From: Mathias Krause minipli@grsecurity.net
commit dd839f31d7cd5e04f4111a219024268c6f6973f0 upstream.
Calling fd_install() makes a file reachable for userland, including the possibility to close the file descriptor, which leads to calling its 'release' hook. If that happens before the code had a chance to bump the reference of the newly created task struct, the release callback will call put_task_struct() too early, leading to the premature destruction of the kernel thread.
Avoid that race by calling fd_install() later, after all the setup is done.
Fixes: 1c6fdbd8f246 ("bcachefs: Initial commit") Signed-off-by: Mathias Krause minipli@grsecurity.net Signed-off-by: Kent Overstreet kent.overstreet@linux.dev Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- fs/bcachefs/chardev.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/bcachefs/chardev.c b/fs/bcachefs/chardev.c index 4bb88aefed121..64000c8da5ee6 100644 --- a/fs/bcachefs/chardev.c +++ b/fs/bcachefs/chardev.c @@ -392,10 +392,9 @@ static long bch2_ioctl_data(struct bch_fs *c, goto err; }
- fd_install(fd, file); - get_task_struct(ctx->thread); wake_up_process(ctx->thread); + fd_install(fd, file);
return fd; err: