minor patch for fs/exec.c

Bill Hawes (whawes@star.net)
Fri, 22 Aug 1997 11:30:19 -0400


This is a multi-part message in MIME format.
--------------342FDD08939CD9B92FA0B97C
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

There's a potential problem in open_dentry that could lead to an error
return from open being mistaken as a successful return, possibly
resulting in one of a process's files being closed. If the return from
f_ops->open is > 0, it is treated as an error in open_dentry, but when
this value is returned to the caller it would be treated as an fd.

The attached patch against 2.1.51 coerces positive errors into -EIO.

Regards,
Bill
--------------342FDD08939CD9B92FA0B97C
Content-Type: text/plain; charset=us-ascii; name="exec_51-patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="exec_51-patch"

--- fs/exec.c.old Tue Aug 19 09:15:10 1997
+++ fs/exec.c Fri Aug 22 10:58:55 1997
@@ -134,21 +134,23 @@
}
#endif /* CONFIG_MODULES */

+/* N.B. Error returns must be < 0 */
int open_dentry(struct dentry * dentry, int mode)
{
int fd;
struct inode * inode = dentry->d_inode;
+ struct file * f;
+ int error;

+ error = -EINVAL;
if (!inode->i_op || !inode->i_op->default_file_ops)
- return -EINVAL;
+ goto out;
fd = get_unused_fd();
if (fd >= 0) {
- struct file * f = get_empty_filp();
-
- if (!f) {
- put_unused_fd(fd);
- return -ENFILE;
- }
+ error = -ENFILE;
+ f = get_empty_filp();
+ if (!f)
+ goto out_fd;
f->f_flags = mode;
f->f_mode = (mode+1) & O_ACCMODE;
f->f_dentry = dentry;
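Review bot: The new comment `/* N.B. Error returns must be < 0 */` above `open_dentry` states a rule without saying whose contract it is or why it matters. Per the patch description, the caller treats any non-negative return as a file descriptor, so a positive value leaking out of `f_op->open` would be taken for a valid fd. I would spell that out, e.g. `/* Returns an fd >= 0 or a negative errno; callers treat any value >= 0 as an fd, so positive returns from ->open are mapped to -EIO. */`. The function body continues past the end of this hunk.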
@@ -156,17 +158,23 @@
f->f_reada = 0;
f->f_op = inode->i_op->default_file_ops;
if (f->f_op->open) {
- int error = f->f_op->open(inode,f);
- if (error) {
- put_filp(f);
- put_unused_fd(fd);
- return error;
- }
+ error = f->f_op->open(inode,f);
+ if (error)
+ goto out_filp;
}
current->files->fd[fd] = f;
dget(dentry);
}
return fd;
+
+out_filp:
+ if (error > 0)
+ error = -EIO;
+ put_filp(f);
+out_fd:
+ put_unused_fd(fd);
+out:
+ return error;
}

/*
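Review bot: At `out_filp`, a positive return from `f_op->open` is rewritten to `-EIO` with no trace, so the open method that broke the "errors are negative" contract stays hidden and the caller only sees a generic I/O error. A diagnostic inside the `if (error > 0)` branch would make the offending driver findable from the log, e.g. `printk(KERN_WARNING "open_dentry: ->open returned %d\n", error);` placed before `error = -EIO;`. The start of `open_dentry` is outside this hunk.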

--------------342FDD08939CD9B92FA0B97C--