projects / platform / adaptation / renesas_rcar / renesas_kernel.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
exec: kill ->load_binary != NULL check in search_binary_handler()
[platform/adaptation/renesas_rcar/renesas_kernel.git] / fs / exec.c
diff --git a/fs/exec.c b/fs/exec.c
index d51f717..7b92fbf 100644 (file)
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -74,6 +74,8 @@ static DEFINE_RWLOCK(binfmt_lock);
 void __register_binfmt(struct linux_binfmt * fmt, int insert)
 {
        BUG_ON(!fmt);
+       if (WARN_ON(!fmt->load_binary))
+               return;
        write_lock(&binfmt_lock);
        insert ? list_add(&fmt->lh, &formats) :
                 list_add_tail(&fmt->lh, &formats);
@@ -1389,21 +1391,14 @@ int search_binary_handler(struct linux_binprm *bprm)
        for (try=0; try<2; try++) {
                read_lock(&binfmt_lock);
                list_for_each_entry(fmt, &formats, lh) {
-                       int (*fn)(struct linux_binprm *) = fmt->load_binary;
-                       if (!fn)
-                               continue;
                        if (!try_module_get(fmt->module))
                                continue;
                        read_unlock(&binfmt_lock);
                        bprm->recursion_depth++;
-                       retval = fn(bprm);
+                       retval = fmt->load_binary(bprm);
                        bprm->recursion_depth--;
                        if (retval >= 0) {
                                put_binfmt(fmt);
-                               allow_write_access(bprm->file);
-                               if (bprm->file)
-                                       fput(bprm->file);
-                               bprm->file = NULL;
                                return retval;
                        }
                        read_lock(&binfmt_lock);
@@ -1455,6 +1450,12 @@ static int exec_binprm(struct linux_binprm *bprm)
                ptrace_event(PTRACE_EVENT_EXEC, old_vpid);
                current->did_exec = 1;
                proc_exec_connector(current);
+
+               if (bprm->file) {
+                       allow_write_access(bprm->file);
+                       fput(bprm->file);
+                       bprm->file = NULL; /* to catch use-after-free */
+               }
        }
 
        return ret;
Domain: System / Uncategorized;