author Mathias Krause <minipli@grsecurity.net> 2024-02-04 08:51:52 +0100
committer Kent Overstreet <kent.overstreet@linux.dev> 2024-02-13 21:22:21 -0500
commit 79ec0122de72aa3c6b71ee9a637bc97280c5b24c (patch)
tree d97f95ba0c0313b35b857dbd5169fd554e2fa9f7
parent 1f66e2132664cd97669118fc08983d50f03eac21 (diff)
bcachefs: install fd later to avoid race with close
Calling fd_install() makes a file reachable for userland, including the possibility to close the file descriptor, which leads to calling its 'release' hook. If that happens before the code had a chance to bump the reference of the newly created task struct, the release callback will call put_task_struct() too early, leading to the premature destruction of the kernel thread.

Avoid that race by calling fd_install() later, after all the setup is done.

Fixes: 1c6fdbd8f246 ("bcachefs: Initial commit")
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
(cherry picked from commit dd839f31d7cd5e04f4111a219024268c6f6973f0)
-rw-r--r-- fs/bcachefs/chardev.c 3
1 files changed, 1 insertions, 2 deletions
diff --git a/fs/bcachefs/chardev.c b/fs/bcachefs/chardev.c
index 4bb88aefed12..64000c8da5ee 100644
--- a/fs/bcachefs/chardev.c
+++ b/fs/bcachefs/chardev.c
@@ -392,10 +392,9 @@ static long bch2_ioctl_data(struct bch_fs *c,
goto err;
}
- fd_install(fd, file);
-
get_task_struct(ctx->thread);
wake_up_process(ctx->thread);
+ fd_install(fd, file);
return fd;
err:
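Review bot: the ordering constraint on fd_install(fd, file), now the last statement before "return fd;", is carried only by the commit message; nothing in the code says it must stay after get_task_struct(ctx->thread) and wake_up_process(ctx->thread). A one-line comment above the call (for example, that once the fd is installed userland can close it and trigger the release hook, so all setup including the task reference must be complete first) would keep a later refactor from moving it back up and reintroducing the early put_task_struct(). The same placement rule is worth checking at any other fd_install() call in this file whose release hook drops a reference taken after file creation.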