If get_unused_fd_flags() fails, the error handling is incomplete because bprm->cred is already set to NULL, and therefore free_bprm will not unlock the cred_guard_mutex. Note there are two error conditions which end up here, one before and one after bprm->cred is cleared. Fixes: b8a61c9e7b4a ("exec: Generic execfd support") Signed-off-by: Bernd Edlinger <bernd.edlinger@xxxxxxxxxx> Acked-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> --- fs/exec.c | 3 +++ 1 file changed, 3 insertions(+) v2: rebased to v6.7, retested and updated the commit message to fix a checkpatch.pl style nit about the too short sha1 hash in the Fixes: statement. And retained Eric's Acked-by from: https://lore.kernel.org/lkml/87mts2kcrm.fsf@disp2133/ v3: removed empty lines after Fixes: and Signed-off-by: header. Thanks Bernd. diff --git a/fs/exec.c b/fs/exec.c index 8cdd5b2dd09c..e88249a1ce07 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1409,6 +1409,9 @@ int begin_new_exec(struct linux_binprm * bprm) out_unlock: up_write(&me->signal->exec_update_lock); + if (!bprm->cred) + mutex_unlock(&me->signal->cred_guard_mutex); + out: return retval; } -- 2.39.2