Gitweb @ Texas Instruments - Open Source Git Repositories - git.TI.com/gitweb - glsdk/meta-ti-glsdk.git/blob - recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.15/0057-cred-copy_process-should-clear-child-replacement_ses.patch
linux-ti335x-psp 3.2: update to 3.2.16
1 From 58063126ba5d427e0dae0e9319f5dabb5aeee22f Mon Sep 17 00:00:00 2001
2 From: Oleg Nesterov <oleg@redhat.com>
3 Date: Mon, 9 Apr 2012 21:03:50 +0200
4 Subject: [PATCH 57/60] cred: copy_process() should clear
5  child->replacement_session_keyring
7 commit 79549c6dfda0603dba9a70a53467ce62d9335c33 upstream.
9 keyctl_session_to_parent(task) sets ->replacement_session_keyring,
10 it should be processed and cleared by key_replace_session_keyring().
12 However, this task can fork before it notices TIF_NOTIFY_RESUME and
13 the new child gets the bogus ->replacement_session_keyring copied by
14 dup_task_struct(). This is obviously wrong and, if nothing else, this
15 leads to put_cred(already_freed_cred).
17 change copy_creds() to clear this member. If copy_process() fails
18 before this point the wrong ->replacement_session_keyring doesn't
19 matter, exit_creds() won't be called.
21 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
22 Acked-by: David Howells <dhowells@redhat.com>
23 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
24 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
25 ---
26  kernel/cred.c |    2 ++
27  1 file changed, 2 insertions(+)
29 diff --git a/kernel/cred.c b/kernel/cred.c
30 index 5791612..48c6fd3 100644
31 --- a/kernel/cred.c
32 +++ b/kernel/cred.c
33 @@ -385,6 +385,8 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags)
34         struct cred *new;
35         int ret;
36  
37 +       p->replacement_session_keyring = NULL;
38 +
39         if (
40  #ifdef CONFIG_KEYS
41                 !p->cred->thread_keyring &&
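Review bot: The added `p->replacement_session_keyring = NULL;` at the top of copy_creds() has no comment, so the code alone does not say why a field just inherited from the parent is being thrown away. A short comment would help, stating that the pointer is a stale copy left by dup_task_struct() and must not reach exit_creds() in the child, since the changelog ties that path to put_cred() on an already freed cred. That would also record the ordering the changelog relies on (a copy_process() failure before this point never calls exit_creds()), and keep a later cleanup from moving or dropping the line. Separately, the assignment sits above the `#ifdef CONFIG_KEYS` that opens the next statement, so it is compiled unconditionally. Please confirm the member exists in task_struct when CONFIG_KEYS is disabled, or place the line under the same guard.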
42 -- 
43 1.7.9.5