diff options
author | Pavel Emelyanov <xemul@openvz.org> | 2010-05-13 00:34:07 +0200 |
---|---|---|
committer | Eric Paris <eparis@redhat.com> | 2010-05-14 17:53:36 +0200 |
commit | b3b38d842fa367d862b83e7670af4e0fd6a80fc0 (patch) | |
tree | db803231178ae41f21240017a3119dea3a4d3589 /fs/notify | |
parent | inotify: race use after free/double free in inotify inode marks (diff) | |
download | linux-b3b38d842fa367d862b83e7670af4e0fd6a80fc0.tar.xz linux-b3b38d842fa367d862b83e7670af4e0fd6a80fc0.zip |
inotify: don't leak user struct on inotify release
inotify_new_group() receives a get_uid-ed user_struct and saves the
reference on group->inotify_data.user. The problem is that free_uid() is
never called on it.
Issue seem to be introduced by 63c882a0 (inotify: reimplement inotify
using fsnotify) after 2.6.30.
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Eric Paris <eparis@parisplace.org>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'fs/notify')
-rw-r--r-- | fs/notify/inotify/inotify_fsnotify.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/notify/inotify/inotify_fsnotify.c b/fs/notify/inotify/inotify_fsnotify.c index 1afb0a10229f..e27960cd76ab 100644 --- a/fs/notify/inotify/inotify_fsnotify.c +++ b/fs/notify/inotify/inotify_fsnotify.c @@ -28,6 +28,7 @@ #include <linux/path.h> /* struct path */ #include <linux/slab.h> /* kmem_* */ #include <linux/types.h> +#include <linux/sched.h> #include "inotify.h" @@ -146,6 +147,7 @@ static void inotify_free_group_priv(struct fsnotify_group *group) idr_for_each(&group->inotify_data.idr, idr_callback, group); idr_remove_all(&group->inotify_data.idr); idr_destroy(&group->inotify_data.idr); + free_uid(group->inotify_data.user); } void inotify_free_event_priv(struct fsnotify_event_private_data *fsn_event_priv) |