Commit 8d68d932 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'for-linus-20190701' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux 

Pull pidfd fork() fix from Christian Brauner:
 "A single small fix for copy_process() in kernel/fork.c:

  With Al's removal of ksys_close() from cleanup paths in copy_process()
  a bug was introduced. When anon_inode_getfile() failed the cleanup was
  correctly performed but the error code was not propagated to callers
  of copy_process() causing them to operate on a nonsensical pointer.

  The fix is a simple on-liner which makes sure that a proper negative
  error code is returned from copy_process().

  syzkaller has also verified that the bug is not reproducible with this
  fix"

* tag 'for-linus-20190701' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux:
  fork: return proper negative error code
parents 4b1fe9b5 28dd29c0

kernel/fork.c

+1 −0
Original line number Diff line number Diff line
@@ -2036,6 +2036,7 @@ static __latent_entropy struct task_struct *copy_process( 
					      O_RDWR | O_CLOEXEC);

		if (IS_ERR(pidfile)) {

			put_unused_fd(pidfd);

			retval = PTR_ERR(pidfile);

			goto bad_fork_free_pid;

		}

		get_pid(pid);	/* held by pidfile now */

CRA Git | Maintained and supported by SUSTech CRA and CCSE