diff options
author | Eric Paris <eparis@redhat.com> | 2010-08-18 12:25:49 -0400 |
---|---|---|
committer | Eric Paris <eparis@redhat.com> | 2010-08-22 20:09:41 -0400 |
commit | faa9560ae76ef50a3cbfb1a6afc0343fd8172374 (patch) | |
tree | b62dcdece22b214d0e0c75848b4d02b8e9923d0c /fs/notify | |
parent | 3dc8d7f07e7496c0c6702e7e4b1acc179fa94019 (diff) |
fanotify: do not dereference inode_mark when it is unset
The fanotify code is supposed to get the group from the mark. It accidentally
only used the inode_mark. If the vfsmount_mark was set but not the inode_mark
it would deref the NULL inode_mark. Get the group from the correct place.
Reported-by: Tvrtko Ursulin <tvrtko.ursulin@sophos.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'fs/notify')
-rw-r--r-- | fs/notify/fsnotify.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/fs/notify/fsnotify.c b/fs/notify/fsnotify.c index 3970392b2722..f3e3b355ba7f 100644 --- a/fs/notify/fsnotify.c +++ b/fs/notify/fsnotify.c | |||
@@ -148,13 +148,14 @@ static int send_to_group(struct inode *to_tell, struct vfsmount *mnt, | |||
148 | const unsigned char *file_name, | 148 | const unsigned char *file_name, |
149 | struct fsnotify_event **event) | 149 | struct fsnotify_event **event) |
150 | { | 150 | { |
151 | struct fsnotify_group *group = inode_mark->group; | 151 | struct fsnotify_group *group = NULL; |
152 | __u32 inode_test_mask = (mask & ~FS_EVENT_ON_CHILD); | 152 | __u32 inode_test_mask = (mask & ~FS_EVENT_ON_CHILD); |
153 | __u32 vfsmount_test_mask = (mask & ~FS_EVENT_ON_CHILD); | 153 | __u32 vfsmount_test_mask = (mask & ~FS_EVENT_ON_CHILD); |
154 | 154 | ||
155 | pr_debug("%s: group=%p to_tell=%p mnt=%p mark=%p mask=%x data=%p" | 155 | if (unlikely(!inode_mark && !vfsmount_mark)) { |
156 | " data_is=%d cookie=%d event=%p\n", __func__, group, to_tell, | 156 | BUG(); |
157 | mnt, inode_mark, mask, data, data_is, cookie, *event); | 157 | return 0; |
158 | } | ||
158 | 159 | ||
159 | /* clear ignored on inode modification */ | 160 | /* clear ignored on inode modification */ |
160 | if (mask & FS_MODIFY) { | 161 | if (mask & FS_MODIFY) { |
@@ -168,18 +169,24 @@ static int send_to_group(struct inode *to_tell, struct vfsmount *mnt, | |||
168 | 169 | ||
169 | /* does the inode mark tell us to do something? */ | 170 | /* does the inode mark tell us to do something? */ |
170 | if (inode_mark) { | 171 | if (inode_mark) { |
172 | group = inode_mark->group; | ||
171 | inode_test_mask &= inode_mark->mask; | 173 | inode_test_mask &= inode_mark->mask; |
172 | inode_test_mask &= ~inode_mark->ignored_mask; | 174 | inode_test_mask &= ~inode_mark->ignored_mask; |
173 | } | 175 | } |
174 | 176 | ||
175 | /* does the vfsmount_mark tell us to do something? */ | 177 | /* does the vfsmount_mark tell us to do something? */ |
176 | if (vfsmount_mark) { | 178 | if (vfsmount_mark) { |
179 | group = vfsmount_mark->group; | ||
177 | vfsmount_test_mask &= vfsmount_mark->mask; | 180 | vfsmount_test_mask &= vfsmount_mark->mask; |
178 | vfsmount_test_mask &= ~vfsmount_mark->ignored_mask; | 181 | vfsmount_test_mask &= ~vfsmount_mark->ignored_mask; |
179 | if (inode_mark) | 182 | if (inode_mark) |
180 | vfsmount_test_mask &= ~inode_mark->ignored_mask; | 183 | vfsmount_test_mask &= ~inode_mark->ignored_mask; |
181 | } | 184 | } |
182 | 185 | ||
186 | pr_debug("%s: group=%p to_tell=%p mnt=%p mark=%p mask=%x data=%p" | ||
187 | " data_is=%d cookie=%d event=%p\n", __func__, group, to_tell, | ||
188 | mnt, inode_mark, mask, data, data_is, cookie, *event); | ||
189 | |||
183 | if (!inode_test_mask && !vfsmount_test_mask) | 190 | if (!inode_test_mask && !vfsmount_test_mask) |
184 | return 0; | 191 | return 0; |
185 | 192 | ||