mirror of
https://github.com/torvalds/linux.git
synced 2024-11-21 19:41:42 +00:00
21d1b618b6
Ensure the superblock is kept alive until we're done with iput().
Holding a reference to an inode is not allowed unless we ensure the
superblock stays alive, which fsnotify does by keeping the
watched_objects count elevated, so iput() must happen before the
watched_objects decrement.
This can lead to a UAF of something like sb->s_fs_info in tmpfs, but the
UAF is hard to hit because race orderings that oops are more likely, thanks
to the CHECK_DATA_CORRUPTION() block in generic_shutdown_super().
Also, ensure that fsnotify_put_sb_watched_objects() doesn't call
fsnotify_sb_watched_objects() on a superblock that may have already been
freed, which would cause a UAF read of sb->s_fsnotify_info.
Cc: stable@kernel.org
Fixes:
|
||
|---|---|---|
| .. | ||
| dnotify | ||
| fanotify | ||
| inotify | ||
| fdinfo.c | ||
| fdinfo.h | ||
| fsnotify.c | ||
| fsnotify.h | ||
| group.c | ||
| Kconfig | ||
| Makefile | ||
| mark.c | ||
| notification.c | ||