From: Greg Kroah-Hartman <gregkh@suse.de>
Date: Thu, 2 Jul 2009 23:24:33 +0000 (-0700)
Subject: forgot to commit the .29 patch
X-Git-Tag: v2.6.27.26~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c0da2e41f1195b16f69d9144d46e34b02bd8d6e0;p=thirdparty%2Fkernel%2Fstable-queue.git

forgot to commit the .29 patch
---

diff --git a/queue-2.6.29/bsdacct-fix-access-to-invalid-filp-in-acct_on.patch b/queue-2.6.29/bsdacct-fix-access-to-invalid-filp-in-acct_on.patch
new file mode 100644
index 00000000000..825f76fd25d
--- /dev/null
+++ b/queue-2.6.29/bsdacct-fix-access-to-invalid-filp-in-acct_on.patch
@@ -0,0 +1,51 @@
+From df279ca8966c3de83105428e3391ab17690802a9 Mon Sep 17 00:00:00 2001
+From: Renaud Lottiaux <renaud.lottiaux@kerlabs.com>
+Date: Tue, 30 Jun 2009 11:41:34 -0700
+Subject: bsdacct: fix access to invalid filp in acct_on()
+
+From: Renaud Lottiaux <renaud.lottiaux@kerlabs.com>
+
+commit df279ca8966c3de83105428e3391ab17690802a9 upstream.
+
+The file opened in acct_on and freshly stored in the ns->bacct struct can
+be closed in acct_file_reopen by a concurrent call after we release
+acct_lock and before we call mntput(file->f_path.mnt).
+
+Record file->f_path.mnt in a local variable and use this variable only.
+
+Signed-off-by: Renaud Lottiaux <renaud.lottiaux@kerlabs.com>
+Signed-off-by: Louis Rilling <louis.rilling@kerlabs.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/acct.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/kernel/acct.c
++++ b/kernel/acct.c
+@@ -215,6 +215,7 @@ static void acct_file_reopen(struct bsd_
+ static int acct_on(char *name)
+ {
+ 	struct file *file;
++	struct vfsmount *mnt;
+ 	int error;
+ 	struct pid_namespace *ns;
+ 	struct bsd_acct_struct *acct = NULL;
+@@ -256,11 +257,12 @@ static int acct_on(char *name)
+ 		acct = NULL;
+ 	}
+ 
+-	mnt_pin(file->f_path.mnt);
++	mnt = file->f_path.mnt;
++	mnt_pin(mnt);
+ 	acct_file_reopen(ns->bacct, file, ns);
+ 	spin_unlock(&acct_lock);
+ 
+-	mntput(file->f_path.mnt); /* it's pinned, now give up active reference */
++	mntput(mnt); /* it's pinned, now give up active reference */
+ 	kfree(acct);
+ 
+ 	return 0;
diff --git a/queue-2.6.29/series b/queue-2.6.29/series
index 311c011ca9d..747c1b779d7 100644
--- a/queue-2.6.29/series
+++ b/queue-2.6.29/series
@@ -33,3 +33,4 @@ mm-fix-handling-of-pagesets-for-downed-cpus.patch
 dm-mpath-validate-table-argument-count.patch
 dm-mpath-validate-hw_handler-argument-count.patch
 dm-sysfs-skip-output-when-device-is-being-destroyed.patch
+bsdacct-fix-access-to-invalid-filp-in-acct_on.patch