Re: [PATCH] Drop reference added by grab_header

From: Hanjun Guo
Date: Thu Jan 05 2017 - 06:58:49 EST


On 2017/1/5 19:33, Zhou Chengming wrote:
> Fixes CVE-2016-9191.

CVE-2016-9191 says that it's cgroup bug but turns out it's
not, I think you need to add more commit message to
explain it? For example, we got different calltrace stack
but all of them point to drop_sysctl_table() and it turns out
a reference count bug.

Thanks
Hanjun
>
> Reported-by: CAI Qian <caiqian@xxxxxxxxxx>
> Tested-by: Yang Shukui <yangshukui@xxxxxxxxxx>
> Signed-off-by: Zhou Chengming <zhouchengming1@xxxxxxxxxx>
> ---
> fs/proc/proc_sysctl.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
> index 5d931bf..c4c90bd 100644
> --- a/fs/proc/proc_sysctl.c
> +++ b/fs/proc/proc_sysctl.c
> @@ -718,7 +718,7 @@ static int proc_sys_readdir(struct file *file, struct dir_context *ctx)
> ctl_dir = container_of(head, struct ctl_dir, header);
>
> if (!dir_emit_dots(file, ctx))
> - return 0;
> + goto out;
>
> pos = 2;
>
> @@ -728,6 +728,7 @@ static int proc_sys_readdir(struct file *file, struct dir_context *ctx)
> break;
> }
> }
> +out:
> sysctl_head_finish(head);
> return 0;
> }