diff options
| author | Eric Paris <eparis@redhat.com> | 2010-08-18 12:25:49 -0400 |
|---|---|---|
| committer | Eric Paris <eparis@redhat.com> | 2010-08-22 20:09:41 -0400 |
| commit | faa9560ae76ef50a3cbfb1a6afc0343fd8172374 (patch) | |
| tree | b62dcdece22b214d0e0c75848b4d02b8e9923d0c | |
| parent | 3dc8d7f07e7496c0c6702e7e4b1acc179fa94019 (diff) | |
fanotify: do not dereference inode_mark when it is unset
The fanotify code is supposed to get the group from the mark. It accidentally
only used the inode_mark. If the vfsmount_mark was set but not the inode_mark
it would deref the NULL inode_mark. Get the group from the correct place.
Reported-by: Tvrtko Ursulin <tvrtko.ursulin@sophos.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
| -rw-r--r-- | fs/notify/fsnotify.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/fs/notify/fsnotify.c b/fs/notify/fsnotify.c index 3970392b2722..f3e3b355ba7f 100644 --- a/fs/notify/fsnotify.c +++ b/fs/notify/fsnotify.c | |||
| @@ -148,13 +148,14 @@ static int send_to_group(struct inode *to_tell, struct vfsmount *mnt, | |||
| 148 | const unsigned char *file_name, | 148 | const unsigned char *file_name, |
| 149 | struct fsnotify_event **event) | 149 | struct fsnotify_event **event) |
| 150 | { | 150 | { |
| 151 | struct fsnotify_group *group = inode_mark->group; | 151 | struct fsnotify_group *group = NULL; |
| 152 | __u32 inode_test_mask = (mask & ~FS_EVENT_ON_CHILD); | 152 | __u32 inode_test_mask = (mask & ~FS_EVENT_ON_CHILD); |
| 153 | __u32 vfsmount_test_mask = (mask & ~FS_EVENT_ON_CHILD); | 153 | __u32 vfsmount_test_mask = (mask & ~FS_EVENT_ON_CHILD); |
| 154 | 154 | ||
| 155 | pr_debug("%s: group=%p to_tell=%p mnt=%p mark=%p mask=%x data=%p" | 155 | if (unlikely(!inode_mark && !vfsmount_mark)) { |
| 156 | " data_is=%d cookie=%d event=%p\n", __func__, group, to_tell, | 156 | BUG(); |
| 157 | mnt, inode_mark, mask, data, data_is, cookie, *event); | 157 | return 0; |
| 158 | } | ||
| 158 | 159 | ||
| 159 | /* clear ignored on inode modification */ | 160 | /* clear ignored on inode modification */ |
| 160 | if (mask & FS_MODIFY) { | 161 | if (mask & FS_MODIFY) { |
| @@ -168,18 +169,24 @@ static int send_to_group(struct inode *to_tell, struct vfsmount *mnt, | |||
| 168 | 169 | ||
| 169 | /* does the inode mark tell us to do something? */ | 170 | /* does the inode mark tell us to do something? */ |
| 170 | if (inode_mark) { | 171 | if (inode_mark) { |
| 172 | group = inode_mark->group; | ||
| 171 | inode_test_mask &= inode_mark->mask; | 173 | inode_test_mask &= inode_mark->mask; |
| 172 | inode_test_mask &= ~inode_mark->ignored_mask; | 174 | inode_test_mask &= ~inode_mark->ignored_mask; |
| 173 | } | 175 | } |
| 174 | 176 | ||
| 175 | /* does the vfsmount_mark tell us to do something? */ | 177 | /* does the vfsmount_mark tell us to do something? */ |
| 176 | if (vfsmount_mark) { | 178 | if (vfsmount_mark) { |
| 179 | group = vfsmount_mark->group; | ||
| 177 | vfsmount_test_mask &= vfsmount_mark->mask; | 180 | vfsmount_test_mask &= vfsmount_mark->mask; |
| 178 | vfsmount_test_mask &= ~vfsmount_mark->ignored_mask; | 181 | vfsmount_test_mask &= ~vfsmount_mark->ignored_mask; |
| 179 | if (inode_mark) | 182 | if (inode_mark) |
| 180 | vfsmount_test_mask &= ~inode_mark->ignored_mask; | 183 | vfsmount_test_mask &= ~inode_mark->ignored_mask; |
| 181 | } | 184 | } |
| 182 | 185 | ||
| 186 | pr_debug("%s: group=%p to_tell=%p mnt=%p mark=%p mask=%x data=%p" | ||
| 187 | " data_is=%d cookie=%d event=%p\n", __func__, group, to_tell, | ||
| 188 | mnt, inode_mark, mask, data, data_is, cookie, *event); | ||
| 189 | |||
| 183 | if (!inode_test_mask && !vfsmount_test_mask) | 190 | if (!inode_test_mask && !vfsmount_test_mask) |
| 184 | return 0; | 191 | return 0; |
| 185 | 192 | ||