diff options
author | Jan Kara <jack@suse.cz> | 2014-01-28 21:38:06 +0100 |
---|---|---|
committer | Jan Kara <jack@suse.cz> | 2014-01-29 13:57:17 +0100 |
commit | 85816794240b9659e66e4d9b0df7c6e814e5f603 (patch) | |
tree | dd9a5103e62f15e74b2d7729e972d141845462aa /fs/notify/fanotify/fanotify.h | |
parent | fsnotify: Do not return merged event from fsnotify_add_notify_event() (diff) | |
download | linux-85816794240b9659e66e4d9b0df7c6e814e5f603.tar.xz linux-85816794240b9659e66e4d9b0df7c6e814e5f603.zip |
fanotify: Fix use after free for permission events
Currently struct fanotify_event_info has been destroyed immediately
after reporting its contents to userspace. However that is wrong for
permission events because those need to stay around until userspace
provides response which is filled back in fanotify_event_info. So change
to code to free permission events only after we have got the response
from userspace.
Reported-and-tested-by: Jiri Kosina <jkosina@suse.cz>
Reported-and-tested-by: Dave Jones <davej@fedoraproject.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Diffstat (limited to 'fs/notify/fanotify/fanotify.h')
-rw-r--r-- | fs/notify/fanotify/fanotify.h | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/fs/notify/fanotify/fanotify.h b/fs/notify/fanotify/fanotify.h index 0e90174a116a..32a2f034fb94 100644 --- a/fs/notify/fanotify/fanotify.h +++ b/fs/notify/fanotify/fanotify.h @@ -4,6 +4,13 @@ extern struct kmem_cache *fanotify_event_cachep; +/* + * Lifetime of the structure differs for normal and permission events. In both + * cases the structure is allocated in fanotify_handle_event(). For normal + * events the structure is freed immediately after reporting it to userspace. + * For permission events we free it only after we receive response from + * userspace. + */ struct fanotify_event_info { struct fsnotify_event fse; /* |