From: Eric Sandeen <sandeen@redhat.com> Subject: [RHEL5.2 PATCH ] missing dput in do_lookup error case leaks dentries Date: Mon, 05 Nov 2007 17:05:16 -0600 Bugzilla: 363491 Message-Id: <472FA1AC.20600@redhat.com> Changelog: [fs] missing dput in do_lookup error leaks dentries For Bugzilla Bug 363491: EMBARGOED CVE-2007-5494 open(O_ATOMICLOOKUP) leaks dentry [rhel-5.2] the "atomic" codepaths introduced by the tux patch added an error return case which leaks a dentry; see bug 315051 for a testcase, with which this patch was tested. >From the original report: static int do_lookup(struct nameidata *nd, struct qstr *name, struct path *path, int atomic) { struct vfsmount *mnt = nd->mnt; struct dentry *dentry = __d_lookup(nd->dentry, name); if (!dentry) goto need_lookup; if (dentry->d_op && dentry->d_op->d_revalidate) goto need_revalidate; >>>>> VvS: dentry was taken but requires revalidation need_revalidate: if (atomic) return -EWOULDBLOCKIO; >>>>> VvS: ... however if atomic is set, we forget to call dput before exit Patch follows. Thanks, -Eric --- Index: linux-2.6.18-49.el5/fs/namei.c =================================================================== --- linux-2.6.18-49.el5.orig/fs/namei.c +++ linux-2.6.18-49.el5/fs/namei.c @@ -788,8 +788,10 @@ need_lookup: goto done; need_revalidate: - if (atomic) + if (atomic) { + dput(dentry); return -EWOULDBLOCKIO; + } dentry = do_revalidate(dentry, nd); if (!dentry) goto need_lookup;
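Review bot: the dput() added before the atomic return is the right fix, since __d_lookup() at the top of do_lookup() returned `dentry` with a reference held and, before the patch, `if (atomic) return -EWOULDBLOCKIO;` was the one exit that neither dropped that reference nor handed it on to do_revalidate() or the caller. Two suggestions for the same hunk: put a short comment on the new line, e.g. `dput(dentry); /* drop the ref __d_lookup() took */`, so the pairing survives a later reshuffle of this block, and, because the atomic early returns come from the tux patch rather than upstream namei.c, audit the other `if (atomic)` exits in this file (not visible in the hunk) for the same missing release before the embargoed CVE fix ships. The changelog line could also name open(O_ATOMICLOOKUP) as the user-triggerable path, as the bugzilla title does, so anyone backporting knows how to reproduce it.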
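To make the leak concrete outside the kernel, here is an added user-space model of the control flow the patch fixes. It is constructed example code, not code from the RHEL patch, from Eric's mail or from fs/namei.c: `model_d_lookup`, `model_dput`, `do_lookup_buggy`, `do_lookup_fixed` and `leaked_refs` are hypothetical names, the `dentry` struct is a two-field stand-in, and the numeric value of `EWOULDBLOCKIO` is an assumption. What it shows is the invariant a reviewer checks on a change like this: every exit path after a lookup that takes a reference must either hand that reference to the caller or drop it, and the pre-patch atomic early return did neither.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model of the reference-count bug in the patch.
 * Not kernel code: names mirror fs/namei.c only for readability, and the
 * numeric value of EWOULDBLOCKIO below is an assumption. */
#define EWOULDBLOCKIO 526

struct dentry {
    int d_count;        /* reference count, like dentry->d_count */
    int has_revalidate; /* stands in for dentry->d_op->d_revalidate != NULL */
};

/* Model of __d_lookup(): a cache hit returns the dentry with one reference
 * taken on behalf of the caller, which must release it on every exit path. */
static struct dentry *model_d_lookup(struct dentry *cached, int hit)
{
    if (!hit)
        return NULL;
    cached->d_count++;
    return cached;
}

static void model_dput(struct dentry *d)
{
    d->d_count--;
}

/* Pre-patch control flow. Contract: on success *out carries one reference
 * that the caller drops; on error no reference may remain. The atomic early
 * return at need_revalidate breaks that contract. */
static int do_lookup_buggy(struct dentry *cached, int hit, int atomic, struct dentry **out)
{
    struct dentry *dentry = model_d_lookup(cached, hit);
    if (!dentry)
        return -1; /* the real code jumps to need_lookup; not modelled here */
    if (dentry->has_revalidate) {
        if (atomic)
            return -EWOULDBLOCKIO; /* BUG: the reference from lookup is never dropped */
        /* a successful revalidate keeps the same dentry and its reference */
    }
    *out = dentry;
    return 0;
}

/* Post-patch control flow: identical except that the reference is released
 * before the atomic early return. */
static int do_lookup_fixed(struct dentry *cached, int hit, int atomic, struct dentry **out)
{
    struct dentry *dentry = model_d_lookup(cached, hit);
    if (!dentry)
        return -1;
    if (dentry->has_revalidate) {
        if (atomic) {
            model_dput(dentry); /* the fix: drop what the lookup took */
            return -EWOULDBLOCKIO;
        }
    }
    *out = dentry;
    return 0;
}

typedef int (*lookup_fn)(struct dentry *, int, int, struct dentry **);

/* Drive n lookups against a dentry that needs revalidation and return the net
 * change in its reference count. A leak-free implementation yields 0 for both
 * atomic and non-atomic callers; the buggy one yields n in atomic mode, one
 * dangling reference per open(O_ATOMICLOOKUP). */
static int leaked_refs(lookup_fn lookup, int n, int atomic)
{
    struct dentry d = { .d_count = 1, .has_revalidate = 1 };
    int before = d.d_count;
    for (int i = 0; i < n; i++) {
        struct dentry *res = NULL;
        int rc = lookup(&d, 1, atomic, &res);
        if (rc == 0)
            model_dput(res); /* caller-owned reference on success */
    }
    return d.d_count - before;
}

int main(void)
{
    printf("buggy, atomic: %d refs leaked after 1000 lookups\n", leaked_refs(do_lookup_buggy, 1000, 1));
    printf("fixed, atomic: %d refs leaked after 1000 lookups\n", leaked_refs(do_lookup_fixed, 1000, 1));
    printf("buggy, non-atomic: %d refs leaked\n", leaked_refs(do_lookup_buggy, 1000, 0));
    return 0;
}
```

The non-atomic runs leak nothing in either version, which matches why the bug survived: only the O_ATOMICLOOKUP path reaches the early return, so ordinary path walks never exercised it. The same harness shape (count references before, run the operation n times, compare after) is a cheap regression check to keep next to any lookup-style function that mixes early returns with reference-taking calls.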