--- /dev/null
+From df279ca8966c3de83105428e3391ab17690802a9 Mon Sep 17 00:00:00 2001
+From: Renaud Lottiaux <renaud.lottiaux@kerlabs.com>
+Date: Tue, 30 Jun 2009 11:41:34 -0700
+Subject: bsdacct: fix access to invalid filp in acct_on()
+
+From: Renaud Lottiaux <renaud.lottiaux@kerlabs.com>
+
+commit df279ca8966c3de83105428e3391ab17690802a9 upstream.
+
+The file opened in acct_on and freshly stored in the ns->bacct struct can
+be closed in acct_file_reopen by a concurrent call after we release
+acct_lock and before we call mntput(file->f_path.mnt).
+
+Record file->f_path.mnt in a local variable and use this variable only.
+
+Signed-off-by: Renaud Lottiaux <renaud.lottiaux@kerlabs.com>
+Signed-off-by: Louis Rilling <louis.rilling@kerlabs.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/acct.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/kernel/acct.c
++++ b/kernel/acct.c
+@@ -215,6 +215,7 @@ static void acct_file_reopen(struct bsd_
+ static int acct_on(char *name)
+ {
+ struct file *file;
++ struct vfsmount *mnt;
+ int error;
+ struct pid_namespace *ns;
+ struct bsd_acct_struct *acct = NULL;
+@@ -256,11 +257,12 @@ static int acct_on(char *name)
+ acct = NULL;
+ }
+
+- mnt_pin(file->f_path.mnt);
++ mnt = file->f_path.mnt;
++ mnt_pin(mnt);
+ acct_file_reopen(ns->bacct, file, ns);
+ spin_unlock(&acct_lock);
+
+- mntput(file->f_path.mnt); /* it's pinned, now give up active reference */
++ mntput(mnt); /* it's pinned, now give up active reference */
+ kfree(acct);
+
+ return 0;
projects / thirdparty / kernel / stable-queue.git / commitdiff
