From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Pavel Emelyanov <xemul@openvz.org>,
Eric Paris <eparis@redhat.com>
Subject: [25/39] inotify: dont leak user struct on inotify release
Date: Mon, 24 May 2010 16:15:37 -0700 [thread overview]
Message-ID: <20100524231815.446220688@clark.site> (raw)
In-Reply-To: <20100524231840.GA17857@kroah.com>
2.6.33-stable review patch. If anyone has any objections, please let us know.
------------------
From: Pavel Emelyanov <xemul@openvz.org>
commit b3b38d842fa367d862b83e7670af4e0fd6a80fc0 upstream.
inotify_new_group() receives a get_uid-ed user_struct and saves the
reference on group->inotify_data.user. The problem is that free_uid() is
never called on it.
Issue seem to be introduced by 63c882a0 (inotify: reimplement inotify
using fsnotify) after 2.6.30.
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Eric Paris <eparis@parisplace.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/notify/inotify/inotify_fsnotify.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/notify/inotify/inotify_fsnotify.c
+++ b/fs/notify/inotify/inotify_fsnotify.c
@@ -28,6 +28,7 @@
#include <linux/path.h> /* struct path */
#include <linux/slab.h> /* kmem_* */
#include <linux/types.h>
+#include <linux/sched.h>
#include "inotify.h"
@@ -146,6 +147,7 @@ static void inotify_free_group_priv(stru
idr_for_each(&group->inotify_data.idr, idr_callback, group);
idr_remove_all(&group->inotify_data.idr);
idr_destroy(&group->inotify_data.idr);
+ free_uid(group->inotify_data.user);
}
void inotify_free_event_priv(struct fsnotify_event_private_data *fsn_event_priv)
next prev parent reply other threads:[~2010-05-24 23:28 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-05-24 23:18 [00/39] 2.6.33.5-stable review Greg KH
2010-05-24 23:15 ` [01/39] ipv4: udp: fix short packet and bad checksum logging Greg KH
2010-05-24 23:15 ` [02/39] hp_accel: fix race in device removal Greg KH
2010-05-24 23:15 ` [03/39] fbdev: bfin-t350mcqb-fb: fix fbmem allocation with blanking lines Greg KH
2010-05-24 23:15 ` [04/39] hugetlbfs: kill applications that use MAP_NORESERVE with SIGBUS instead of OOM-killer Greg KH
2010-05-24 23:15 ` [05/39] dma-mapping: fix dma_sync_single_range_* Greg KH
2010-05-24 23:15 ` [06/39] ALSA: Revert "ALSA: hda/realtek: quirk for D945GCLF2 mainboard" Greg KH
2010-05-24 23:15 ` [07/39] revert "procfs: provide stack information for threads" and its fixup commits Greg KH
2010-05-24 23:15 ` [08/39] ALSA: hda - fix DG45ID SPDIF output Greg KH
2010-05-24 23:15 ` [09/39] ACPI: sleep: eliminate duplicate entries in acpisleep_dmi_table[] Greg KH
2010-05-24 23:15 ` [10/39] mmc: atmel-mci: fix two parameters swapped Greg KH
2010-05-24 23:15 ` Greg KH
2010-05-24 23:15 ` [11/39] mmc: atmel-mci: prevent kernel oops while removing card Greg KH
2010-05-24 23:15 ` Greg KH
2010-05-24 23:15 ` [12/39] mmc: atmel-mci: remove data error interrupt after xfer Greg KH
2010-05-24 23:15 ` Greg KH
2010-05-24 23:15 ` [13/39] drm/i915: use PIPE_CONTROL instruction on Ironlake and Sandy Bridge Greg KH
2010-05-24 23:15 ` [14/39] drm/i915: fix non-Ironlake 965 class crashes Greg KH
2010-05-24 23:15 ` [15/39] [S390] ptrace: fix return value of do_syscall_trace_enter() Greg KH
2010-05-24 23:15 ` [16/39] [S390] dasd: fix race between tasklet and dasd_sleep_on Greg KH
2010-05-24 23:15 ` [17/39] powerpc/perf_event: Fix oops due to perf_event_do_pending call Greg KH
2010-05-24 23:15 ` [18/39] cifs: guard against hardlinking directories Greg KH
2010-05-24 23:15 ` [19/39] serial: imx.c: fix CTS trigger level lower to avoid lost chars Greg KH
2010-05-24 23:15 ` [20/39] tty: Fix unbalanced BKL handling in error path Greg KH
2010-05-24 23:15 ` [21/39] ALSA: ice1724 - Fix ESI Maya44 capture source control Greg KH
2010-05-24 23:15 ` [22/39] ALSA: virtuoso: fix Xonar D1/DX front panel microphone Greg KH
2010-05-24 23:15 ` [23/39] ALSA: hda: Fix 0 dB for Lenovo models using Conexant CX20549 (Venice) Greg KH
2010-05-24 23:15 ` [24/39] inotify: race use after free/double free in inotify inode marks Greg KH
2010-05-24 23:15 ` Greg KH [this message]
2010-05-24 23:15 ` [26/39] profile: fix stats and data leakage Greg KH
2010-05-24 23:15 ` [27/39] x86, k8: Fix build error when K8_NB is disabled Greg KH
2010-05-24 23:15 ` [28/39] x86, cacheinfo: Turn off L3 cache index disable feature in virtualized environments Greg KH
2010-05-25 1:50 ` Hugh Dickins
2010-05-25 17:14 ` Greg KH
2010-05-25 20:41 ` Hugh Dickins
2010-05-25 20:50 ` Greg KH
2010-05-24 23:15 ` [29/39] x86, amd: Check X86_FEATURE_OSVW bit before accessing OSVW MSRs Greg KH
2010-05-24 23:15 ` [30/39] Btrfs: check for read permission on src file in the clone ioctl Greg KH
2010-05-24 23:15 ` [31/39] ALSA: hda - New Intel HDA controller Greg KH
2010-05-24 23:15 ` [32/39] drm/i915: Disable FBC on 915GM and 945GM Greg KH
2010-05-24 23:15 ` [33/39] iwlwifi: check for aggregation frame and queue Greg KH
2010-05-24 23:15 ` [34/39] iwlwifi: clear all the stop_queue flag after load firmware Greg KH
2010-05-24 23:15 ` [35/39] CacheFiles: Fix error handling in cachefiles_determine_cache_security() Greg KH
2010-05-24 23:15 ` [36/39] mmap_min_addr check CAP_SYS_RAWIO only for write Greg KH
2010-05-24 23:15 ` [37/39] nilfs2: fix sync silent failure Greg KH
2010-05-24 23:15 ` [38/39] Revert "ath9k: fix lockdep warning when unloading module" on stable kernels Greg KH
2010-05-24 23:15 ` [39/39] crypto: authenc - Add EINPROGRESS check Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100524231815.446220688@clark.site \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=eparis@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=xemul@openvz.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.