Please sign in to comment.
inotify: fix double free/corruption of stuct user
On an error path in inotify_init1 a normal user can trigger a double free of struct user. This is a regression introduced by a2ae4cc ("inotify: stop kernel memory leak on file creation failure"). We fix this by making sure that if a group exists the user reference is dropped when the group is cleaned up. We should not explictly drop the reference on error and also drop the reference when the group is cleaned up. The new lifetime rules are that an inotify group lives from inotify_new_group to the last fsnotify_put_group. Since the struct user and inotify_devs are directly tied to this lifetime they are only changed/updated in those two locations. We get rid of all special casing of struct user or user->inotify_devs. Signed-off-by: Eric Paris <email@example.com> Cc: firstname.lastname@example.org (2.6.37 and up) Signed-off-by: Linus Torvalds <email@example.com>
- Loading branch information...
Showing with 14 additions and 26 deletions.