1
linux/fs/notify
Eric Paris d0de4dc584 inotify: fix double free/corruption of stuct user
On an error path in inotify_init1 a normal user can trigger a double
free of struct user.  This is a regression introduced by a2ae4cc9a1
("inotify: stop kernel memory leak on file creation failure").

We fix this by making sure that if a group exists the user reference is
dropped when the group is cleaned up.  We should not explictly drop the
reference on error and also drop the reference when the group is cleaned
up.

The new lifetime rules are that an inotify group lives from
inotify_new_group to the last fsnotify_put_group.  Since the struct user
and inotify_devs are directly tied to this lifetime they are only
changed/updated in those two locations.  We get rid of all special
casing of struct user or user->inotify_devs.

Signed-off-by: Eric Paris <eparis@redhat.com>
Cc: stable@kernel.org (2.6.37 and up)
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-04-05 15:27:14 -07:00
..
dnotify fanotify: use both marks when possible 2010-07-28 10:18:55 -04:00
fanotify Remove one to many n's in a word 2011-03-01 15:47:58 +01:00
inotify inotify: fix double free/corruption of stuct user 2011-04-05 15:27:14 -07:00
fsnotify.c fs: dcache per-inode inode alias locking 2011-01-07 17:50:31 +11:00
fsnotify.h fsnotify: remove global fsnotify groups lists 2010-07-28 10:18:54 -04:00
group.c fsnotify: remove global fsnotify groups lists 2010-07-28 10:18:54 -04:00
inode_mark.c fs: rename inode_lock to inode_hash_lock 2011-03-24 21:17:51 -04:00
Kconfig fanotify: allow fanotify to be built 2010-10-28 17:22:13 -04:00
Makefile fsnotify: vfsmount marks generic functions 2010-07-28 09:58:57 -04:00
mark.c fs: rename inode_lock to inode_hash_lock 2011-03-24 21:17:51 -04:00
notification.c Revert "fsnotify: store struct file not struct path" 2010-08-12 14:23:04 -07:00
vfsmount_mark.c fs: rename inode_lock to inode_hash_lock 2011-03-24 21:17:51 -04:00