ACK: [PATCH 1/1] inotify: Fix fsnotify_mark refcount leak in inotify_update_existing_watch()
Colin Ian King
colin.king at canonical.com
Wed Mar 27 18:59:51 UTC 2019
On 27/03/2019 18:57, Tyler Hicks wrote:
> From: ZhangXiaoxu <zhangxiaoxu5 at huawei.com>
>
> Commit 4d97f7d53da7dc83 ("inotify: Add flag IN_MASK_CREATE for
> inotify_add_watch()") forgot to call fsnotify_put_mark() with
> IN_MASK_CREATE after fsnotify_find_mark()
>
> Fixes: 4d97f7d53da7dc83 ("inotify: Add flag IN_MASK_CREATE for inotify_add_watch()")
> Signed-off-by: ZhangXiaoxu <zhangxiaoxu5 at huawei.com>
> Signed-off-by: Jan Kara <jack at suse.cz>
>
> CVE-2019-9857
>
> (cherry picked from commit 62c9d2674b31d4c8a674bee86b7edc6da2803aea)
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> ---
> fs/notify/inotify/inotify_user.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
> index 798f1253141a..3b7b8e95c98a 100644
> --- a/fs/notify/inotify/inotify_user.c
> +++ b/fs/notify/inotify/inotify_user.c
> @@ -519,8 +519,10 @@ static int inotify_update_existing_watch(struct fsnotify_group *group,
> fsn_mark = fsnotify_find_mark(&inode->i_fsnotify_marks, group);
> if (!fsn_mark)
> return -ENOENT;
> - else if (create)
> - return -EEXIST;
> + else if (create) {
> + ret = -EEXIST;
> + goto out;
> + }
>
> i_mark = container_of(fsn_mark, struct inotify_inode_mark, fsn_mark);
>
> @@ -548,6 +550,7 @@ static int inotify_update_existing_watch(struct fsnotify_group *group,
> /* return the wd */
> ret = i_mark->wd;
>
> +out:
> /* match the get from fsnotify_find_mark() */
> fsnotify_put_mark(fsn_mark);
>
>
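Review bot: The `out:` label only helps exits that jump to it, and the lines between the first hunk and this label are not shown in the diff, so it is worth confirming that no other path in that range returns directly after `fsnotify_find_mark()` has succeeded. Placing the label above the existing comment `/* match the get from fsnotify_find_mark() */` is right, since the success path (`ret = i_mark->wd;`) falls through into the same `fsnotify_put_mark(fsn_mark);` and the new `-EEXIST` path now reaches it too. A label name that says what is released would make the pairing with the get more obvious than the generic `out`.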
Clean cherry pick. Looks OK to me.
Acked-by: Colin Ian King <colin.king at canonical.com>