle.com>
To:	Akinobu Mita <akinobu.mita@...il.com>,
	Arnd Bergmann <arnd@...db.de>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] configfs: add missing mutex_unlock()

	First, thank you Akinobu for discovering the bug.

On Mon, Mar 05, 2007 at 12:16:59AM +0900, Akinobu Mita wrote:
> On Sun, Mar 04, 2007 at 03:10:19PM +0100, Arnd Bergmann wrote:
> > This should be changed to jump to a new exit point, before the mutex_unlock
> > at the end of the function. Having multiple places in the function that
> > release the same lock easily leads to the kind of bug you are fixing here.
> 
> Agreed. Please see the patch below (untested).

	Jumping isn't always the solution.  The new patch, while better
than the first, still calls mutex_unlock() in two places.  The following
patch keeps it all in one code path, and keeps all dentry modification
underneath a single mutex_lock()/unlock() pair.  What do you think?  I'm
building it to test as we speak.

Joel

diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
index 1814ba4..489c265 100644
--- a/fs/configfs/dir.c
+++ b/fs/configfs/dir.c
@@ -1142,25 +1142,22 @@ int configfs_register_subsystem(struct configfs_subsystem *subsys)
 
 	err = -ENOMEM;
 	dentry = d_alloc(configfs_sb->s_root, &name);
-	if (!dentry)
-		goto out_release;
-
-	d_add(dentry, NULL);
+	if (dentry) {
+		d_add(dentry, NULL);
 
-	err = configfs_attach_group(sd->s_element, &group->cg_item,
-				    dentry);
-	if (!err)
-		dentry = NULL;
-	else
-		d_delete(dentry);
+		err = configfs_attach_group(sd->s_element, &group->cg_item,
+					    dentry);
+		if (err) {
+			d_delete(dentry);
+			dput(dentry);
+		}
+	}
 
 	mutex_unlock(&configfs_sb->s_root->d_inode->i_mutex);
 
-	if (dentry) {
-	    dput(dentry);
-out_release:
-	    unlink_group(group);
-	    configfs_release_fs();
+	if (err) {
+		unlink_group(group);
+		configfs_release_fs();
 	}
 
 	return err;
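Review bot: the dput(dentry) in the new `if (err)` branch under configfs_attach_group() now runs while the root inode's i_mutex is still held, whereas the removed lines called dput() only after mutex_unlock(). The changelog should state that dropping the reference under the lock is intended and safe here. Separately, the d_alloc() failure case now reaches the final `if (err)` cleanup only because `err = -ENOMEM` is assigned immediately before the allocation. A one-line comment at that assignment would keep a later edit from moving or clearing it and silently skipping unlink_group() and configfs_release_fs().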

-- 

"Nobody loves me,
 Nobody seems to care.
 Troubles and worries, people,
 You know I've had my share."

Joel Becker
Principal Software Developer
Oracle
E-mail: joel.becker@...cle.com
Phone: (650) 506-8127