kernel-2.6.18-194.11.1.el5.src.rpm

From: Eric Sandeen <sandeen@redhat.com>
Subject: [RHEL5 PATCH 2/3] - sysfs: fix condition check in sysfs_drop_dentry()
Date: Fri, 24 Aug 2007 14:47:12 -0500
Bugzilla: 243728
Message-Id: <46CF35C0.60204@redhat.com>
Changelog: [fs] sysfs: fix condition check in sysfs_drop_dentry()


For Bugzilla Bug 243728: CVE-2007-3104 Null pointer to an inode in a dentry can cause an oops in sysfs_readdir

Backport from upstream.

X-Git-Tag: v2.6.22-rc5~46
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=6aa054aadfea613a437ad0b15d38eca2b963fc0a

sysfs: fix condition check in sysfs_drop_dentry()

The condition check doesn't make much sense as it basically always
succeeds.  This causes NULL dereferencing in certain cases.  It seems
that parentheses are put in the wrong place.  Fix it.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

Index: linux-2.6.18-24.el5/fs/sysfs/inode.c
===================================================================
--- linux-2.6.18-24.el5.orig/fs/sysfs/inode.c
+++ linux-2.6.18-24.el5/fs/sysfs/inode.c
@@ -221,7 +221,7 @@ void sysfs_drop_dentry(struct sysfs_dire
 	if (dentry) {
 		spin_lock(&dcache_lock);
 		spin_lock(&dentry->d_lock);
-		if (!(d_unhashed(dentry) && dentry->d_inode)) {
+		if (!d_unhashed(dentry) && dentry->d_inode) {
 			dget_locked(dentry);
 			__d_drop(dentry);
 			spin_unlock(&dentry->d_lock);
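
Review bot: on the changed test `if (!d_unhashed(dentry) && dentry->d_inode)`, a dentry that is still hashed but has a NULL d_inode is now skipped entirely, whereas the old form `!(d_unhashed(dentry) && dentry->d_inode)` entered the block for it, as it did for every dentry with a NULL d_inode. Please confirm that leaving such a hashed dentry without `__d_drop(dentry)` is intended. Also consider a one-line comment above the test stating that the block requires both a hashed dentry and a non-NULL inode, since the two forms differ only in parenthesis placement and are easy to misread.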