| commit | 74d4c0de24e41870a26422350833825b04945e26 | |
| author | Al Viro <viro@ZenIV.linux.org.uk> | |
| Thu, 1 May 2008 02:52:22 +0000 (1 03:52 +0100) | ||
| committer | Oliver Pinter <oliver.pntr@gmail.com> | |
| Sat, 10 May 2008 15:31:05 +0000 (10 17:31 +0200) | ||
| tree | 519dd35c0b81a6f791ef38361026ac30eae4fd1f | treesnapshot (tar.gz zip) |
| parent | 709915d2d0f78971857d71020f068085d22490a4 | commitdiff |
Fix dnotify/close race
We have a race between fcntl() and close() that can lead to
dnotify_struct inserted into inode's list *after* the last descriptor
had been gone from current->files.
Since that's the only point where dnotify_struct gets evicted, we are
screwed - it will stick around indefinitely. Even after struct file in
question is gone and freed. Worse, we can trigger send_sigio() on it at
any later point, which allows to send an arbitrary signal to arbitrary
process if we manage to apply enough memory pressure to get the page
that used to host that struct file and fill it with the right pattern...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com>
We have a race between fcntl() and close() that can lead to
dnotify_struct inserted into inode's list *after* the last descriptor
had been gone from current->files.
Since that's the only point where dnotify_struct gets evicted, we are
screwed - it will stick around indefinitely. Even after struct file in
question is gone and freed. Worse, we can trigger send_sigio() on it at
any later point, which allows to send an arbitrary signal to arbitrary
process if we manage to apply enough memory pressure to get the page
that used to host that struct file and fill it with the right pattern...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com>
| fs/dnotify.c | diffblobblamehistory |