• Jan Kara's avatar
    fsnotify: Fix possible use-after-free in inode iteration on umount · 9e4fe773
    Jan Kara authored
    commit 5716863e upstream.
    
    fsnotify_unmount_inodes() plays complex tricks to pin next inode in the
    sb->s_inodes list when iterating over all inodes. Furthermore the code has a
    bug that if the current inode is the last on i_sb_list that does not have e.g.
    I_FREEING set, then we leave next_i pointing to inode which may get removed
    from the i_sb_list once we drop s_inode_list_lock thus resulting in
    use-after-free issues (usually manifesting as infinite looping in
    fsnotify_unmount_inodes()).
    
    Fix the problem by keeping current inode pinned somewhat longer. Then we can
    make the code much simpler and standard.
    Signed-off-by: default avatarJan Kara <jack@suse.cz>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
    9e4fe773
inode_mark.c 7.77 KB