提交 45525b26 编写于 作者: A Al Viro

fix a leak in replace_fd() users

replace_fd() began with "eats a reference, tries to insert into
descriptor table" semantics; at some point I'd switched it to
much saner current behaviour ("try to insert into descriptor
table, grabbing a new reference if inserted; caller should do
fput() in any case"), but forgot to update the callers.
Mea culpa...

[Spotted by Pavel Roskin, who has really weird system with pipe-fed
coredumps as part of what he considers a normal boot ;-)]
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
上级 dd8e8c4a
...@@ -450,11 +450,12 @@ static int umh_pipe_setup(struct subprocess_info *info, struct cred *new) ...@@ -450,11 +450,12 @@ static int umh_pipe_setup(struct subprocess_info *info, struct cred *new)
cp->file = files[1]; cp->file = files[1];
replace_fd(0, files[0], 0); err = replace_fd(0, files[0], 0);
fput(files[0]);
/* and disallow core files too */ /* and disallow core files too */
current->signal->rlim[RLIMIT_CORE] = (struct rlimit){1, 1}; current->signal->rlim[RLIMIT_CORE] = (struct rlimit){1, 1};
return 0; return err;
} }
void do_coredump(siginfo_t *siginfo, struct pt_regs *regs) void do_coredump(siginfo_t *siginfo, struct pt_regs *regs)
......
...@@ -2132,18 +2132,14 @@ static inline void flush_unauthorized_files(const struct cred *cred, ...@@ -2132,18 +2132,14 @@ static inline void flush_unauthorized_files(const struct cred *cred,
return; return;
devnull = dentry_open(&selinux_null, O_RDWR, cred); devnull = dentry_open(&selinux_null, O_RDWR, cred);
if (!IS_ERR(devnull)) { if (IS_ERR(devnull))
devnull = NULL;
/* replace all the matching ones with this */ /* replace all the matching ones with this */
do { do {
replace_fd(n - 1, get_file(devnull), 0); replace_fd(n - 1, devnull, 0);
} while ((n = iterate_fd(files, n, match_file, cred)) != 0); } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
if (devnull)
fput(devnull); fput(devnull);
} else {
/* just close all the matching ones */
do {
replace_fd(n - 1, NULL, 0);
} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
}
} }
/* /*
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册