[PATCH] proc_pid_lookup use-after-free fix
authorAndrew Morton <akpm@digeo.com>
Fri, 20 Jun 2003 15:15:03 +0000 (08:15 -0700)
committerLinus Torvalds <torvalds@home.transmeta.com>
Fri, 20 Jun 2003 15:15:03 +0000 (08:15 -0700)
From: "Martin J. Bligh" <mbligh@aracnet.com> and me

proc_pid_lookup() does a put_task_struct() and then continues to play with
the task.

fs/proc/base.c

index d6415745561a98201ec1ccfb5959c4e40ce1807d..e843c6584cc9921d5e12487445cbeec8ea7035b7 100644 (file)
@@ -1362,10 +1362,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry)
 
        inode = proc_pid_make_inode(dir->i_sb, task, PROC_PID_INO);
 
-       put_task_struct(task);
 
-       if (!inode)
+       if (!inode) {
+               put_task_struct(task);
                goto out;
+       }
        inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
        inode->i_op = &proc_base_inode_operations;
        inode->i_fop = &proc_base_operations;
@@ -1379,6 +1380,7 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry)
        d_add(dentry, inode);
        spin_unlock(&task->proc_lock);
 
+       put_task_struct(task);
        return NULL;
 out:
        return ERR_PTR(-ENOENT);
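Review bot: The `put_task_struct(task)` added before `return NULL` carries no comment explaining why it must come after `spin_unlock(&task->proc_lock)`, and that ordering is the whole fix: the unlock still dereferences task, so the reference (presumably taken earlier in the function, outside these hunks) has to outlive it. I would add `/* task is last used by the proc_lock unlock above; drop our reference only now */` directly above the call. The first hunk releases the same reference on the `!inode` path, so the function now has two release sites. The lines between the two hunks are not shown here, so it is worth confirming that no other exit sits between them, since one would return without the put and leak the task reference.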