diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2008-04-22 07:32:44 +0200 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2008-04-23 01:55:03 +0200 |
commit | 9b4f526cdc0f95f635607dfba6ac788b3deca188 (patch) | |
tree | f9f324dbd88856fdaeff1d0146059806bacba26f /fs/proc | |
parent | [PATCH] double-free of inode on alloc_file() failure exit in create_write_pipe() (diff) | |
download | linux-9b4f526cdc0f95f635607dfba6ac788b3deca188.tar.xz linux-9b4f526cdc0f95f635607dfba6ac788b3deca188.zip |
[PATCH] proc_readfd_common() race fix
Since we drop the rcu_read_lock inside the loop, we can't assume
that files->fdt will remain unchanged (and not freed) between
iterations.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to '')
-rw-r--r-- | fs/proc/base.c | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/fs/proc/base.c b/fs/proc/base.c index 81d7d145292a..7313c62e3e9d 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -1626,7 +1626,6 @@ static int proc_readfd_common(struct file * filp, void * dirent, unsigned int fd, ino; int retval; struct files_struct * files; - struct fdtable *fdt; retval = -ENOENT; if (!p) @@ -1649,9 +1648,8 @@ static int proc_readfd_common(struct file * filp, void * dirent, if (!files) goto out; rcu_read_lock(); - fdt = files_fdtable(files); for (fd = filp->f_pos-2; - fd < fdt->max_fds; + fd < files_fdtable(files)->max_fds; fd++, filp->f_pos++) { char name[PROC_NUMBUF]; int len; |