git.stricted.de - GitHub/mt8127/android_kernel_alcatel

author	Andrea Arcangeli <andrea@cpushare.com>
	Tue, 25 Jul 2017 20:22:45 +0000 (22:22 +0200)
committer	Stricted <info@stricted.net>
	Thu, 3 May 2018 16:49:05 +0000 (18:49 +0200)
commit	14468afe50e021585050245adfac7a1d385939cd
tree	455367e6fc0f32808fc6fb7a0a2aa029aedaed4e	tree \| snapshot (tar.gz zip)
parent	d0b3db957eea741958562bf660484af180a65d50	commit \| diff

fs/exec: fix use after free in execve

"file" can be already freed if bprm->file is NULL after
search_binary_handler() return. binfmt_script will do exactly that for
example. If the VM reuses the file after fput run(), this will result in
a use ater free.

So obtain d_is_su before search_binary_handler() runs.

This should explain this crash:

[25333.009554] Unable to handle kernel NULL pointer dereference at virtual address 00000185
[..]
[25333.009918] [2: am:21861] PC is at do_execve+0x354/0x474

Change-Id: I2a8a814d1c0aa75625be83cb30432cf13f1a0681
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>