git.alex.org.uk - linux-flexiantxendom0-natty.git/commit

author	Eric Paris <eparis@redhat.com>
	Tue, 5 Apr 2011 21:20:50 +0000 (17:20 -0400)
committer	Brad Figg <brad.figg@canonical.com>
	Wed, 27 Apr 2011 18:40:52 +0000 (11:40 -0700)
commit	36e12f5c41ed2712a13cb8d6f775e144c3f5c69c
tree	8d142a804fb7549739432f72354c05ba15b03a95	tree \| snapshot
parent	86510e95100a9b3da75915dee6680d0a1b92e1ce	commit \| diff

inotify: fix double free/corruption of stuct user

BugLink: http://bugs.launchpad.net/bugs/761134

commit d0de4dc584ec6aa3b26fffea320a8457827768fc upstream.

On an error path in inotify_init1 a normal user can trigger a double
free of struct user.  This is a regression introduced by a2ae4cc9a16e
("inotify: stop kernel memory leak on file creation failure").

We fix this by making sure that if a group exists the user reference is
dropped when the group is cleaned up.  We should not explictly drop the
reference on error and also drop the reference when the group is cleaned
up.

The new lifetime rules are that an inotify group lives from
inotify_new_group to the last fsnotify_put_group.  Since the struct user
and inotify_devs are directly tied to this lifetime they are only
changed/updated in those two locations.  We get rid of all special
casing of struct user or user->inotify_devs.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

fs/notify/inotify/inotify_fsnotify.c		diff \| blob \| history
fs/notify/inotify/inotify_user.c		diff \| blob \| history