Fix dnotify/close race · 214b7049
    Al Viro authored
    We have a race between fcntl() and close() that can lead to
    dnotify_struct inserted into inode's list *after* the last descriptor
    had been gone from current->files.
    
    Since that's the only point where dnotify_struct gets evicted, we are
    screwed - it will stick around indefinitely.  Even after struct file in
    question is gone and freed.  Worse, we can trigger send_sigio() on it at
    any later point, which allows sending an arbitrary signal to an arbitrary
    process if we manage to apply enough memory pressure to get the page
    that used to host that struct file and fill it with the right pattern...
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
dnotify.c 4.62 KB
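To make the race in the commit message concrete, here is a constructed user-space model of it, added for illustration; it is not the kernel's dnotify.c and not the commit's own change. It reproduces the interleaving described above deterministically: a descriptor table, an inode with a list of watches, a close() that (as in the real kernel) is the only path evicting watches, and an fcntl(F_NOTIFY) that inserts its watch after the close has already run. The `recheck` flag models one mitigation, re-validating that the fd still maps to the same file after the watch is published and flushing it if not; that mitigation is an assumption of this example, not something the page states the commit does. All names ending in `_model`, `run_race` and `count_dangling` are this example's own.

```c
#include <stdlib.h>

#define NFDS 4

struct file { int refcnt; int alive; };
struct dnotify { struct file *filp; struct dnotify *next; };
struct inode { struct dnotify *watches; };

static struct file *fdtable[NFDS];   /* stands in for current->files */

/* Constructed model of fcheck(): fd -> struct file, or NULL if not open. */
static struct file *fcheck_model(int fd)
{
    return (fd >= 0 && fd < NFDS) ? fdtable[fd] : NULL;
}

static void fput_model(struct file *f)
{
    if (--f->refcnt == 0)
        f->alive = 0;             /* "freed": any watch still pointing here dangles */
}

/* Drop every watch registered through f. In the kernel this is the close path,
 * which the commit message calls the only point where a dnotify_struct is evicted. */
static void dnotify_flush_model(struct inode *ino, struct file *f)
{
    struct dnotify **pp = &ino->watches;
    while (*pp) {
        if ((*pp)->filp == f) {
            struct dnotify *dead = *pp;
            *pp = dead->next;
            free(dead);
        } else {
            pp = &(*pp)->next;
        }
    }
}

static void close_model(struct inode *ino, int fd)
{
    struct file *f = fdtable[fd];
    fdtable[fd] = NULL;           /* descriptor leaves the table */
    dnotify_flush_model(ino, f);  /* evicts only the watches that exist *now* */
    fput_model(f);
}

/* fcntl(fd, F_NOTIFY, ...) as modelled: look up the file, insert a watch, drop the
 * reference. close_in_window forces the racing close() between lookup and insert.
 * recheck enables the post-insert re-validation (assumed mitigation, not the
 * commit's own code). */
static int fcntl_dirnotify_model(struct inode *ino, int fd, int recheck, int close_in_window)
{
    struct file *filp = fcheck_model(fd);
    if (!filp)
        return -1;
    filp->refcnt++;               /* fget(): file stays alive for the duration of the call */

    if (close_in_window)
        close_model(ino, fd);     /* another thread's close() lands here */

    struct dnotify *dn = malloc(sizeof *dn);
    dn->filp = filp;
    dn->next = ino->watches;
    ino->watches = dn;            /* published after close() already flushed the inode */

    if (recheck && fcheck_model(fd) != filp)
        dnotify_flush_model(ino, filp);   /* descriptor is gone: undo the insert */

    fput_model(filp);             /* last reference: the file is "freed" */
    return 0;
}

/* Count watches whose file has already been released. */
static int count_dangling(const struct inode *ino)
{
    int n = 0;
    for (const struct dnotify *d = ino->watches; d; d = d->next)
        if (!d->filp->alive)
            n++;
    return n;
}

/* Run the race once; returns how many watches are left pointing at a dead file. */
int run_race(int recheck)
{
    static struct file files[NFDS];
    struct inode ino = { NULL };
    for (int i = 0; i < NFDS; i++) {
        files[i].refcnt = 1;
        files[i].alive = 1;
        fdtable[i] = &files[i];
    }
    fcntl_dirnotify_model(&ino, 2, recheck, 1);
    int dangling = count_dangling(&ino);
    while (ino.watches) {          /* tear down the model's list */
        struct dnotify *d = ino.watches;
        ino.watches = d->next;
        free(d);
    }
    return dangling;
}
```

`run_race(0)` leaves one watch referencing a released file, which is the state the message describes as sticking around indefinitely; `run_race(1)` shows why a re-validation after publishing the watch closes the window: the only eviction path has already run, so the registering side has to notice the descriptor is gone and clean up itself.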