2.4.36-stable kernel tree
Revision | 859abf20cf365e97360f8dae1d4b5c75947a41bf (tree) |
---|---|
Time | 2006-08-28 13:29:47 |
Author | Solar Designer <solar@open...> |
Committer | Willy Tarreau |
[PATCH] loop.c: kernel_thread() retval check

Patch extracted from 2.4.33-ow1. It has also been ported to 2.6 by
Julio Auto.

Basically, the code in drivers/block/loop.c did not check the return
value from kernel_thread(). If kernel_thread() would fail, the code
would misbehave (IIRC, the invoking process would become unkillable).
An easy way to trigger the bug was to run losetup under strace (as
root), and this is also how I tested the error path added with this
patch.

This change has been a part of publicly released -ow patches for 8+
months.

There are more instances of kernel_thread() calls that do not check the
return value; some of the remaining ones might need to be fixed, too.

Acked-by: Alan Cox <alan@redhat.com>

@@ -693,12 +693,23 @@ static int loop_set_fd(struct loop_device *lo, struct file *lo_file, kdev_t dev, | ||
693 | 693 | set_blocksize(dev, bs); |
694 | 694 | |
695 | 695 | lo->lo_bh = lo->lo_bhtail = NULL; |
696 | - kernel_thread(loop_thread, lo, CLONE_FS | CLONE_FILES | CLONE_SIGHAND); | |
697 | - down(&lo->lo_sem); | |
696 | + error = kernel_thread(loop_thread, lo, | |
697 | + CLONE_FS | CLONE_FILES | CLONE_SIGHAND); | |
698 | + if (error < 0) | |
699 | + goto out_clr; | |
700 | + down(&lo->lo_sem); /* wait for the thread to start */ | |
698 | 701 | |
699 | 702 | fput(file); |
700 | 703 | return 0; |
701 | 704 | |
705 | + out_clr: | |
706 | + lo->lo_backing_file = NULL; | |
707 | + lo->lo_device = 0; | |
708 | + lo->lo_flags = 0; | |
709 | + loop_sizes[lo->lo_number] = 0; | |
710 | + inode->i_mapping->gfp_mask = lo->old_gfp_mask; | |
711 | + lo->lo_state = Lo_unbound; | |
712 | + fput(file); /* yes, have to do it twice */ | |
702 | 713 | out_putf: |
703 | 714 | fput(file); |
704 | 715 | out: |
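
Review bot: The double release under out_clr is only explained by the comment "yes, have to do it twice" on the first fput(file), while the second one happens by falling through into out_putf. Please say in that comment which reference each call drops, so that a later edit to either label does not silently leak or over-release the file. It is also worth a short comment that error still carries the negative value from kernel_thread() when control reaches out:, and a check that the fields reset under out_clr cover everything loop_set_fd assigned before the kernel_thread() call, since only the tail of the function is visible in this hunk.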