From: Darrick J. Wong Date: Tue, 8 May 2007 07:25:47 +0000 (-0700) Subject: Fix race between proc_readdir and remove_proc_entry X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=59cd0cbc75367b82f704f63b104117462275060d;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git Fix race between proc_readdir and remove_proc_entry Fix the following race: proc_readdir remove_proc_entry ============ ================= spin_lock(&proc_subdir_lock); [choose PDE to start filldir from] spin_unlock(&proc_subdir_lock); spin_lock(&proc_subdir_lock); [find PDE] [free PDE, refcount is 0] spin_unlock(&proc_subdir_lock); /* boom */ if (filldir(dirent, de->name, ... [de_put on error path --adobriyan] Signed-off-by: Darrick J. Wong Signed-off-by: Alexey Dobriyan Cc: "Eric W. Biederman" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/fs/proc/generic.c b/fs/proc/generic.c index 22a08ff3475..8a40e15f5ec 100644 --- a/fs/proc/generic.c +++ b/fs/proc/generic.c @@ -478,14 +478,21 @@ int proc_readdir(struct file * filp, } do { + struct proc_dir_entry *next; + /* filldir passes info to user space */ + de_get(de); spin_unlock(&proc_subdir_lock); if (filldir(dirent, de->name, de->namelen, filp->f_pos, - de->low_ino, de->mode >> 12) < 0) + de->low_ino, de->mode >> 12) < 0) { + de_put(de); goto out; + } spin_lock(&proc_subdir_lock); filp->f_pos++; - de = de->next; + next = de->next; + de_put(de); + de = next; } while (de); spin_unlock(&proc_subdir_lock); }