
linux-2.4.36: Commit

2.4.36-stable kernel tree


Commit MetaInfo

Revision: 859abf20cf365e97360f8dae1d4b5c75947a41bf (tree)
Date: 2006-08-28 13:29:47
Author: Solar Designer <solar@open...>
Committer: Willy Tarreau

Log Message

[PATCH] loop.c: kernel_thread() retval check

Patch extracted from 2.4.33-ow1. It has also been ported to 2.6 by
Julio Auto.

Basically, the code in drivers/block/loop.c did not check the return
value from kernel_thread(). If kernel_thread() would fail, the code
would misbehave (IIRC, the invoking process would become unkillable).

An easy way to trigger the bug was to run losetup under strace (as
root), and this is also how I tested the error path added with this
patch.

This change has been a part of publicly released -ow patches for 8+
months.

There are more instances of kernel_thread() calls that do not check the
return value; some of the remaining ones might need to be fixed, too.

Acked-by: Alan Cox <alan@redhat.com>

Change Summary

Diff

--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -693,12 +693,23 @@ static int loop_set_fd(struct loop_device *lo, struct file *lo_file, kdev_t dev,
693693 set_blocksize(dev, bs);
694694
695695 lo->lo_bh = lo->lo_bhtail = NULL;
696- kernel_thread(loop_thread, lo, CLONE_FS | CLONE_FILES | CLONE_SIGHAND);
697- down(&lo->lo_sem);
696+ error = kernel_thread(loop_thread, lo,
697+ CLONE_FS | CLONE_FILES | CLONE_SIGHAND);
698+ if (error < 0)
699+ goto out_clr;
700+ down(&lo->lo_sem); /* wait for the thread to start */
698701
699702 fput(file);
700703 return 0;
701704
705+ out_clr:
706+ lo->lo_backing_file = NULL;
707+ lo->lo_device = 0;
708+ lo->lo_flags = 0;
709+ loop_sizes[lo->lo_number] = 0;
710+ inode->i_mapping->gfp_mask = lo->old_gfp_mask;
711+ lo->lo_state = Lo_unbound;
712+ fput(file); /* yes, have to do it twice */
702713 out_putf:
703714 fput(file);
704715 out:
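
Review bot: At `out_clr`, the comment "yes, have to do it twice" on the first `fput(file)` does not say which two references are being dropped, so a later reader cannot tell whether the fall-through into `out_putf` is a balanced release or a double put; name the two references in the comment (the hunk does not show where they are taken). Separately, `error` now holds the new thread's pid when `kernel_thread()` succeeds, which is harmless here only because the success path ends in a literal `return 0`; a short comment or a dedicated variable would make that explicit. It would also help to state that the fields reset under `out_clr` cover everything this function set up before the `kernel_thread()` call, since the hunk shows only the reset side.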