aboutsummaryrefslogtreecommitdiffstats
path: root/fs/sysfs
diff options
context:
space:
mode:
authorMing Lei <ming.lei@canonical.com>2013-03-20 11:25:25 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-03-20 19:53:42 -0400
commite5110f411d2ee35bf8d202ccca2e89c633060dca (patch)
tree9fe7297901679cca05b459f9e7e524e99c534a7d /fs/sysfs
parent991f76f837bf22c5bb07261cfd86525a0a96650c (diff)
sysfs: handle failure path correctly for readdir()
In case of 'if (filp->f_pos == 0 or 1)' of sysfs_readdir(), the failure from filldir() isn't handled, and the reference counter of the sysfs_dirent object pointed by filp->private_data will be released without clearing filp->private_data, so use after free bug will be triggered later. This patch returns immeadiately under the situation for fixing the bug, and it is reasonable to return from readdir() when filldir() fails. Reported-by: Dave Jones <davej@redhat.com> Tested-by: Sasha Levin <levinsasha928@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/sysfs')
-rw-r--r--fs/sysfs/dir.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
index c9e16608f486..e14512678c9b 100644
--- a/fs/sysfs/dir.c
+++ b/fs/sysfs/dir.c
@@ -1020,6 +1020,8 @@ static int sysfs_readdir(struct file * filp, void * dirent, filldir_t filldir)
1020 ino = parent_sd->s_ino; 1020 ino = parent_sd->s_ino;
1021 if (filldir(dirent, ".", 1, filp->f_pos, ino, DT_DIR) == 0) 1021 if (filldir(dirent, ".", 1, filp->f_pos, ino, DT_DIR) == 0)
1022 filp->f_pos++; 1022 filp->f_pos++;
1023 else
1024 return 0;
1023 } 1025 }
1024 if (filp->f_pos == 1) { 1026 if (filp->f_pos == 1) {
1025 if (parent_sd->s_parent) 1027 if (parent_sd->s_parent)
@@ -1028,6 +1030,8 @@ static int sysfs_readdir(struct file * filp, void * dirent, filldir_t filldir)
1028 ino = parent_sd->s_ino; 1030 ino = parent_sd->s_ino;
1029 if (filldir(dirent, "..", 2, filp->f_pos, ino, DT_DIR) == 0) 1031 if (filldir(dirent, "..", 2, filp->f_pos, ino, DT_DIR) == 0)
1030 filp->f_pos++; 1032 filp->f_pos++;
1033 else
1034 return 0;
1031 } 1035 }
1032 mutex_lock(&sysfs_mutex); 1036 mutex_lock(&sysfs_mutex);
1033 for (pos = sysfs_dir_pos(ns, parent_sd, filp->f_pos, pos); 1037 for (pos = sysfs_dir_pos(ns, parent_sd, filp->f_pos, pos);