6.7-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernd Edlinger bernd.edlinger@hotmail.de
commit 84c39ec57d409e803a9bb6e4e85daf1243e0e80b upstream.
If get_unused_fd_flags() fails, the error handling is incomplete because bprm->cred is already set to NULL, and therefore free_bprm will not unlock the cred_guard_mutex. Note there are two error conditions which end up here, one before and one after bprm->cred is cleared.
Fixes: b8a61c9e7b4a ("exec: Generic execfd support") Signed-off-by: Bernd Edlinger bernd.edlinger@hotmail.de Acked-by: Eric W. Biederman ebiederm@xmission.com Link: https://lore.kernel.org/r/AS8P193MB128517ADB5EFF29E04389EDAE4752@AS8P193MB12... Cc: stable@vger.kernel.org Signed-off-by: Kees Cook keescook@chromium.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- fs/exec.c | 3 +++ 1 file changed, 3 insertions(+)
--- a/fs/exec.c +++ b/fs/exec.c @@ -1408,6 +1408,9 @@ int begin_new_exec(struct linux_binprm *
out_unlock: up_write(&me->signal->exec_update_lock); + if (!bprm->cred) + mutex_unlock(&me->signal->cred_guard_mutex); + out: return retval; }