From: Stephane Eranian <eranian@hpl.hp.com>
Date: Tue, 17 Oct 2006 12:50:56 +0000 (+0200)
Subject: [IA64] correct file descriptor reference counting in perfmon (CVE-2006-3741)
X-Git-Tag: v2.6.16.30-rc1~1
X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=61dd5c3368db90edf32a5ceb4dde76cc18f34009;p=karo-tx-linux.git

[IA64] correct file descriptor reference counting in perfmon (CVE-2006-3741)

Fix a bug in sys_perfmonctl() whereby it was not correctly
decrementing the file descriptor reference count.

Signed-off-by: Stephane Eranian <eranian@hpl.hp.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
---

diff --git a/arch/ia64/kernel/perfmon.c b/arch/ia64/kernel/perfmon.c
index 9c5194b385da..9b42b02b85ed 100644
--- a/arch/ia64/kernel/perfmon.c
+++ b/arch/ia64/kernel/perfmon.c
@@ -4937,13 +4937,15 @@ abort_locked:
 	if (likely(ctx)) {
 		DPRINT(("context unlocked\n"));
 		UNPROTECT_CTX(ctx, flags);
-		fput(file);
 	}
 
 	/* copy argument back to user, if needed */
 	if (call_made && PFM_CMD_RW_ARG(cmd) && copy_to_user(arg, args_k, base_sz*count)) ret = -EFAULT;
 
 error_args:
+	if (file)
+		fput(file);
+
 	kfree(args_k);
 
 	DPRINT(("cmd=%s ret=%ld\n", PFM_CMD_NAME(cmd), ret));