summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStephane Eranian <eranian@hpl.hp.com>2006-10-17 14:50:56 +0200
committerAdrian Bunk <bunk@stusta.de>2006-10-17 14:50:56 +0200
commit61dd5c3368db90edf32a5ceb4dde76cc18f34009 (patch)
tree0914b29b7cbe8dc2c1d833ca8e9dc954cea527b3
parent08f8337b2930f9b0924e6c0e362b11f7216766c0 (diff)
downloadlinux-stable-61dd5c3368db90edf32a5ceb4dde76cc18f34009.tar.gz
linux-stable-61dd5c3368db90edf32a5ceb4dde76cc18f34009.tar.bz2
linux-stable-61dd5c3368db90edf32a5ceb4dde76cc18f34009.zip
[IA64] correct file descriptor reference counting in perfmon (CVE-2006-3741)
Fix a bug in sys_perfmonctl() whereby it was not correctly decrementing the file descriptor reference count. Signed-off-by: Stephane Eranian <eranian@hpl.hp.com> Signed-off-by: Tony Luck <tony.luck@intel.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
-rw-r--r--arch/ia64/kernel/perfmon.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/arch/ia64/kernel/perfmon.c b/arch/ia64/kernel/perfmon.c
index 9c5194b385da..9b42b02b85ed 100644
--- a/arch/ia64/kernel/perfmon.c
+++ b/arch/ia64/kernel/perfmon.c
@@ -4937,13 +4937,15 @@ abort_locked:
if (likely(ctx)) {
DPRINT(("context unlocked\n"));
UNPROTECT_CTX(ctx, flags);
- fput(file);
}
/* copy argument back to user, if needed */
if (call_made && PFM_CMD_RW_ARG(cmd) && copy_to_user(arg, args_k, base_sz*count)) ret = -EFAULT;
error_args:
+ if (file)
+ fput(file);
+
kfree(args_k);
DPRINT(("cmd=%s ret=%ld\n", PFM_CMD_NAME(cmd), ret));