git.baikalelectronics.ru Git - kernel.git/commit

author	Eric Paris <eparis@redhat.com>
	Tue, 5 Apr 2011 21:20:50 +0000 (17:20 -0400)
committer	Linus Torvalds <torvalds@linux-foundation.org>
	Tue, 5 Apr 2011 22:27:14 +0000 (15:27 -0700)
commit	7945542443241d89e267f93e383a18961117b735
tree	6895419a694ba323c6b18cdb6aa2714892b6f481	tree \| snapshot
parent	5b4f6290d8b6a8b6e1d549c919e35ed39a57934d	commit \| diff

inotify: fix double free/corruption of stuct user

On an error path in inotify_init1 a normal user can trigger a double
free of struct user.  This is a regression introduced by 70021a37f2f5
("inotify: stop kernel memory leak on file creation failure").

We fix this by making sure that if a group exists the user reference is
dropped when the group is cleaned up.  We should not explictly drop the
reference on error and also drop the reference when the group is cleaned
up.

The new lifetime rules are that an inotify group lives from
inotify_new_group to the last fsnotify_put_group.  Since the struct user
and inotify_devs are directly tied to this lifetime they are only
changed/updated in those two locations.  We get rid of all special
casing of struct user or user->inotify_devs.

Signed-off-by: Eric Paris <eparis@redhat.com>
Cc: stable@kernel.org (2.6.37 and up)
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

fs/notify/inotify/inotify_fsnotify.c		diff \| blob \| history
fs/notify/inotify/inotify_user.c		diff \| blob \| history